Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2025, 05:07
Static task: static1
Behavioral task: behavioral1
Sample: 9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe
Resource: win7-20241023-en
General
- Target: 9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe
- Size: 96KB
- MD5: 3670275c7384e38596358f622b4e2772
- SHA1: 7b8ac062649c45de37410f1ad68fd0f0946a4f5f
- SHA256: 9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a
- SHA512: 539658eb04a49a72028cf67a907db3ccbf6426d18b72b2b29e1b77253aaebfdb0c15e55063e6e8b6e55b793fb43d2e0e61df2f96e4e02b219b6bb5f0d0015743
- SSDEEP: 1536:AnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:AGs8cd8eXlYairZYqMddH13b
Malware Config
Extracted configuration (family: neconyd), URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid / Process:
  - 4192 omsecor.exe
  - 2100 omsecor.exe
  - 4460 omsecor.exe
  - 1608 omsecor.exe
  - 924 omsecor.exe
  - 2568 omsecor.exe
- Drops file in System32 directory (1 IoC)
  description / ioc / Process:
  - File created: C:\Windows\SysWOW64\omsecor.exe (omsecor.exe)
- Suspicious use of SetThreadContext (4 IoCs)
  description / pid / Process / procid_target:
  - PID 4052 set thread context of 2408 (9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe, procid_target 83)
  - PID 4192 set thread context of 2100 (omsecor.exe, procid_target 88)
  - PID 4460 set thread context of 1608 (omsecor.exe, procid_target 109)
  - PID 924 set thread context of 2568 (omsecor.exe, procid_target 113)
- Program crash (4 IoCs)
  pid / pid_target / Process / procid_target:
  - 3980 / 4052 / WerFault.exe / 82
  - 2948 / 4192 / WerFault.exe / 85
  - 3152 / 4460 / WerFault.exe / 108
  - 2680 / 924 / WerFault.exe / 111
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe, 6 entries)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe, 2 entries)
- Suspicious use of WriteProcessMemory (29 IoCs)
  description / pid / Process / procid_target (identical repeated entries collapsed with a count):
  - PID 4052 wrote to memory of 2408 (9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe, procid_target 83), 5 entries
  - PID 2408 wrote to memory of 4192 (9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe, procid_target 85), 3 entries
  - PID 4192 wrote to memory of 2100 (omsecor.exe, procid_target 88), 5 entries
  - PID 2100 wrote to memory of 4460 (omsecor.exe, procid_target 108), 3 entries
  - PID 4460 wrote to memory of 1608 (omsecor.exe, procid_target 109), 5 entries
  - PID 1608 wrote to memory of 924 (omsecor.exe, procid_target 111), 3 entries
  - PID 924 wrote to memory of 2568 (omsecor.exe, procid_target 113), 5 entries
Processes (indented by parent/child depth; the depth number from the report is kept on each entry)
- depth 1: C:\Users\Admin\AppData\Local\Temp\9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe (PID 4052)
  command line: "C:\Users\Admin\AppData\Local\Temp\9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - depth 2: C:\Users\Admin\AppData\Local\Temp\9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe (PID 2408)
    command line: C:\Users\Admin\AppData\Local\Temp\9066fe151e9f78e2b8bd30cd77bb1a615d144ff40331a10e52638b9fb801fb7a.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - depth 3: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4192)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2100)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - depth 5: C:\Windows\SysWOW64\omsecor.exe (PID 4460)
          command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - depth 6: C:\Windows\SysWOW64\omsecor.exe (PID 1608)
            command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - depth 7: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 924)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              - depth 8: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2568)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              - depth 8: C:\Windows\SysWOW64\WerFault.exe (PID 2680)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 268
                - Program crash
          - depth 6: C:\Windows\SysWOW64\WerFault.exe (PID 3152)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 296
            - Program crash
      - depth 4: C:\Windows\SysWOW64\WerFault.exe (PID 2948)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 288
        - Program crash
  - depth 2: C:\Windows\SysWOW64\WerFault.exe (PID 3980)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 288
    - Program crash
- depth 1: C:\Windows\SysWOW64\WerFault.exe (PID 2728)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4052 -ip 4052
- depth 1: C:\Windows\SysWOW64\WerFault.exe (PID 4024)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4192 -ip 4192
- depth 1: C:\Windows\SysWOW64\WerFault.exe (PID 2132)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4460 -ip 4460
- depth 1: C:\Windows\SysWOW64\WerFault.exe (PID 3168)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 924 -ip 924
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 8b75c01ae89c60b5a359a3d416387ff9
  SHA1: efd7ba44195dc2a58a7141a440c5ce7a1889d0b2
  SHA256: 037e0e03531d7e06c010ecc75cc17f0064195be2e289272349e4167d05e6a33f
  SHA512: 2f90aab9f3993592a9806b37d378f91aa26eea479453b7de6fc501f11168de63075319a25baf18a426a94e7663bd46958facab48e530b134816e0802e69bfd80
- Filesize: 96KB
  MD5: c6302ce30a3aaf0e3058a256753c7e67
  SHA1: 151dca9fa1d42ebf98fa13a1de180b4e5fd7731d
  SHA256: d0c79d32ddeb6f2633117efc926cfb21ce6e27e25bb68a46c22ff368331c4e1d
  SHA512: 2ee700024f2c526a23a6389643bee1114882bb068ec5fcd57ac78b0daaa07e16d30adccdfe158e2305ce8f3f84f39221790d0b4adffec397e934bb71a4a4eaa5
- Filesize: 96KB
  MD5: 9870c3470e77f331f48dde2330f6b31f
  SHA1: 53f97f013fcfee31afadfb5990b46d68bb7bdade
  SHA256: 4a4e84f123edcc67f926fb27c9e5862c8255960a84ab79b542f21f4b9a17033e
  SHA512: b0d38c5dea23d5c4b4f75f59fb12a65016e0700c36aa82c3795aee9f5438c2cdca53a69a511d520d4736d8fe7e88f690a561cb5d2ccc6a8cc4ab37bf3229e527