Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/01/2025, 10:59
Static task: static1
Behavioral task: behavioral1
Sample: 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
Resource: win7-20240729-en
General
- Target: 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
- Size: 96KB
- MD5: 1ed206ccb847192d9a5bc700d2ce9f30
- SHA1: 8cd8f19f39ba976f4ae5260aa247b534dc78a7f7
- SHA256: 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022ae
- SHA512: ff27ddf559984e66e34dec8e88ba876a92b0103921bb0bbe53eabefc015079bf9ba6ed43d595ffcfb6b730a591a5fbc3e1e07e2ed21a01605f2e125e8c67a42a
- SSDEEP: 1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:4Gs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  - PID 5084 omsecor.exe
  - PID 4192 omsecor.exe
  - PID 4944 omsecor.exe
  - PID 960 omsecor.exe
  - PID 2080 omsecor.exe
  - PID 4148 omsecor.exe
- Drops file in System32 directory (1 IoC)
  - File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)
- Suspicious use of SetThreadContext (4 IoCs)
  - PID 2588 (3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe) set thread context of PID 2460, procid_target 82
  - PID 5084 (omsecor.exe) set thread context of PID 4192, procid_target 87
  - PID 4944 (omsecor.exe) set thread context of PID 960, procid_target 93
  - PID 2080 (omsecor.exe) set thread context of PID 4148, procid_target 97
- Program crash (4 IoCs)
  - pid 876, pid_target 5084, WerFault.exe
  - pid 2212, pid_target 2588, WerFault.exe, procid_target 81
  - pid 4056, pid_target 4944, WerFault.exe, procid_target 92
  - pid 3280, pid_target 2080, WerFault.exe, procid_target 95
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes in order:
  - 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
  - omsecor.exe
  - omsecor.exe
  - omsecor.exe
  - omsecor.exe
  - omsecor.exe
  - omsecor.exe
  - 3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
- Suspicious use of WriteProcessMemory (29 IoCs; repeated rows collapsed with their counts)
  - PID 2588 (3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe) wrote to memory of PID 2460, procid_target 82 (5 entries)
  - PID 2460 (3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe) wrote to memory of PID 5084, procid_target 85 (3 entries)
  - PID 5084 (omsecor.exe) wrote to memory of PID 4192, procid_target 87 (5 entries)
  - PID 4192 (omsecor.exe) wrote to memory of PID 4944, procid_target 92 (3 entries)
  - PID 4944 (omsecor.exe) wrote to memory of PID 960, procid_target 93 (5 entries)
  - PID 960 (omsecor.exe) wrote to memory of PID 2080, procid_target 95 (3 entries)
  - PID 2080 (omsecor.exe) wrote to memory of PID 4148, procid_target 97 (5 entries)
Processes (indentation shows the parent/child relationship; the level number is the tree depth from the report)

Level 1: C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe"
  PID: 2588
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3787791d3ec869833001c24b9497b20c4942b0297a00c65b4aabb6879a5022aeN.exe
    PID: 2460
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 5084
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4192
        Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          PID: 4944
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          Level 6: C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            PID: 960
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            Level 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 2080
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              Level 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 4148
                Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              Level 8: C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 256
                PID: 3280
                Signatures: Program crash
          Level 6: C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 292
            PID: 4056
            Signatures: Program crash
      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 300
        PID: 876
        Signatures: Program crash
  Level 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 288
    PID: 2212
    Signatures: Program crash

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2588 -ip 2588
  PID: 1388

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5084 -ip 5084
  PID: 2532

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4944 -ip 4944
  PID: 3532

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2080 -ip 2080
  PID: 3856
Downloads
- Filesize: 96KB
  MD5: 0bf3697d99de20472d9b6b82862cb331
  SHA1: ebb63864c2ab28cfe35a585b37293abc6b79ec0b
  SHA256: 7656cf76e24aba694622607efa1d87ac36853d41e70d1c6d242caace354c4658
  SHA512: 24468738297c2e25992a31f7117744808b183f7eecb75c5391654350a774a6b45e1df884d660f8bc0e686ee6f7ad0d50e866224ac27fe1e6d5a0dde6f7ddaafc
- Filesize: 96KB
  MD5: da8034b506342218c1b5d69cd693d721
  SHA1: 39468ba17368db2515c6acca884ac8a546942b78
  SHA256: a072734720a832eb10ab026d7057b3faef8e90a27c025306f4c85ad14ac03010
  SHA512: dd0905fd5338cdce4ccad031d548bb78e0abd885ce47a153633a3402bbb7ce2efa5ae536894a7738c25c5ca4a76b5ed0fa8c12ee4ff005bd96037e5268afc651
- Filesize: 96KB
  MD5: ec90d1b118abb4494eefdb85b06772a5
  SHA1: cc5c464ca47534e3c8e20a86b6e8a6e49e7d64dd
  SHA256: 5bea3b06cc144ffdf7a56e1e29ca114e27a0cea8038ebc7b572bffab93880610
  SHA512: 5b635f652c330967455494ec3391911fc3e1f5fd5c18f943f7a92dbba5f8b7dbb62e94b1939de72e8a7b156853dc9dd41e584adeef94e1f243a886fab1b3a925