Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/01/2025, 05:17

Static task: static1
Behavioral task: behavioral1
Sample: b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
Resource: win7-20240903-en
General
Target: b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
Size: 134KB
MD5: 98bc18d83207c88983f907562764918b
SHA1: ca02fb1d6c55cca9ec9353ab2a6c377109c1cd55
SHA256: b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42
SHA512: b6062b0ad9216c9a4a0763e8d5594b3f81f97da9343769c43d006e347803be595bdec05127b1e1a4a8dd162ce86c193a5bb2ba5ebefa90f616a1b38ecc0ab85e
SSDEEP: 1536:HDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:jiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config (extracted)
Family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  PID   Process
  4392  omsecor.exe
  2848  omsecor.exe
  1160  omsecor.exe
  4580  omsecor.exe
  3992  omsecor.exe
  2276  omsecor.exe
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe (by omsecor.exe)
- Suspicious use of SetThreadContext (4 IoCs)
  PID   Target PID  Process                                                                 procid_target
  4456  3056        b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe  83
  4392  2848        omsecor.exe                                                             87
  1160  4580        omsecor.exe                                                             108
  3992  2276        omsecor.exe                                                             112
- Program crash (4 IoCs)
  PID   Target PID  Process       procid_target
  2392  4456        WerFault.exe  82
  1544  4392        WerFault.exe  85
  5008  1160        WerFault.exe  107
  3300  3992        WerFault.exe  110
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: omsecor.exe (6 times), b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe (2 times)
- Suspicious use of WriteProcessMemory (29 IoCs)
  PID   Target PID  Process                                                                 procid_target  Count
  4456  3056        b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe  83             5
  3056  4392        b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe  85             3
  4392  2848        omsecor.exe                                                             87             5
  2848  1160        omsecor.exe                                                             107            3
  1160  4580        omsecor.exe                                                             108            5
  4580  3992        omsecor.exe                                                             110            3
  3992  2276        omsecor.exe                                                             112            5
Processes (indented by depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe (PID 4456)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe (PID 3056)
     Command line: C:\Users\Admin\AppData\Local\Temp\b56f25dc932cb6b1f3276f2533b8093db250efbb8ecda5860b13c0f439a3bf42.exe
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4392)
       Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2848)
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\omsecor.exe (PID 1160)
           Command line: C:\Windows\System32\omsecor.exe
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\omsecor.exe (PID 4580)
             Command line: C:\Windows\SysWOW64\omsecor.exe
             - Executes dropped EXE
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3992)
               Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
              8. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2276)
                 Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 - Executes dropped EXE
                 - System Location Discovery: System Language Discovery
              8. C:\Windows\SysWOW64\WerFault.exe (PID 3300)
                 Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 264
                 - Program crash
          6. C:\Windows\SysWOW64\WerFault.exe (PID 5008)
             Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 296
             - Program crash
      4. C:\Windows\SysWOW64\WerFault.exe (PID 1544)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 288
         - Program crash
  2. C:\Windows\SysWOW64\WerFault.exe (PID 2392)
     Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 300
     - Program crash
1. C:\Windows\SysWOW64\WerFault.exe (PID 3192)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4456 -ip 4456
1. C:\Windows\SysWOW64\WerFault.exe (PID 3288)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4392 -ip 4392
1. C:\Windows\SysWOW64\WerFault.exe (PID 4900)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1160 -ip 1160
1. C:\Windows\SysWOW64\WerFault.exe (PID 3772)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3992 -ip 3992
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files)
- Filesize: 134KB
  MD5: 20180de6e32a7cbebbb1628f087857a2
  SHA1: 28027e2eee081e71ddfcf46338293aec51c4664d
  SHA256: b75d557e63a292b7ca4f7daeb43695afc6ca115b09351759f6a3017294be7f2e
  SHA512: f8417e3752b7fef833d3122a966a3565d72afea4747fbc705ddd10e339017761613b81b40a6cab6a4e4ee6e6f663ed5ff22f53f8102af19ca6eaf06433fe96d5
- Filesize: 134KB
  MD5: 38558e5f21c3321c91e3f8257952429b
  SHA1: ed0679de9dc7567f19e87982e68165086a4bed5c
  SHA256: ba72918598727e6415bbd398684717d2bdb8ecd84e46ee7896f9927785a4e86d
  SHA512: 56aa885c0754a2ca12c4a0c3b3997960af0b18418df59b4fb1729991a5026d2b98d727b1c07ee33df9f32fdc6a05e1785499868760333a8daf32ed4f18a9adf0
- Filesize: 134KB
  MD5: 361f6dfc2ce0af918723c1a463153a7b
  SHA1: b21ea454a3bd3246af53a74b0e9e8dec1caa1b70
  SHA256: df72b3a76350f661c37adce819dc91c072c7d6bebb5101bcbffb83e43925373d
  SHA512: f5cb47144bb8d1e2cdd1e5908a2728a143038422d20bbb536d9a8c6266c723059a8321320f0168d902bb98f70ffb6007db865bd337f6c19fbb6bd8024bdabe0f