Analysis
  Max time kernel:  115s
  Max time network: 119s
  Platform:         windows10-2004_x64
  Resource:         win10v2004-20241007-en
  Resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:        27/01/2025, 02:03
Tasks
  Static task:     static1
  Behavioral task: behavioral1
    Sample:   0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
    Resource: win7-20240903-en
General
  Target: 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
  Size:   96KB
  MD5:    424f283b670f5184ae95851fe76a3603
  SHA1:   e95026178513a139cf4c9d44f37d1142bb8559ce
  SHA256: 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db
  SHA512: a11068534d6917d2bc4a5d985606ad9dc4b5f1c5dc506bd3bae6ee7e251c3c41e53d9b27abcc1712bbc70ef6417436cf7b2fe17cd80bce2adc4bdfb7a2262210
  SSDEEP: 1536:WnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:WGs8cd8eXlYairZYqMddH13L
Malware Config
  Extracted family: neconyd
  URLs:
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
  PID  | Process
  2816 | omsecor.exe
  2848 | omsecor.exe
  1604 | omsecor.exe
  1836 | omsecor.exe
  428  | omsecor.exe
  2624 | omsecor.exe

Drops file in System32 directory (1 IoC)
  Description  | IoC                             | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  Description                         | PID  | Process                                                              | procid_target
  PID 5056 set thread context of 4628 | 5056 | 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe | 83
  PID 2816 set thread context of 2848 | 2816 | omsecor.exe                                                          | 87
  PID 1604 set thread context of 1836 | 1604 | omsecor.exe                                                          | 108
  PID 428 set thread context of 2624  | 428  | omsecor.exe                                                          | 112

Program crash (4 IoCs)
  PID  | pid_target | Process      | procid_target
  4892 | 5056       | WerFault.exe | 82
  4568 | 2816       | WerFault.exe | 86
  2136 | 1604       | WerFault.exe | 107
  2308 | 428        | WerFault.exe | 110
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Description | IoC                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Suspicious use of WriteProcessMemory (29 IoCs)
Identical rows are collapsed below; the Occurrences column gives how many times each row appears in the report (29 in total).
  Description                      | PID  | Process                                                              | procid_target | Occurrences
  PID 5056 wrote to memory of 4628 | 5056 | 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe | 83            | 5
  PID 4628 wrote to memory of 2816 | 4628 | 0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe | 86            | 3
  PID 2816 wrote to memory of 2848 | 2816 | omsecor.exe                                                          | 87            | 5
  PID 2848 wrote to memory of 1604 | 2848 | omsecor.exe                                                          | 107           | 3
  PID 1604 wrote to memory of 1836 | 1604 | omsecor.exe                                                          | 108           | 5
  PID 1836 wrote to memory of 428  | 1836 | omsecor.exe                                                          | 110           | 3
  PID 428 wrote to memory of 2624  | 428  | omsecor.exe                                                          | 112           | 5
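The SetThreadContext, WriteProcessMemory and Program crash rows above together describe a single injection chain, but the flattened tables make it hard to see. The following is an added example, not part of the Triage report or of the Neconyd sample: it parses those three tables (copied from this report into string constants, with the repeated WriteProcessMemory rows reduced to one copy each) and reconstructs the chain. A parent that both writes into a child and then resets that child's thread context has performed the classic process-hollowing handshake; a write alone is treated only as a parent/child edge. The script then follows the write edges from the submitted sample to the last process and checks which of the injecting parents were the ones WerFault reported as crashed.

```python
"""Reconstruct the injection chain recorded in this report's Signatures.

Added example, not part of the Triage report or the Neconyd sample: parses
the flattened 'Suspicious use of SetThreadContext', 'Suspicious use of
WriteProcessMemory' and 'Program crash' rows copied from the report above.
"""
import re

SAMPLE = "0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe"

# Rows copied from the report. Columns: description, pid, Process, procid_target
# (procid_target is Triage's own process index, not an OS PID). The page repeats
# WriteProcessMemory rows (29 IoCs); parse_rows de-duplicates them.
SET_THREAD_CONTEXT = f"""
PID 5056 set thread context of 4628 5056 {SAMPLE} 83
PID 2816 set thread context of 2848 2816 omsecor.exe 87
PID 1604 set thread context of 1836 1604 omsecor.exe 108
PID 428 set thread context of 2624 428 omsecor.exe 112
"""
WRITE_PROCESS_MEMORY = f"""
PID 5056 wrote to memory of 4628 5056 {SAMPLE} 83
PID 5056 wrote to memory of 4628 5056 {SAMPLE} 83
PID 4628 wrote to memory of 2816 4628 {SAMPLE} 86
PID 2816 wrote to memory of 2848 2816 omsecor.exe 87
PID 2848 wrote to memory of 1604 2848 omsecor.exe 107
PID 1604 wrote to memory of 1836 1604 omsecor.exe 108
PID 1836 wrote to memory of 428 1836 omsecor.exe 110
PID 428 wrote to memory of 2624 428 omsecor.exe 112
"""
# Columns on the page: pid pid_target Process procid_target
PROGRAM_CRASH = ("4892 5056 WerFault.exe 82 4568 2816 WerFault.exe 86 "
                 "2136 1604 WerFault.exe 107 2308 428 WerFault.exe 110")

ROW = re.compile(
    r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+) \d+ (\S+) \d+$")
CRASH = re.compile(r"(\d+) (\d+) WerFault\.exe \d+")


def parse_rows(text):
    """Return ordered, de-duplicated (parent_pid, child_pid, parent_image) tuples."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        rec = (int(m.group(1)), int(m.group(2)), m.group(3))
        if rec not in rows:
            rows.append(rec)
    return rows


def parse_crashes(text):
    """Map crashed pid -> PID of the WerFault.exe instance that reported it."""
    return {int(target): int(werfault) for werfault, target in CRASH.findall(text)}


def hollowing_pairs(stc_rows, wpm_rows):
    """Parents that wrote into a child AND reset its thread context."""
    written = {(p, c) for p, c, _ in wpm_rows}
    return [(p, c, img) for p, c, img in stc_rows if (p, c) in written]


def build_chain(wpm_rows, root_pid):
    """Follow 'wrote to memory of' edges from the root; stop on a cycle."""
    next_pid = {}
    for p, c, _ in wpm_rows:
        next_pid.setdefault(p, c)
    chain = [root_pid]
    while chain[-1] in next_pid and next_pid[chain[-1]] not in chain:
        chain.append(next_pid[chain[-1]])
    return chain


def report(root_pid=5056):
    stc = parse_rows(SET_THREAD_CONTEXT)
    wpm = parse_rows(WRITE_PROCESS_MEMORY)
    crashes = parse_crashes(PROGRAM_CRASH)
    pairs = hollowing_pairs(stc, wpm)
    return {
        "chain": build_chain(wpm, root_pid),
        "hollowed": pairs,
        # injectors that handed execution to a hollowed child and then crashed
        "crashed_injectors": sorted(p for p, _, _ in pairs if p in crashes),
        "crash_reporters": crashes,
    }


if __name__ == "__main__":
    r = report()
    print("chain:", " -> ".join(map(str, r["chain"])))
    for parent, child, image in r["hollowed"]:
        tag = "  [parent crashed]" if parent in r["crash_reporters"] else ""
        print(f"hollowing: {image} ({parent}) -> {child}{tag}")
```

Run against the report's rows, the chain is 5056 -> 4628 -> 2816 -> 2848 -> 1604 -> 1836 -> 428 -> 2624, the hollowing pairs are (5056, 4628), (2816, 2848), (1604, 1836) and (428, 2624), and all four injecting parents are exactly the four PIDs WerFault reported. The write-only edges (4628 -> 2816, 2848 -> 1604, 1836 -> 428) line up with the process tree, where each hollowed child spawns the next omsecor.exe copy. For triage this means the "Program crash" signature here is a side effect of each stage discarding its injector, not a sign that the sample failed.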
Processes
Indentation follows the parent/child tree. Each entry gives the image path, the command line as observed, the PID, and the signatures that fired on that process.

C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe"
  PID: 5056
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0682c0d80c7fdcda76f2834c69997077389cb66f8bbfa3071e9d32089848e1db.exe
    PID: 4628
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2816
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2848
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          PID: 1604
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            PID: 1836
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 428
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 2624
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

              C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 268
                PID: 2308
                - Program crash

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 292
            PID: 2136
            - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 288
        PID: 4568
        - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 300
    PID: 4892
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5056 -ip 5056
  PID: 4828

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2816 -ip 2816
  PID: 4924

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1604 -ip 1604
  PID: 3920

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 428 -ip 428
  PID: 4596

Two details of the tree are worth reading carefully. First, PID 1604 was launched with the command line C:\Windows\System32\omsecor.exe but the image that actually ran is C:\Windows\SysWOW64\omsecor.exe: the sample is 32-bit (resource tag arch:x86) on a 64-bit platform, so WOW64 file-system redirection maps its System32 path to SysWOW64, which is also why the "Drops file in System32 directory" signature records the file under C:\Windows\SysWOW64\omsecor.exe. Second, the four WerFault.exe -u -p instances report crashes of PIDs 5056, 2816, 1604 and 428, which are exactly the four processes that fired "Suspicious use of SetThreadContext" on a child; in each case the child survives and continues the chain.
Network
MITRE ATT&CK Enterprise v15
Downloads
Three files were dropped during the run, each 96KB.

File 1
  Filesize: 96KB
  MD5:    c82a8df0bc50b0b9118b443c8e41e54e
  SHA1:   65bd77751c494aece4650d0c248e51747721fba2
  SHA256: 6f802dcd68d1dd9bb32304d70c2a4f2a10867d2918dbc9355771bb438edc9ad2
  SHA512: 292b2047bdf12bc5eede6438c2edf843898256b32d7d9523238b5e1493504c3140bd2cd19f7c4b8c8a3c962cb25da2fdb5b4d19443fc76afec751d40a6fa9885

File 2
  Filesize: 96KB
  MD5:    53966f9be167af83b0ba210b95aa4a6e
  SHA1:   c6dd9bf60a28b3112f07d83603baf83dbffad9c0
  SHA256: 0d70416395b922c2b4e43afc07122734f46911f80ff8886bad5890018aed205a
  SHA512: b04ca4174a788a320bc6f17d06527200c357b293b2d5b064b605a8ba24f3f5a55c8b383b8def35e9454ab8dfb7d0e9a9a4124369d024553b67e7430e81fcc834

File 3
  Filesize: 96KB
  MD5:    48a261900db1d7ba6c6e9555ad28a01a
  SHA1:   94e91a0db4d3fa5d95f948b13b89b7457938943f
  SHA256: 43baa10f8b8a798260a70c109ee8536363107f795c1e21ed30fc94f2be31ede8
  SHA512: fed8705ca2c7d268dc37790d7ef5c05095821e7e82c398e545e9057c61b67cc57ea3e6d3a991e5b213b100eb824eddc0fbd41291d667ec3a684a85385e552be2