Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis

max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2025, 00:29
Static task: static1
Behavioral task: behavioral1
Sample: 1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
Resource: win7-20241023-en
General

Target: 1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
Size: 134KB
MD5: 099abb3081d65799fc9b40e3df5cd1a8
SHA1: ceb4f89461297162a73acd8ffc58b56e24109d5c
SHA256: 1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a
SHA512: a71ce8a1f65c9f3383d6dbc52fb9c208054bfb8cf2c0b06164325ad1764ca05cba86885a4b5f51f1c677a29966bf89626c4bda9e15e260ecd4ff12d488bb58b6
SSDEEP: 1536:qDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi/:MiRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd family
-
Executes dropped EXE (6 IoCs)

pid   Process
2984  omsecor.exe
2632  omsecor.exe
4532  omsecor.exe
2332  omsecor.exe
1928  omsecor.exe
1484  omsecor.exe
Drops file in System32 directory (1 IoC)

description   ioc                                Process
File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe
Suspicious use of SetThreadContext (4 IoCs)

description                             pid   Process                                                                  procid_target
PID 1448 set thread context of 1500     1448  1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe  83
PID 2984 set thread context of 2632     2984  omsecor.exe                                                              88
PID 4532 set thread context of 2332     4532  omsecor.exe                                                              98
PID 1928 set thread context of 1484     1928  omsecor.exe                                                              102
Program crash (4 IoCs)

pid   pid_target  Process       procid_target
3512  1448        WerFault.exe  82
816   2984        WerFault.exe  85
3332  4532        WerFault.exe  97
5076  1928        WerFault.exe  100
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
Suspicious use of WriteProcessMemory (29 IoCs)

description                        pid   Process                                                                  procid_target
PID 1448 wrote to memory of 1500   1448  1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe  83
PID 1448 wrote to memory of 1500   1448  1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe  83
PID 1448 wrote to memory of 1500   1448  1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe  83
PID 1448 wrote to memory of 1500   1448  1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe  83
PID 1448 wrote to memory of 1500   1448  1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe  83
PID 1500 wrote to memory of 2984   1500  1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe  85
PID 1500 wrote to memory of 2984   1500  1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe  85
PID 1500 wrote to memory of 2984   1500  1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe  85
PID 2984 wrote to memory of 2632   2984  omsecor.exe                                                              88
PID 2984 wrote to memory of 2632   2984  omsecor.exe                                                              88
PID 2984 wrote to memory of 2632   2984  omsecor.exe                                                              88
PID 2984 wrote to memory of 2632   2984  omsecor.exe                                                              88
PID 2984 wrote to memory of 2632   2984  omsecor.exe                                                              88
PID 2632 wrote to memory of 4532   2632  omsecor.exe                                                              97
PID 2632 wrote to memory of 4532   2632  omsecor.exe                                                              97
PID 2632 wrote to memory of 4532   2632  omsecor.exe                                                              97
PID 4532 wrote to memory of 2332   4532  omsecor.exe                                                              98
PID 4532 wrote to memory of 2332   4532  omsecor.exe                                                              98
PID 4532 wrote to memory of 2332   4532  omsecor.exe                                                              98
PID 4532 wrote to memory of 2332   4532  omsecor.exe                                                              98
PID 4532 wrote to memory of 2332   4532  omsecor.exe                                                              98
PID 2332 wrote to memory of 1928   2332  omsecor.exe                                                              100
PID 2332 wrote to memory of 1928   2332  omsecor.exe                                                              100
PID 2332 wrote to memory of 1928   2332  omsecor.exe                                                              100
PID 1928 wrote to memory of 1484   1928  omsecor.exe                                                              102
PID 1928 wrote to memory of 1484   1928  omsecor.exe                                                              102
PID 1928 wrote to memory of 1484   1928  omsecor.exe                                                              102
PID 1928 wrote to memory of 1484   1928  omsecor.exe                                                              102
PID 1928 wrote to memory of 1484   1928  omsecor.exe                                                              102
Processes

(Level = depth in the process tree; each process is a child of the nearest preceding process one level up.)

Level 1: C:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1448

  Level 2: C:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1500

    Level 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2984

      Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2632

        Level 5: C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4532

          Level 6: C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2332

            Level 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 1928

              Level 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 1484

              Level 8: C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 256
                - Program crash
                PID: 5076

          Level 6: C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 292
            - Program crash
            PID: 3332

      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 288
        - Program crash
        PID: 816

  Level 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 288
    - Program crash
    PID: 3512

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1448 -ip 1448
  PID: 2756

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2984 -ip 2984
  PID: 3968

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4532 -ip 4532
  PID: 4220

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1928 -ip 1928
  PID: 2104
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 134KB
MD5: 8f71664fabd6ab31cef8e91a269e9170
SHA1: 693715e0cc2fb7639ece4734dbe8c5d711f2486f
SHA256: 0f4e4e682de0e656001395121ba9f920dc301f55e9a1b828b19cbdb3587d57a7
SHA512: baa5068282ebaa388197aabe92063d79b02ddca6cb8753b398a79c51eaab2b3de375358b2cf42c73d030ef1fd8f3592d7a05910ba01f4d881c67313ab7cf22ad

Filesize: 134KB
MD5: eba86746668f8d90837926342a64fc77
SHA1: d1cd0e6c55f25e5de3433539b613c219ac468f70
SHA256: 891bb93e65898c960feb8d16067e34590b84d56da12fa24342b5d9de622deb78
SHA512: fd87b1d2894ac9b62ce73cf5f6fee593b8fffbd5ba2cf54916bd66520c2832577c4d0f8562fe1f171facb7e1091a9f768cff8be021d6fa3bd9de816a768566d9

Filesize: 134KB
MD5: c2d8ad8c9b5f25e68e618aedd4aedaf9
SHA1: 72a2866e9a665ec660894cab155665f61dc06009
SHA256: a593a5ecfdbaae5bf719a0cf003ed1d167db06ccc85324856912efa0f55e64f4
SHA512: a6466da9fd5b6d8d3658b456f778ad164dd71166d97ad3704d3c9fb2b9496ff7a9179ba7fe5cade53bae61648e48e2b1c671761cd7c0e6305eeaa8497066dc2d