Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/01/2025, 13:19
Static task: static1
Behavioral task: behavioral1
Sample: 6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe
Resource: win7-20240903-en
General
Target: 6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe
Size: 96KB
MD5: e108e8f374797fefd9917f5563343b00
SHA1: 306763d0a77657d638e093d4ac809187f709cf27
SHA256: 6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1
SHA512: 1cca39848bd09ef84a534d98a8a725272ae23ad054978b4d96c63cc12d30339119b97c9b8a79709fe00ff6797adc2aea9e8fd878147002f93abe51fede03aaad
SSDEEP: 1536:BnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:BGs8cd8eXlYairZYqMddH13b
Malware Config
Extracted family: neconyd
URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Neconyd family

Executes dropped EXE (6 IoCs)
pid | Process
3244 | omsecor.exe
4408 | omsecor.exe
1300 | omsecor.exe
3972 | omsecor.exe
4420 | omsecor.exe
3672 | omsecor.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 2220 set thread context of 1168 | 2220 | 6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe | 85
PID 3244 set thread context of 4408 | 3244 | omsecor.exe | 90
PID 1300 set thread context of 3972 | 1300 | omsecor.exe | 110
PID 4420 set thread context of 3672 | 4420 | omsecor.exe | 114

Program crash (4 IoCs)
pid | pid_target | Process | procid_target
3084 | 2220 | WerFault.exe | 84
3008 | 3244 | WerFault.exe | 88
2948 | 1300 | WerFault.exe | 109
2320 | 4420 | WerFault.exe | 112
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe | 6
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe | 2

Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target | count
PID 2220 wrote to memory of 1168 | 2220 | 6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe | 85 | 5
PID 1168 wrote to memory of 3244 | 1168 | 6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe | 88 | 3
PID 3244 wrote to memory of 4408 | 3244 | omsecor.exe | 90 | 5
PID 4408 wrote to memory of 1300 | 4408 | omsecor.exe | 109 | 3
PID 1300 wrote to memory of 3972 | 1300 | omsecor.exe | 110 | 5
PID 3972 wrote to memory of 4420 | 3972 | omsecor.exe | 112 | 3
PID 4420 wrote to memory of 3672 | 4420 | omsecor.exe | 114 | 5
Processes
C:\Users\Admin\AppData\Local\Temp\6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe  PID:2220
  cmd: "C:\Users\Admin\AppData\Local\Temp\6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe  PID:1168
    cmd: C:\Users\Admin\AppData\Local\Temp\6eb54419c10c7c367117116b93d993bcc795d2c57a93d8515245e55fceaa45d1N.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\omsecor.exe  PID:3244
      cmd: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\omsecor.exe  PID:4408
        cmd: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\omsecor.exe  PID:1300
          cmd: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\omsecor.exe  PID:3972
            cmd: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\omsecor.exe  PID:4420
              cmd: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Roaming\omsecor.exe  PID:3672
                cmd: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\WerFault.exe  PID:2320
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 256
                - Program crash
          C:\Windows\SysWOW64\WerFault.exe  PID:2948
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 292
            - Program crash
      C:\Windows\SysWOW64\WerFault.exe  PID:3008
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 288
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe  PID:3084
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 300
    - Program crash
C:\Windows\SysWOW64\WerFault.exe  PID:4620
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2220 -ip 2220
C:\Windows\SysWOW64\WerFault.exe  PID:4496
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3244 -ip 3244
C:\Windows\SysWOW64\WerFault.exe  PID:116
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1300 -ip 1300
C:\Windows\SysWOW64\WerFault.exe  PID:1268
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4420 -ip 4420
MITRE ATT&CK Enterprise v15
Downloads
Three dropped files, 96KB each.