Analysis
max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/01/2025, 21:08
Static task: static1
Behavioral task: behavioral1
Sample: 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
Resource: win7-20240903-en
General
Target: 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
Size: 96KB
MD5: b3713e03f5213be6bdd7366e5961730c
SHA1: 9e4087a0ba8e77c162201bd559b400ad520ef3ed
SHA256: 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842
SHA512: 15faab5cd6251d5dcb0454fd5251643c9d71f6e3b472e0db318da7b11229d13cb8cdf620d8fb2851bc62fc0db5fe018f3574a0cc0fc15fd7ef0884f96eeda109
SSDEEP: 1536:rnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:rGs8cd8eXlYairZYqMddH13z
Malware Config
Extracted
Family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid | Process
4636 | omsecor.exe
4520 | omsecor.exe
5092 | omsecor.exe
4804 | omsecor.exe
4208 | omsecor.exe
1964 | omsecor.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1548 set thread context of 4500 | 1548 | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe | 83
PID 4636 set thread context of 4520 | 4636 | omsecor.exe | 88
PID 5092 set thread context of 4804 | 5092 | omsecor.exe | 108
PID 4208 set thread context of 1964 | 4208 | omsecor.exe | 111

Program crash (4 IoCs)
pid | pid_target | Process | procid_target
4744 | 1548 | WerFault.exe | 82
780 | 4636 | WerFault.exe | 85
3476 | 5092 | WerFault.exe | 107
2884 | 4208 | WerFault.exe | 110

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 1548 wrote to memory of 4500 | 1548 | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe | 83
PID 1548 wrote to memory of 4500 | 1548 | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe | 83
PID 1548 wrote to memory of 4500 | 1548 | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe | 83
PID 1548 wrote to memory of 4500 | 1548 | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe | 83
PID 1548 wrote to memory of 4500 | 1548 | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe | 83
PID 4500 wrote to memory of 4636 | 4500 | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe | 85
PID 4500 wrote to memory of 4636 | 4500 | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe | 85
PID 4500 wrote to memory of 4636 | 4500 | 18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe | 85
PID 4636 wrote to memory of 4520 | 4636 | omsecor.exe | 88
PID 4636 wrote to memory of 4520 | 4636 | omsecor.exe | 88
PID 4636 wrote to memory of 4520 | 4636 | omsecor.exe | 88
PID 4636 wrote to memory of 4520 | 4636 | omsecor.exe | 88
PID 4636 wrote to memory of 4520 | 4636 | omsecor.exe | 88
PID 4520 wrote to memory of 5092 | 4520 | omsecor.exe | 107
PID 4520 wrote to memory of 5092 | 4520 | omsecor.exe | 107
PID 4520 wrote to memory of 5092 | 4520 | omsecor.exe | 107
PID 5092 wrote to memory of 4804 | 5092 | omsecor.exe | 108
PID 5092 wrote to memory of 4804 | 5092 | omsecor.exe | 108
PID 5092 wrote to memory of 4804 | 5092 | omsecor.exe | 108
PID 5092 wrote to memory of 4804 | 5092 | omsecor.exe | 108
PID 5092 wrote to memory of 4804 | 5092 | omsecor.exe | 108
PID 4804 wrote to memory of 4208 | 4804 | omsecor.exe | 110
PID 4804 wrote to memory of 4208 | 4804 | omsecor.exe | 110
PID 4804 wrote to memory of 4208 | 4804 | omsecor.exe | 110
PID 4208 wrote to memory of 1964 | 4208 | omsecor.exe | 111
PID 4208 wrote to memory of 1964 | 4208 | omsecor.exe | 111
PID 4208 wrote to memory of 1964 | 4208 | omsecor.exe | 111
PID 4208 wrote to memory of 1964 | 4208 | omsecor.exe | 111
PID 4208 wrote to memory of 1964 | 4208 | omsecor.exe | 111
Processes
(process tree; indentation shows the parent/child depth, each entry lists the image path, PID and the signatures that fired; the command line is shown only where it differs from the image path)

- C:\Users\Admin\AppData\Local\Temp\18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe (PID 1548, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe (PID 4500, depth 2)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4636, depth 3)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4520, depth 4)
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe (PID 5092, depth 5)
          command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe (PID 4804, depth 6)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4208, depth 7)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1964, depth 8)
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe (PID 2884, depth 8)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 256
                - Program crash
          - C:\Windows\SysWOW64\WerFault.exe (PID 3476, depth 6)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 292
            - Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 780, depth 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 288
        - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4744, depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 288
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3948, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1548 -ip 1548
- C:\Windows\SysWOW64\WerFault.exe (PID 1376, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4636 -ip 4636
- C:\Windows\SysWOW64\WerFault.exe (PID 2352, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5092 -ip 5092
- C:\Windows\SysWOW64\WerFault.exe (PID 4284, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4208 -ip 4208
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 96KB
MD5: 84cf20a5260621e56fe134c6ea12238a
SHA1: f14dc943baf0f89e0b3ffe49eb743d4d5041922c
SHA256: 488da3e8da00ea033d695ad99164aff0b61d118a695d03601e6b1d1f54b79ff8
SHA512: b936d60883c2c1cdfca41b5f7225ecdcc90c1ef93f0c7499653d23d63f9978070842d382d06c5e02ec2a09122f0f7fc108ccdde16cd1771d7607a98c8a1ee0a7

Filesize: 96KB
MD5: 3dc705843b8a411cf70ae4498fccdb74
SHA1: 49d7acf95bc90b22e07a464ba1fbb5e9289b6ffc
SHA256: a12d69cc9ada4ce3b4deb3ea21ffbae3e1abd1955ebe48a6aa1237cc2342a485
SHA512: eca1bd9743e51252d2087bd9bdb7380806a3f4552f072d6d978fceff164b20ef3c882d0b45f91ac45ad2395d62c13424ea0e54d278eae2ceabaaa5d41bb2b253

Filesize: 96KB
MD5: 72288fd6bd4ff0bea148afcb0cbfd7a4
SHA1: b494a8c33a1bef2d89f146adcf2748aee1548f27
SHA256: 1f5716fcc43857b855eb0ff3b7d158645d64a70162b1054bc0c85e4d9d5646c8
SHA512: 33b1a95b65d43559718e5505aaa5755f64e6afdc2a5cbbb97f03180191d8a1616cc45957a68268ffa6d0787bec8244f6ef271a437f749fdc275e7592fad29f6d