Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2025, 11:39

Static task: static1
Behavioral task: behavioral1
Sample: 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
Resource: win7-20241010-en
General
- Target: 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
- Size: 96KB
- MD5: a81d20fbc59985a3b7db87bbfaee5fe0
- SHA1: 8b7cbd78491f5dbc93c912a7464a9d3baff85ba6
- SHA256: 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3
- SHA512: 035f5e0ef094134c32f47754d3692f36ea88f9ff54c77cdd17c4bef0281b000edf3b5c3d949e00ccb3d0e26b8566114a87ab4590cb8edc6d5a48a301f1f64128
- SSDEEP: 1536:GnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:GGs8cd8eXlYairZYqMddH13b
Malware Config
Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

- Neconyd family

- Executes dropped EXE (6 IoCs)

| pid  | Process     |
|------|-------------|
| 4072 | omsecor.exe |
| 3764 | omsecor.exe |
| 2768 | omsecor.exe |
| 2892 | omsecor.exe |
| 2172 | omsecor.exe |
| 4584 | omsecor.exe |

- Drops file in System32 directory (1 IoC)

| description  | ioc                             | Process     |
|--------------|---------------------------------|-------------|
| File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe |

- Suspicious use of SetThreadContext (4 IoCs)

| description                          | pid  | Process                                                                | procid_target |
|--------------------------------------|------|------------------------------------------------------------------------|---------------|
| PID 5016 set thread context of 2332  | 5016 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 83            |
| PID 4072 set thread context of 3764  | 4072 | omsecor.exe                                                            | 88            |
| PID 2768 set thread context of 2892  | 2768 | omsecor.exe                                                            | 109           |
| PID 2172 set thread context of 4584  | 2172 | omsecor.exe                                                            | 113           |

- Program crash (4 IoCs)

| pid  | pid_target | Process      | procid_target |
|------|------------|--------------|---------------|
| 3980 | 5016       | WerFault.exe | 82            |
| 3100 | 4072       | WerFault.exe | 86            |
| 1876 | 2768       | WerFault.exe | 108           |
| 2508 | 2172       | WerFault.exe | 111           |

- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc                                                          | Process                                                                |
|-------------|--------------------------------------------------------------|------------------------------------------------------------------------|
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                            |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                            |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                            |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                            |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                            |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe                                                            |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe |

- Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, count in the last column)

| description                        | pid  | Process                                                                | procid_target | count |
|------------------------------------|------|------------------------------------------------------------------------|---------------|-------|
| PID 5016 wrote to memory of 2332   | 5016 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 83            | 5     |
| PID 2332 wrote to memory of 4072   | 2332 | 3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe | 86            | 3     |
| PID 4072 wrote to memory of 3764   | 4072 | omsecor.exe                                                            | 88            | 5     |
| PID 3764 wrote to memory of 2768   | 3764 | omsecor.exe                                                            | 108           | 3     |
| PID 2768 wrote to memory of 2892   | 2768 | omsecor.exe                                                            | 109           | 5     |
| PID 2892 wrote to memory of 2172   | 2892 | omsecor.exe                                                            | 111           | 3     |
| PID 2172 wrote to memory of 4584   | 2172 | omsecor.exe                                                            | 113           | 5     |
Processes (indented by process-tree depth)

depth 1: C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe"
  PID: 5016
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
    PID: 2332
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4072
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 3764
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        depth 5: C:\Windows\SysWOW64\omsecor.exe
          command line: C:\Windows\System32\omsecor.exe
          PID: 2768
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          depth 6: C:\Windows\SysWOW64\omsecor.exe
            command line: C:\Windows\SysWOW64\omsecor.exe
            PID: 2892
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            depth 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 2172
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              depth 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 4584
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

              depth 8: C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 256
                PID: 2508
                - Program crash

          depth 6: C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 292
            PID: 1876
            - Program crash

      depth 4: C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 288
        PID: 3100
        - Program crash

  depth 2: C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 288
    PID: 3980
    - Program crash

depth 1: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
  PID: 4840

depth 1: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4072 -ip 4072
  PID: 3264

depth 1: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2768 -ip 2768
  PID: 2740

depth 1: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2172 -ip 2172
  PID: 2012
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 96KB
  MD5: a554c0392fcead8e21d1b186724dc47c
  SHA1: b302443d77c72f8dee63ff0b99bc86cb5aaf7394
  SHA256: 9c591703e305edcdb9e9b85bc2f57155289658ac3c10841c2311fad6f551730f
  SHA512: ff7eeeb79376325cce330b84b09ddd8565180cbaf022eee62780631870111c605cdcfc77ac179283aad35275709b3205527ddcbe507f5877e745f74d61694dc5

- Filesize: 96KB
  MD5: 41727eb08ad5cbef79d109b0b24dbd3b
  SHA1: 125a88131440768053ab0bd76a2b0808897c2744
  SHA256: b37c2272f536f2a8f57eb7414e91407a4b3c10faa6a029ba0d7fee5281990265
  SHA512: 8d26d4038dc05390af1f2704a1bac0e927af444b949f2c72c1a09a87a318a1ceb5511c96d9d553dc536835c58f2ede4f28b4d3412251e64ec1e047d5b147e1e5

- Filesize: 96KB
  MD5: 14fbfd831b2defb07d232987ea55dd2e
  SHA1: bc6c3eff4254c2ba6080ef15e604c9e52c9bfa23
  SHA256: ca25925f452dea40f05e91ce7e7368ad0cf9aab8849d04ee4eca987c43d524c2
  SHA512: 90544b52a1349a240d21b6ac70f9f095e0175d8d0bba6a6dd0fc79dfd7645e4f47090dfebec2932fba88ca6accdeea946812c1312e002bd6a2b281725ddf3cad