Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/01/2025, 19:42
Static task: static1
Behavioral task: behavioral1
- Sample: 0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
- Resource: win7-20240903-en
General
- Target: 0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
- Size: 96KB
- MD5: 702d7d818e2b3e5661a7c61433a20118
- SHA1: 1ffe06c9db1e8178806bfe02e971b17b261f7abc
- SHA256: 0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833
- SHA512: 7fa4b86a390a0a658f5f95edce7d731375cb36bdb9dde4bb4230441e83c51260c59c84b6c6291de8a0e6026c5f65c356244205943ef588cb2067550b79da8124
- SSDEEP: 1536:HnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:HGs8cd8eXlYairZYqMddH13r
Malware Config
Extracted (neconyd):
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid   Process
  3936  omsecor.exe
  1528  omsecor.exe
  1572  omsecor.exe
  1820  omsecor.exe
  3736  omsecor.exe
  1968  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 2312 set thread context of 3044  2312  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe  81
  PID 3936 set thread context of 1528  3936  omsecor.exe                                                               86
  PID 1572 set thread context of 1820  1572  omsecor.exe                                                               100
  PID 3736 set thread context of 1968  3736  omsecor.exe                                                               104
- Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  1760  2312        WerFault.exe  80
  2180  3936        WerFault.exe  83
  4632  1572        WerFault.exe  99
  1480  3736        WerFault.exe  102
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 2312 wrote to memory of 3044  2312  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe  81
  PID 2312 wrote to memory of 3044  2312  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe  81
  PID 2312 wrote to memory of 3044  2312  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe  81
  PID 2312 wrote to memory of 3044  2312  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe  81
  PID 2312 wrote to memory of 3044  2312  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe  81
  PID 3044 wrote to memory of 3936  3044  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe  83
  PID 3044 wrote to memory of 3936  3044  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe  83
  PID 3044 wrote to memory of 3936  3044  0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe  83
  PID 3936 wrote to memory of 1528  3936  omsecor.exe                                                               86
  PID 3936 wrote to memory of 1528  3936  omsecor.exe                                                               86
  PID 3936 wrote to memory of 1528  3936  omsecor.exe                                                               86
  PID 3936 wrote to memory of 1528  3936  omsecor.exe                                                               86
  PID 3936 wrote to memory of 1528  3936  omsecor.exe                                                               86
  PID 1528 wrote to memory of 1572  1528  omsecor.exe                                                               99
  PID 1528 wrote to memory of 1572  1528  omsecor.exe                                                               99
  PID 1528 wrote to memory of 1572  1528  omsecor.exe                                                               99
  PID 1572 wrote to memory of 1820  1572  omsecor.exe                                                               100
  PID 1572 wrote to memory of 1820  1572  omsecor.exe                                                               100
  PID 1572 wrote to memory of 1820  1572  omsecor.exe                                                               100
  PID 1572 wrote to memory of 1820  1572  omsecor.exe                                                               100
  PID 1572 wrote to memory of 1820  1572  omsecor.exe                                                               100
  PID 1820 wrote to memory of 3736  1820  omsecor.exe                                                               102
  PID 1820 wrote to memory of 3736  1820  omsecor.exe                                                               102
  PID 1820 wrote to memory of 3736  1820  omsecor.exe                                                               102
  PID 3736 wrote to memory of 1968  3736  omsecor.exe                                                               104
  PID 3736 wrote to memory of 1968  3736  omsecor.exe                                                               104
  PID 3736 wrote to memory of 1968  3736  omsecor.exe                                                               104
  PID 3736 wrote to memory of 1968  3736  omsecor.exe                                                               104
  PID 3736 wrote to memory of 1968  3736  omsecor.exe                                                               104
Processes (tree; each child is indented under its parent)
- C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe"
  PID: 2312
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
    PID: 3044
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3936
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1528
        Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          PID: 1572
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            PID: 1820
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 3736
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 1968
                Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 268
                PID: 1480
                Signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 292
            PID: 4632
            Signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 296
        PID: 2180
        Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 288
    PID: 1760
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2312 -ip 2312
  PID: 5088
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3936 -ip 3936
  PID: 3868
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1572 -ip 1572
  PID: 4032
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3736 -ip 3736
  PID: 1288
Network
MITRE ATT&CK Enterprise v15
Downloads