Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2025, 21:49
Static task: static1
Behavioral task: behavioral1
Sample: 75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
Resource: win7-20240903-en
General
Target: 75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
Size: 96KB
MD5: 52f894d5e05afd7a0c3e3f494103bd74
SHA1: 39288ac93279ffffe529338f52a0662dfc3171c4
SHA256: 75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da
SHA512: 60b4f1f80a3dc940383e6cc677a12b0e933993b4c307e366dab961e3050b0c6afc138d852a487c5d671adc9a43c955eea77e98e2efa9b57ad0f4f46bd08da479
SSDEEP: 1536:HnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:HGs8cd8eXlYairZYqMddH13z
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid   Process
1992  omsecor.exe
4064  omsecor.exe
1496  omsecor.exe
4784  omsecor.exe
3844  omsecor.exe
1876  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process                                                                 procid_target
PID 4324 set thread context of 2016  4324  75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe  83
PID 1992 set thread context of 4064  1992  omsecor.exe                                                             88
PID 1496 set thread context of 4784  1496  omsecor.exe                                                             108
PID 3844 set thread context of 1876  3844  omsecor.exe                                                             112

Program crash (4 IoCs)
pid   pid_target  Process       procid_target
4924  4324        WerFault.exe  82
4316  1992        WerFault.exe  85
2616  1496        WerFault.exe  107
4052  3844        WerFault.exe  110
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, with the repeat count in the last column)
description                       pid   Process                                                                 procid_target  rows
PID 4324 wrote to memory of 2016  4324  75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe  83             5
PID 2016 wrote to memory of 1992  2016  75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe  85             3
PID 1992 wrote to memory of 4064  1992  omsecor.exe                                                             88             5
PID 4064 wrote to memory of 1496  4064  omsecor.exe                                                             107            3
PID 1496 wrote to memory of 4784  1496  omsecor.exe                                                             108            5
PID 4784 wrote to memory of 3844  4784  omsecor.exe                                                             110            3
PID 3844 wrote to memory of 1876  3844  omsecor.exe                                                             112            5
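The SetThreadContext, WriteProcessMemory and Program crash tables above describe one repeating pattern: every process that replaced another process's thread context also wrote into that process's memory, the target is a freshly started copy of the source's own image, and the source crashed afterwards (a WerFault.exe child with -p <source pid>). The script below is an added example, not part of the tria.ge report or of the Neconyd sample: it transcribes those events from the tables into Python tuples and correlates them into the hollowing chain. The Finding class, the chain() walk and the event lists are this example's own constructions; the PIDs, image paths and counts are the report's.

```python
"""Correlate sandbox process events into a process-hollowing chain.

Added example (not part of the tria.ge report or the Neconyd sample). The
event tuples are transcribed from the report's SetThreadContext,
WriteProcessMemory, Program crash and Processes sections.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE = "75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe"

# pid -> image path, as shown in the report's process tree
IMAGES = {
    4324: rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
    2016: rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
    1992: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    4064: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    1496: r"C:\Windows\SysWOW64\omsecor.exe",
    4784: r"C:\Windows\SysWOW64\omsecor.exe",
    3844: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    1876: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
}

# (source pid, target pid), one tuple per logged API call
SET_THREAD_CONTEXT = [(4324, 2016), (1992, 4064), (1496, 4784), (3844, 1876)]
WRITE_PROCESS_MEMORY = (
    [(4324, 2016)] * 5 + [(2016, 1992)] * 3 + [(1992, 4064)] * 5
    + [(4064, 1496)] * 3 + [(1496, 4784)] * 5 + [(4784, 3844)] * 3
    + [(3844, 1876)] * 5
)
# pids named in "WerFault.exe -u -p <pid>": processes that crashed
CRASHED = {4324, 1992, 1496, 3844}


@dataclass(frozen=True)
class Finding:
    source: int
    target: int
    writes: int
    same_image: bool      # target is a fresh copy of the source's own image
    source_crashed: bool  # injector died after handing control to the target


def correlate(stc, wpm, images, crashed):
    """One Finding per (source, target) pair whose memory was written AND whose
    thread context was replaced: the two halves of the hollowing signature."""
    writes = Counter(wpm)
    findings = []
    for src, dst in stc:
        if writes[src, dst] == 0:
            continue  # context change without a prior write is not hollowing
        findings.append(Finding(src, dst, writes[src, dst],
                                images[src] == images[dst], src in crashed))
    return findings


def chain(start, stc, wpm):
    """Walk from the initial process. Each hop is a hollowed child (memory
    written and context set) or a plain spawn (memory written only)."""
    stc_set = set(stc)
    children = defaultdict(list)
    for src, dst in dict.fromkeys(wpm):  # unique pairs, first-seen order kept
        children[src].append(dst)
    hops, pid = [], start
    while children.get(pid):
        nxt = children[pid][0]
        hops.append((pid, nxt, "hollow" if (pid, nxt) in stc_set else "spawn"))
        pid = nxt
    return hops


if __name__ == "__main__":
    for f in correlate(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, IMAGES, CRASHED):
        print(f)
    for src, dst, kind in chain(4324, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print(f"{src} -[{kind}]-> {dst}  {IMAGES[dst]}")
```

Run as a script it prints four findings, all with five writes, a same-image target and a crashed source, followed by the seven-hop chain that alternates hollow and spawn from PID 4324 down to PID 1876. In a real pipeline the same correlation would run over EDR or Sysmon process-access telemetry rather than transcribed report rows.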
Processes (indented by parent/child; the bracketed number is the depth shown in the original tree)

[1] C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe (PID 4324)
    command line: "C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe"
    Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe (PID 2016)
        command line: C:\Users\Admin\AppData\Local\Temp\75728f28e53fa173d612a532eb870dd0583e5e363026de08322103501baf57da.exe
        System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1992)
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4064)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\omsecor.exe (PID 1496)
                    command line: C:\Windows\System32\omsecor.exe
                    (the 32-bit parent asked for System32; WOW64 file-system redirection maps that to SysWOW64, which is why the image path and the command line differ)
                    Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\omsecor.exe (PID 4784)
                        command line: C:\Windows\SysWOW64\omsecor.exe
                        Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

                        [7] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3844)
                            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                            Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

                            [8] C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1876)
                                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                                Executes dropped EXE; System Location Discovery: System Language Discovery

                            [8] C:\Windows\SysWOW64\WerFault.exe (PID 4052)
                                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 256
                                Program crash

                    [6] C:\Windows\SysWOW64\WerFault.exe (PID 2616)
                        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 296
                        Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe (PID 4316)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 288
                Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe (PID 4924)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 288
        Program crash

[1] C:\Windows\SysWOW64\WerFault.exe (PID 4864)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4324 -ip 4324

[1] C:\Windows\SysWOW64\WerFault.exe (PID 2264)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1992 -ip 1992

[1] C:\Windows\SysWOW64\WerFault.exe (PID 3892)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1496 -ip 1496

[1] C:\Windows\SysWOW64\WerFault.exe (PID 2316)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3844 -ip 3844
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 96KB
MD5: ed3768d379e3eb38226482f664e6e9c8
SHA1: 4100b9970b5dffa3086fcd25c3375fcc1763affa
SHA256: 5d7aa8171c8c90a25c7b542096d1451040daae5b6cb56b0d0758ec39d97a8d2e
SHA512: aedda74b64b63b1232b2e5c79db715080b3a6daffe348b2874ba603d3d99d318856bd50f878753f19cb83271f38516994662aa6442ea67eced2c557d7523e37a

Filesize: 96KB
MD5: 88ae9d0702a8a9df63390a9f61619b81
SHA1: f1d25aefeec7071b0b9a8fcb335f431e08b152d4
SHA256: cc0aa4a46f27081de7b809f8027abca8616f073fe0a65214c82a3649ebdb6886
SHA512: fc3e9150ec373405a18b448047ac86f3a72db98d7fa0d963839eee69af3d9a7fa4547d12f743d489fa0c165b9f7a9b2470d5d937511b40dd9984baf94652ec99

Filesize: 96KB
MD5: a531991a591fb44cf639c6098c463cd9
SHA1: 0cf7f13679084f0ea516f29ab9681cd7de25de3a
SHA256: f3e48cf7b74a0603992ba4dbb8181cf25a80dab3fc938f14bf06656389577218
SHA512: b161440ee0bfaeb341c46375b22b7a94ab29712483de065a903ef8b3cabf4b3cd17f18c0ab1ff4aba82ac195a42a78cdae352f5d7718a620b1bccd124a4d43f5
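The three dropped files above share the name omsecor.exe and the 96KB size but carry three distinct hashes from a single run of one dropper, so a hash-only indicator list is likely to miss the next variant. The script below is an added example, not part of the tria.ge report or of the sample: it checks the locations the process tree shows omsecor.exe running from (%APPDATA%\omsecor.exe and %SystemRoot%\SysWOW64\omsecor.exe), reports a known drop on a SHA-256 match, and still flags any file at those paths whose hash is unfamiliar. The demo() function and the harmless files it writes to a temp directory are this example's own constructions so that the script runs offline; on a real host call check_host() with the default paths.

```python
"""Hunt a host for the omsecor.exe drops recorded in this report.

Added example, not part of the tria.ge report or the sample. The SHA-256
values are the three files listed under Downloads; the candidate paths are
the locations the process tree shows omsecor.exe running from. demo()
fabricates harmless files in a temp directory so the script runs offline.
"""
import hashlib
import os
import tempfile

# SHA-256 of the three dropped files listed under Downloads
DROPPED_SHA256 = {
    "5d7aa8171c8c90a25c7b542096d1451040daae5b6cb56b0d0758ec39d97a8d2e",
    "cc0aa4a46f27081de7b809f8027abca8616f073fe0a65214c82a3649ebdb6886",
    "f3e48cf7b74a0603992ba4dbb8181cf25a80dab3fc938f14bf06656389577218",
}

# Paths from the process tree; the environment variables expand on Windows
SUSPECT_PATHS = [
    os.path.expandvars(r"%APPDATA%\omsecor.exe"),
    os.path.expandvars(r"%SystemRoot%\SysWOW64\omsecor.exe"),
]


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, known_hashes):
    """Return 'absent', 'known drop' or 'unknown variant' for one path."""
    if not os.path.isfile(path):
        return "absent"
    if sha256_of(path) in known_hashes:
        return "known drop"
    # Same file name at a location where no legitimate omsecor.exe lives.
    # The report shows one dropper producing three different hashes, so an
    # unfamiliar hash here is a hit to triage, not a clean result.
    return "unknown variant"


def check_host(paths=SUSPECT_PATHS, known_hashes=DROPPED_SHA256):
    """Map every candidate path to its verdict."""
    return {p: classify(p, known_hashes) for p in paths}


def demo():
    """Constructed files (not malware) that exercise all three verdicts."""
    root = tempfile.mkdtemp()
    known = os.path.join(root, "Roaming", "omsecor.exe")
    variant = os.path.join(root, "SysWOW64", "omsecor.exe")
    missing = os.path.join(root, "nowhere", "omsecor.exe")
    for path, payload in ((known, b"constructed known drop"),
                          (variant, b"constructed unknown variant")):
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as fh:
            fh.write(payload)
    # Treat the constructed "known" file's hash as if it were in the report
    hashes = DROPPED_SHA256 | {sha256_of(known)}
    return check_host([known, variant, missing], hashes)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:16} {path}")
```

The verdict set is deliberately three-valued: "absent" is the only clean answer, because any omsecor.exe at these paths is worth pulling for analysis whether or not its hash is already on the list.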