Analysis
max time kernel: 149s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/01/2025, 03:12

Static task: static1
Behavioral task: behavioral1
Sample: 7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
Resource: win7-20241023-en
General
Target: 7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
Size: 96KB
MD5: 91de4d3077d1c1beab2298acba54cab6
SHA1: ae455abf836a7955ec04d529f99fe68e10556d6d
SHA256: 7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1
SHA512: d655e8c4b8164bf5d6366839be8dd22e3949ffe2edd61607134f8c0b0c8f7f518c1f03bf01f5593c3160a93296afa717a6dff9ac7518331be46776c6c496b9d4
SSDEEP: 1536:vnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:vGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid   Process
2896  omsecor.exe
3080  omsecor.exe
2468  omsecor.exe
1576  omsecor.exe
876   omsecor.exe
712   omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process                                                                  procid_target
PID 2056 set thread context of 3908  2056  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe  82
PID 2896 set thread context of 3080  2896  omsecor.exe                                                              87
PID 2468 set thread context of 1576  2468  omsecor.exe                                                              100
PID 876 set thread context of 712    876   omsecor.exe                                                              104

Program crash (4 IoCs)
pid   pid_target  Process       procid_target
4232  2056        WerFault.exe  81
3600  2896        WerFault.exe  85
4672  2468        WerFault.exe  99
3660  876         WerFault.exe  102

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs)
description                       pid   Process                                                                  procid_target
PID 2056 wrote to memory of 3908  2056  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe  82
PID 2056 wrote to memory of 3908  2056  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe  82
PID 2056 wrote to memory of 3908  2056  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe  82
PID 2056 wrote to memory of 3908  2056  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe  82
PID 2056 wrote to memory of 3908  2056  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe  82
PID 3908 wrote to memory of 2896  3908  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe  85
PID 3908 wrote to memory of 2896  3908  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe  85
PID 3908 wrote to memory of 2896  3908  7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe  85
PID 2896 wrote to memory of 3080  2896  omsecor.exe                                                              87
PID 2896 wrote to memory of 3080  2896  omsecor.exe                                                              87
PID 2896 wrote to memory of 3080  2896  omsecor.exe                                                              87
PID 2896 wrote to memory of 3080  2896  omsecor.exe                                                              87
PID 2896 wrote to memory of 3080  2896  omsecor.exe                                                              87
PID 3080 wrote to memory of 2468  3080  omsecor.exe                                                              99
PID 3080 wrote to memory of 2468  3080  omsecor.exe                                                              99
PID 3080 wrote to memory of 2468  3080  omsecor.exe                                                              99
PID 2468 wrote to memory of 1576  2468  omsecor.exe                                                              100
PID 2468 wrote to memory of 1576  2468  omsecor.exe                                                              100
PID 2468 wrote to memory of 1576  2468  omsecor.exe                                                              100
PID 2468 wrote to memory of 1576  2468  omsecor.exe                                                              100
PID 2468 wrote to memory of 1576  2468  omsecor.exe                                                              100
PID 1576 wrote to memory of 876   1576  omsecor.exe                                                              102
PID 1576 wrote to memory of 876   1576  omsecor.exe                                                              102
PID 1576 wrote to memory of 876   1576  omsecor.exe                                                              102
PID 876 wrote to memory of 712    876   omsecor.exe                                                              104
PID 876 wrote to memory of 712    876   omsecor.exe                                                              104
PID 876 wrote to memory of 712    876   omsecor.exe                                                              104
PID 876 wrote to memory of 712    876   omsecor.exe                                                              104
PID 876 wrote to memory of 712    876   omsecor.exe                                                              104
Processes
Each entry gives the image path, the command line, the PID and the signatures it triggered; [N] is the depth in the process tree, and indentation shows parent/child relationships.

[1] C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe"
    PID: 2056
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
      PID: 3908
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2896
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 3080
          - Executes dropped EXE
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\System32\omsecor.exe
            PID: 2468
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\omsecor.exe
              Command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 1576
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 876
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 712
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery

              [8] C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 268
                  PID: 3660
                  - Program crash

          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 292
              PID: 4672
              - Program crash

      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 300
          PID: 3600
          - Program crash

  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 296
      PID: 4232
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2056 -ip 2056
    PID: 3520

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2896 -ip 2896
    PID: 4560

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2468 -ip 2468
    PID: 2568

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 876 -ip 876
    PID: 2832
Network
MITRE ATT&CK Enterprise v15
Downloads