Analysis
max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2025, 06:13
Static task: static1
Behavioral task: behavioral1
Sample: 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe
Resource: win7-20240903-en
General
Target: 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe
Size: 96KB
MD5: 974c6c7e364717a92b1f54f5d654fe20
SHA1: f474b144d14d24f20aa28f4037a4d3c9d9cc806d
SHA256: 38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9
SHA512: 6496d425bc88f0a53ac81b479e05c5bf8738e898c9cf32109cb0f12e806368b87f5c2bd18c8709bc3aacf8b72c43ae6aee90e6e2047bfafe3616df1581c32143
SSDEEP: 1536:NnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:NGs8cd8eXlYairZYqMddH13B
Malware Config
Extracted
Family: neconyd
C2 URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid   Process
  1372  omsecor.exe
  3504  omsecor.exe
  2856  omsecor.exe
  1040  omsecor.exe
  1916  omsecor.exe
  1392  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                                Process
  File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description                             pid   Process                                                                   procid_target
  PID 4616 set thread context of 1188     4616  38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe  84
  PID 1372 set thread context of 3504     1372  omsecor.exe                                                               89
  PID 2856 set thread context of 1040     2856  omsecor.exe                                                               109
  PID 1916 set thread context of 1392     1916  omsecor.exe                                                               113
- Program crash (4 IoCs)
  pid   pid_target  Process        procid_target
  2204  4616        WerFault.exe   83
  4876  1372        WerFault.exe   86
  4456  2856        WerFault.exe   108
  2524  1916        WerFault.exe   111
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    omsecor.exe
- Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, with the number of occurrences in the last column)
  description                          pid   Process                                                                   procid_target  occurrences
  PID 4616 wrote to memory of 1188     4616  38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe  84             5
  PID 1188 wrote to memory of 1372     1188  38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe  86             3
  PID 1372 wrote to memory of 3504     1372  omsecor.exe                                                               89             5
  PID 3504 wrote to memory of 2856     3504  omsecor.exe                                                               108            3
  PID 2856 wrote to memory of 1040     2856  omsecor.exe                                                               109            5
  PID 1040 wrote to memory of 1916     1040  omsecor.exe                                                               111            3
  PID 1916 wrote to memory of 1392     1916  omsecor.exe                                                               113            5
Processes (indented by depth in the process tree)
Depth 1: C:\Users\Admin\AppData\Local\Temp\38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4616
  Depth 2: C:\Users\Admin\AppData\Local\Temp\38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\38fbb0179143b5f06e66b5987febaf1354093db23d3a1482a095842f4e81e0b9N.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1188
    Depth 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1372
      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3504
        Depth 5: C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2856
          Depth 6: C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1040
            Depth 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 1916
              Depth 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 1392
              Depth 8: C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 256
                - Program crash
                PID: 2524
          Depth 6: C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 292
            - Program crash
            PID: 4456
      Depth 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 288
        - Program crash
        PID: 4876
  Depth 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 288
    - Program crash
    PID: 2204
Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4616 -ip 4616
  PID: 4856
Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1372 -ip 1372
  PID: 4144
Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2856 -ip 2856
  PID: 5016
Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1916 -ip 1916
  PID: 4956
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  Filesize: 96KB
  MD5: 749f06594ca626d54c95d1a43ff0495d
  SHA1: 97984f031a872ec17d48f4f7b418054a5e73a755
  SHA256: b83f4aa614e39018bdd344319a8cafeb0642487eb575bf2621c1c57a2bb49a95
  SHA512: ae3a0e42c935c3029514caaab17cef24dcaa7adc3b9cd8c85e37b3928dfb3eb87d28b8d68ea142324e2b80cda766e56fdb178a9ba2b08ddfe3efde6eb32372fa
- Dropped file 2
  Filesize: 96KB
  MD5: b5fb6c75d8e72cc1c36531d5f4420aae
  SHA1: d923ab3f2fccd434e642024da3d29cef3cf77c39
  SHA256: c95783b32a67731daa53bf7233e53712f9c86bfc0188f59e8e78d72a9c8477a6
  SHA512: 27042afc8668f82e41702a2b9aae57038aa9fb073c82f2988be4aab6e41657523d5fbae42db0319ecc4593104494bb3671aca2aacef8f1a47737c8d022f68111
- Dropped file 3
  Filesize: 96KB
  MD5: 4c4e5d4ad8b80aa5e4f9df9a9bcdf902
  SHA1: 068d96ef34f5a511f20e5c0572b921c7ecf72692
  SHA256: 3de774bd5121dbcdb61b018fa92e427238999b0c5ee59661d4c9af5b79ef5bdf
  SHA512: eda54d977aadb29787bad0bb22e2c8bd7f57164d7b654ce397c467a0496a01ce4cbb5c6434a19c66c90cce53b85aee84059994fa8bbbfe28db5b6a992f22dbe3