Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/02/2025, 16:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
- Resource: win7-20241010-en
General
- Target: 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
- Size: 96KB
- MD5: b55545b8ebbe3b5559e4615778d5a610
- SHA1: 4cad156ecebb8a3a88947778e279386b68685260
- SHA256: 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706ab
- SHA512: 28def2b2454383345a82949d9f00d9787036c4ad3ab64d82d7e86c588383e348be7e36d850148bda0c97bf6a3b7d00e530edcbb35c22db14813cf8ad9e0f04e3
- SSDEEP: 1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:UGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted family: neconyd
C2 URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

- Neconyd family

- Executes dropped EXE (6 IoCs)

| pid  | Process     |
|------|-------------|
| 2040 | omsecor.exe |
| 3200 | omsecor.exe |
| 2680 | omsecor.exe |
| 3996 | omsecor.exe |
| 448  | omsecor.exe |
| 1268 | omsecor.exe |

- Drops file in System32 directory (1 IoC)

| description  | ioc                             | Process     |
|--------------|---------------------------------|-------------|
| File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe |

- Suspicious use of SetThreadContext (4 IoCs)

| description                             | pid  | Process                                                              | procid_target |
|-----------------------------------------|------|----------------------------------------------------------------------|---------------|
| PID 4628 set thread context of 4248     | 4628 | 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe | 83            |
| PID 2040 set thread context of 3200     | 2040 | omsecor.exe                                                          | 87            |
| PID 2680 set thread context of 3996     | 2680 | omsecor.exe                                                          | 100           |
| PID 448 set thread context of 1268      | 448  | omsecor.exe                                                          | 104           |

- Program crash (4 IoCs)

| pid  | pid_target | Process      | procid_target |
|------|------------|--------------|---------------|
| 3260 | 4628       | WerFault.exe | 82            |
| 3948 | 2040       | WerFault.exe | 85            |
| 3576 | 2680       | WerFault.exe | 99            |
| 3636 | 448        | WerFault.exe | 102           |
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc                                                            | Process                                                              |
|-------------|----------------------------------------------------------------|----------------------------------------------------------------------|
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | omsecor.exe                                                          |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | omsecor.exe                                                          |
- Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed with a count column)

| description                      | pid  | Process                                                              | procid_target | count |
|----------------------------------|------|----------------------------------------------------------------------|---------------|-------|
| PID 4628 wrote to memory of 4248 | 4628 | 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe | 83            | 5     |
| PID 4248 wrote to memory of 2040 | 4248 | 09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe | 85            | 3     |
| PID 2040 wrote to memory of 3200 | 2040 | omsecor.exe                                                          | 87            | 5     |
| PID 3200 wrote to memory of 2680 | 3200 | omsecor.exe                                                          | 99            | 3     |
| PID 2680 wrote to memory of 3996 | 2680 | omsecor.exe                                                          | 100           | 5     |
| PID 3996 wrote to memory of 448  | 3996 | omsecor.exe                                                          | 102           | 3     |
| PID 448 wrote to memory of 1268  | 448  | omsecor.exe                                                          | 104           | 5     |
Processes

Process tree (indentation shows parent/child; the trailing number in the original listing was the tree depth):

- PID 4628: C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - PID 4248: C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\09eb2a6f05510dd24d687fb32eacf0fe455f562f4fc8c7ba152e864b746706abN.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - PID 2040: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - PID 3200: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - PID 2680: C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - PID 3996: C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - PID 448: C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - PID 1268: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - PID 3636: C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 256
                Signatures: Program crash
          - PID 3576: C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 292
            Signatures: Program crash
      - PID 3948: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 288
        Signatures: Program crash
  - PID 3260: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 288
    Signatures: Program crash
- PID 4432: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4628 -ip 4628
- PID 4152: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2040 -ip 2040
- PID 1308: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2680 -ip 2680
- PID 1208: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 448 -ip 448
Network
MITRE ATT&CK Enterprise v15
Downloads