Analysis

- max time kernel: 118s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/01/2025, 14:19
Static task: static1
Behavioral task: behavioral1
Sample: 7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
Resource: win7-20240903-en
General

- Target: 7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
- Size: 96KB
- MD5: d1c25d28aa9af072868f45ef116b3740
- SHA1: ea8f590868b6dfdadae4ddf8e37b0f3973b1ecd6
- SHA256: 7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38
- SHA512: 2ca62e04345a1ae85b50db9875493e2b0750dae5514cb2469f9160b052c21800c60e457342a6e330ffd41d97e2fde3f6732bda90a21c1f362a0164f4241e7358
- SSDEEP: 1536:rnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:rGs8cd8eXlYairZYqMddH13b
Malware Config

Extracted: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE  (6 IoCs)
  pid   Process
  3600  omsecor.exe
  4800  omsecor.exe
  4360  omsecor.exe
  1508  omsecor.exe
  4400  omsecor.exe
  4684  omsecor.exe

Drops file in System32 directory  (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
  The recorded path is SysWOW64 rather than System32 because the writer is a 32-bit process: WoW64 file system redirection turns its System32 write into a SysWOW64 write.

Suspicious use of SetThreadContext  (4 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 3232 set thread context of 3744  3232  7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe  82
  PID 3600 set thread context of 4800  3600  omsecor.exe                                                               87
  PID 4360 set thread context of 1508  4360  omsecor.exe                                                               99
  PID 4400 set thread context of 4684  4400  omsecor.exe                                                               102

Program crash  (4 IoCs)
  pid   pid_target  Process       procid_target
  1060  3232        WerFault.exe  81
  3672  3600        WerFault.exe  85
  2100  4360        WerFault.exe  98
  4876  4400        WerFault.exe  101

System Location Discovery: System Language Discovery  (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory  (29 IoCs)
  The report lists one row per call; identical rows are grouped here with their count.
  description                        pid   Process                                                                   procid_target  rows
  PID 3232 wrote to memory of 3744   3232  7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe  82             5
  PID 3744 wrote to memory of 3600   3744  7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe  85             3
  PID 3600 wrote to memory of 4800   3600  omsecor.exe                                                               87             5
  PID 4800 wrote to memory of 4360   4800  omsecor.exe                                                               98             3
  PID 4360 wrote to memory of 1508   4360  omsecor.exe                                                               99             5
  PID 1508 wrote to memory of 4400   1508  omsecor.exe                                                               101            3
  PID 4400 wrote to memory of 4684   4400  omsecor.exe                                                               102            5
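Read together, the SetThreadContext, WriteProcessMemory and Program crash tables describe one repeating shape: a process writes into a freshly started copy of its own image, changes that copy's thread context, and then crashes, while the copy carries on and starts the next stage. The Python below is an added example, not Triage output or any Neconyd tooling: it correlates those three tables into injection stages. The event lists are constructed inline from the values on this page; the Stage type and the correlate, spawn_links and chain_order names are the example's own.

```python
"""Correlate the SetThreadContext, WriteProcessMemory and Program crash tables of a
Triage-style behaviour report into injection stages.

Added example: the event lists below are constructed from the values on this page;
the Stage type and the function names are this example's own, not Triage's.
"""
from collections import Counter
from dataclasses import dataclass

SAMPLE = "7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe"

# "Suspicious use of SetThreadContext": (caller pid, target pid)
SET_THREAD_CONTEXT = [(3232, 3744), (3600, 4800), (4360, 1508), (4400, 4684)]

# "Suspicious use of WriteProcessMemory": one (writer pid, target pid) per IoC row
WRITE_PROCESS_MEMORY = (
    [(3232, 3744)] * 5 + [(3744, 3600)] * 3 + [(3600, 4800)] * 5
    + [(4800, 4360)] * 3 + [(4360, 1508)] * 5 + [(1508, 4400)] * 3
    + [(4400, 4684)] * 5
)

# "Program crash": WerFault.exe pid -> pid_target (the process that crashed)
PROGRAM_CRASH = {1060: 3232, 3672: 3600, 2100: 4360, 4876: 4400}

# Image name per pid, taken from the Processes tree
IMAGE = {
    3232: SAMPLE, 3744: SAMPLE,
    3600: "omsecor.exe", 4800: "omsecor.exe", 4360: "omsecor.exe",
    1508: "omsecor.exe", 4400: "omsecor.exe", 4684: "omsecor.exe",
}


@dataclass(frozen=True)
class Stage:
    injector: int
    target: int
    image: str
    writes: int             # WriteProcessMemory rows injector -> target
    self_injection: bool    # injector and target run the same image
    injector_crashed: bool  # a WerFault.exe row names the injector as pid_target


def correlate(set_ctx, writes, crashes, image):
    """One Stage per SetThreadContext row. A thread-context change on a process
    the caller also wrote into is the classic hollowing/self-injection shape."""
    write_counts = Counter(writes)
    crashed = set(crashes.values())
    return [
        Stage(
            injector=caller,
            target=target,
            image=image[caller],
            writes=write_counts[(caller, target)],
            self_injection=image[caller] == image[target],
            injector_crashed=caller in crashed,
        )
        for caller, target in set_ctx
    ]


def spawn_links(stages, writes):
    """Writes from an injected target into a pid that later acts as injector:
    these are the links between stages (the hollowed copy starts the next one)."""
    injectors = {s.injector for s in stages}
    targets = {s.target for s in stages}
    return sorted({(w, t) for w, t in writes if w in targets and t in injectors})


def chain_order(stages, writes):
    """Pids in execution order, starting from the first injector (the sample)."""
    next_injector = dict(spawn_links(stages, writes))
    by_injector = {s.injector: s for s in stages}
    order, pid = [], stages[0].injector
    while pid in by_injector:
        stage = by_injector[pid]
        order += [stage.injector, stage.target]
        pid = next_injector.get(stage.target)
    return order


if __name__ == "__main__":
    stages = correlate(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, PROGRAM_CRASH, IMAGE)
    for s in stages:
        print(f"{s.injector} -> {s.target} ({s.image}): {s.writes} writes, "
              f"self-injection={s.self_injection}, injector crashed={s.injector_crashed}")
    print("chain:", chain_order(stages, WRITE_PROCESS_MEMORY))
```

On this report every SetThreadContext target also received five WriteProcessMemory calls from its caller, every caller shares an image with its target, and every caller is the pid_target of a WerFault.exe row; the three-row writes are the ones that connect a hollowed copy to the next injector.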
Processes

Indentation shows parent and child. Each process that calls SetThreadContext (3232, 3600, 4360, 4400) starts a second copy of its own image, writes into it, and then crashes; the copy continues and launches the next stage. The four WerFault.exe -u instances are children of the process they report on, and the four -pss instances are top-level.

C:\Users\Admin\AppData\Local\Temp\7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe  (PID 3232)
  command line: "C:\Users\Admin\AppData\Local\Temp\7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe  (PID 3744)
    command line: C:\Users\Admin\AppData\Local\Temp\7ec7417b9746b94dffa98075f7e15a52ccf18763e5d4784555a2f8b11d1e8a38N.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 3600)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 4800)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\omsecor.exe  (PID 4360)
          command line: C:\Windows\System32\omsecor.exe
          (the command line names System32 but the image path is SysWOW64: this is a 32-bit process, and WoW64 file system redirection maps System32 to SysWOW64 for it)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\omsecor.exe  (PID 1508)
            command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 4400)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 4684)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

              C:\Windows\SysWOW64\WerFault.exe  (PID 4876)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 268
                - Program crash

        C:\Windows\SysWOW64\WerFault.exe  (PID 2100)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 292
          - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 3672)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 300
      - Program crash

  C:\Windows\SysWOW64\WerFault.exe  (PID 1060)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 288
    - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 1736)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe  (PID 4200)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3600 -ip 3600

C:\Windows\SysWOW64\WerFault.exe  (PID 3736)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4360 -ip 4360

C:\Windows\SysWOW64\WerFault.exe  (PID 1148)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4400 -ip 4400
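Hunting for the dropped omsecor.exe on a real host has a WoW64 wrinkle that the tree above makes visible: the 32-bit stage refers to C:\Windows\System32\omsecor.exe on its command line, but the file lands in C:\Windows\SysWOW64. The Python below is an added example, not part of the report: it expands a command-line path into the on-disk locations a 32-bit process on x64 Windows could actually have written to, so a file-hash sweep against the Downloads hashes checks the right directories. The function names are the example's own, and it assumes the process did not disable redirection; if it had, the literal path is also possible, which is why that path stays in the candidate set.

```python
"""Expand a path typed by a 32-bit process into the places it can land on x64
Windows, so a hunt for the dropped omsecor.exe checks the right directories.

Added example, not part of the report. Assumes the process did not call
Wow64DisableWow64FsRedirection; the literal path is kept as a candidate anyway.
"""
import ntpath

SYSTEM32 = r"C:\Windows\System32"
SYSWOW64 = r"C:\Windows\SysWOW64"
SYSNATIVE = r"C:\Windows\Sysnative"   # alias visible only to 32-bit processes on x64

# Drop locations seen in this report's process tree, in command-line form
DROP_PATHS_IN_REPORT = [
    r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    r"C:\Windows\System32\omsecor.exe",
]


def _strip_prefix(path, prefix):
    """Case-insensitive directory-prefix match; returns the remainder or None."""
    if path.lower().startswith(prefix.lower() + "\\"):
        return path[len(prefix) + 1:]
    return None


def on_disk_candidates(cmdline_path, process_is_32bit, host_is_x64=True):
    """Paths to check on disk for a file a process referred to as cmdline_path.

    WoW64 file system redirection: a 32-bit process on x64 Windows that opens
    C:\\Windows\\System32\\<x> is transparently given C:\\Windows\\SysWOW64\\<x>.
    C:\\Windows\\Sysnative\\<x> is the escape hatch that reaches the real System32.
    Native 64-bit processes, and any process on 32-bit Windows, see no redirection.
    """
    norm = ntpath.normpath(cmdline_path)
    if not (host_is_x64 and process_is_32bit):
        return {norm}
    tail = _strip_prefix(norm, SYSNATIVE)
    if tail is not None:
        return {ntpath.join(SYSTEM32, tail)}        # Sysnative is not a real directory
    tail = _strip_prefix(norm, SYSTEM32)
    if tail is not None:
        return {norm, ntpath.join(SYSWOW64, tail)}  # redirected unless the process opted out
    return {norm}


def hunt_paths(cmdline_paths, process_is_32bit=True):
    """Union of on-disk candidates for every path, in a stable case-insensitive order."""
    out = set()
    for p in cmdline_paths:
        out |= on_disk_candidates(p, process_is_32bit)
    return sorted(out, key=str.lower)


if __name__ == "__main__":
    for p in hunt_paths(DROP_PATHS_IN_REPORT):
        print(p)
```

The sample is 32-bit here (the image runs under SysWOW64 and the crash handler launched for it is the SysWOW64 WerFault.exe), so for this report hunt_paths yields the Roaming copy plus both the System32 and SysWOW64 locations; hash whatever is found against the Downloads section below.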
Network
MITRE ATT&CK Enterprise v15
Downloads

Three dropped files, each 96KB (the same size as the submitted sample) but with hashes distinct from it and from each other.

File 1
- Filesize: 96KB
- MD5: 88a0c5d9d1e4c67496a74074b81b45e0
- SHA1: 183c22825d260ae6d303eb6887087bbd3854c462
- SHA256: 24074e2973dc2761593714c3332418948ff9ea5d20bfb9b704c8dd4b60c35eae
- SHA512: 6896ce6d0183d032468613dee046bc9c62ad9275c4be7aac369f58a031b2dea23fdfb9431bf9a41545464b081c2e26ce970aa8b90732535b7fe3b1ddc6f67e15

File 2
- Filesize: 96KB
- MD5: 194cdea28d4d0786e88cd47cb76216c0
- SHA1: e95511031fadde5d9294e9efd75c70f2bc304ece
- SHA256: 2fdb24c71ea6cb9c44022d9f33b2e548517c6abb42240d6adf6063690065854e
- SHA512: de3dfa34e49899892be2f8fe62d158fcdcc62822d4b84a202c75aeddfdee6e35c406f1a9925a70616c76077b6aaa5b91e6076230b4d762d0edf2a3a660922304

File 3
- Filesize: 96KB
- MD5: b109a32fb14a06150edfaff435d9d4b1
- SHA1: ed533e58c011c7c6b207a3a7b6243b8c81b59250
- SHA256: 46376e3dfaffc98541a164c936e027d46540b52ef4eb153ae4c88b8f9bfae0d1
- SHA512: 08d675d37dda6a978d6582734ae9ed75c2ddeea9dcd9885c1a7e015ef495092ee13b696a2723204d351334f739e3262f5f2971557cdcf33bb3783eb6282758e8