Analysis
max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2025, 10:12
Static task: static1
Behavioral task: behavioral1
Sample: 00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
Resource: win7-20240903-en
General
Target: 00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
Size: 134KB
MD5: 17abba9b7903c73f47d031d6a7ca2973
SHA1: 054397fba61cb951cb8cac20adada39cf4c0d3f6
SHA256: 00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4
SHA512: c4513e79cd8b9f162245348e410120dbdb725f71d2971d0a645ad0fc93b132f1211a3e8ae4f5bff52c7a8cead5f94af4cd8abc0a120770a081fab31a30400e28
SSDEEP: 1536:FDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiX:liRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config
Extracted family: neconyd
C2 URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Neconyd family

Executes dropped EXE (6 IoCs)
pid   Process
2964  omsecor.exe
2784  omsecor.exe
744   omsecor.exe
4796  omsecor.exe
3524  omsecor.exe
3972  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process                                                                 procid_target
PID 1896 set thread context of 404   1896  00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe  83
PID 2964 set thread context of 2784  2964  omsecor.exe                                                             88
PID 744 set thread context of 4796   744   omsecor.exe                                                             98
PID 3524 set thread context of 3972  3524  omsecor.exe                                                             101

Program crash (4 IoCs)
pid   pid_target  Process       procid_target
3168  1896        WerFault.exe  82
1584  2964        WerFault.exe  87
3164  744         WerFault.exe  97
2128  3524        WerFault.exe  100
Every pid_target in this table is a process that, per the table above, set the thread context of a child it had just written to: the injecting parent faults after handing off, while the injected children (404, 2784, 4796, 3972) are never reported as crashed.

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, count in the last column)
description                        pid   Process                                                                 procid_target  count
PID 1896 wrote to memory of 404    1896  00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe  83             5
PID 404 wrote to memory of 2964    404   00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe  87             3
PID 2964 wrote to memory of 2784   2964  omsecor.exe                                                             88             5
PID 2784 wrote to memory of 744    2784  omsecor.exe                                                             97             3
PID 744 wrote to memory of 4796    744   omsecor.exe                                                             98             5
PID 4796 wrote to memory of 3524   4796  omsecor.exe                                                             100            3
PID 3524 wrote to memory of 3972   3524  omsecor.exe                                                             101            5
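Reading the SetThreadContext, WriteProcessMemory and Program crash tables against each other by hand is error-prone, so the following Python is an added example (not tria.ge code) that parses the rows in the flattened one-line form the report shows them, rebuilds the parent-to-child chain, labels each hop as a hollowing injection (parent wrote memory and set thread context on the child) or a plain spawn (memory writes only), and reports which injected processes were never crashed. The input strings are constructed from this report's own rows; the regular expressions and the hop labels are this example's assumptions, not part of the sandbox output.

```python
import re
from collections import defaultdict

SAMPLE = "00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe"

# Constructed input: the rows of the report's three signature tables in the
# flattened one-line form the page shows them. Repeated WriteProcessMemory
# rows are reproduced with a multiplier instead of being typed out 29 times.
SET_THREAD_CONTEXT = (
    f"PID 1896 set thread context of 404 1896 {SAMPLE} 83 "
    "PID 2964 set thread context of 2784 2964 omsecor.exe 88 "
    "PID 744 set thread context of 4796 744 omsecor.exe 98 "
    "PID 3524 set thread context of 3972 3524 omsecor.exe 101"
)
WRITE_PROCESS_MEMORY = (
    f"PID 1896 wrote to memory of 404 1896 {SAMPLE} 83 " * 5
    + f"PID 404 wrote to memory of 2964 404 {SAMPLE} 87 " * 3
    + "PID 2964 wrote to memory of 2784 2964 omsecor.exe 88 " * 5
    + "PID 2784 wrote to memory of 744 2784 omsecor.exe 97 " * 3
    + "PID 744 wrote to memory of 4796 744 omsecor.exe 98 " * 5
    + "PID 4796 wrote to memory of 3524 4796 omsecor.exe 100 " * 3
    + "PID 3524 wrote to memory of 3972 3524 omsecor.exe 101 " * 5
)
PROGRAM_CRASH = (
    "3168 1896 WerFault.exe 82 1584 2964 WerFault.exe 87 "
    "3164 744 WerFault.exe 97 2128 3524 WerFault.exe 100"
)

# One row: "PID <src> <verb> <dst> <src> <image> <procid_target>"; the
# backreference \1 pins the second pid to the first so columns cannot slip.
ROW_RE = re.compile(
    r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+) \1 (\S+) (\d+)"
)
# One row: "<werfault pid> <crashed pid> WerFault.exe <procid_target>"
CRASH_RE = re.compile(r"(\d+) (\d+) WerFault\.exe (\d+)")


def parse_rows(text):
    """Collapse per-call rows into {(src_pid, dst_pid): (image, count)}."""
    rows = {}
    for m in ROW_RE.finditer(text):
        key = (int(m.group(1)), int(m.group(2)))
        image, count = rows.get(key, (m.group(3), 0))
        rows[key] = (image, count + 1)
    return rows


def parse_crashes(text):
    """Map crashed pid -> pid of the WerFault.exe instance that handled it."""
    return {int(m.group(2)): int(m.group(1)) for m in CRASH_RE.finditer(text)}


def build_chain(root):
    """Depth-first walk of parent->child WriteProcessMemory edges from root.

    A hop is labelled 'hollow' when the parent also called SetThreadContext
    on that child (write payload, redirect the suspended thread, resume);
    any other write-only relationship is labelled 'spawn'.
    """
    injected = set(parse_rows(SET_THREAD_CONTEXT))
    crashed = parse_crashes(PROGRAM_CRASH)
    children = defaultdict(list)
    for (src, dst), (image, count) in parse_rows(WRITE_PROCESS_MEMORY).items():
        children[src].append((dst, image, count))

    chain = []

    def walk(pid):
        for child, image, writes in sorted(children[pid]):
            chain.append({
                "parent": pid, "child": child, "image": image, "writes": writes,
                "kind": "hollow" if (pid, child) in injected else "spawn",
                "parent_crashed": pid in crashed,
            })
            walk(child)

    walk(root)
    return chain


def payload_hosts(root):
    """Injected children with no crash record: where the payload is live."""
    crashed = parse_crashes(PROGRAM_CRASH)
    return [h["child"] for h in build_chain(root)
            if h["kind"] == "hollow" and h["child"] not in crashed]


if __name__ == "__main__":
    for hop in build_chain(1896):
        note = " (parent crashed after hand-off)" if hop["parent_crashed"] else ""
        print(f"{hop['parent']} -{hop['kind']}-> {hop['child']} "
              f"{hop['image']} x{hop['writes']} writes{note}")
    print("live payload hosts:", payload_hosts(1896))
```

Run from the report's root PID (1896) this yields an alternating hollow/spawn chain: every hollow hop has five memory writes and a parent that WerFault later reports crashed, every spawn hop has three writes and a parent that stays up, and the live payload hosts come out as 404, 2784, 4796 and 3972. The write counts are specific to this report; the labels are what a hunt query should key on (WriteProcessMemory plus SetThreadContext from a parent to its own suspended child), not the counts.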
Processes (indented by process-tree level)

level 1: C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe"
  PID 1896
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  level 2: C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
    command line: C:\Users\Admin\AppData\Local\Temp\00700fd8f51e7e4a3347522e3d5698c1a326441fe0dd0fce00cdc30c161d02e4.exe
    PID 404
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    level 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID 2964
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID 2784
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        level 5: C:\Windows\SysWOW64\omsecor.exe
          command line: C:\Windows\System32\omsecor.exe
          (the command line names System32, but the parent is a 32-bit process, so WoW64 file-system redirection resolves it to SysWOW64, which is also where the "Drops file in System32 directory" IoC shows the file being created)
          PID 744
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          level 6: C:\Windows\SysWOW64\omsecor.exe
            command line: C:\Windows\SysWOW64\omsecor.exe
            PID 4796
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            level 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID 3524
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              level 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID 3972
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

              level 8: C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 256
                PID 2128
                - Program crash

          level 6: C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 292
            PID 3164
            - Program crash

      level 4: C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 288
        PID 1584
        - Program crash

  level 2: C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 300
    PID 3168
    - Program crash

level 1: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1896 -ip 1896
  PID 684

level 1: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2964 -ip 2964
  PID 2160

level 1: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 744 -ip 744
  PID 3408

level 1: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3524 -ip 3524
  PID 448
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 134KB
MD5: 87a597b34f67271d72573bfdd220c97d
SHA1: fdd417d84462d204ae5991c2e69bcacf747b9f11
SHA256: 82d9478fcc8c7fb7054b2e26e39e2779e9881f8c107ac34c8fac0c333f788d8d
SHA512: b64df6930c59076308645f4e5bbd84f78bbe5ab88e18b9f61013718527e8fb422a68a37de133dbf771eb569dfb5d5742c3f53ff17a421daaf1c2182739217cc7

Filesize: 134KB
MD5: f12dbc220a90f9e2d2ad8303e5ecdf8f
SHA1: 080e72badfb81e725ac3e52a56631f35b7f19505
SHA256: 033c2a7eaf3e01e3a5cfdb858472fae641a5c0467b5573e31228a54484d2ad3f
SHA512: 932fbb6ad2a17125f8566ac4e9ab9f7fa4aea9e8d5805b73232272f8608604f7d9ddbb22d1c18b717868242da6fe4908218d7b039c4eeeaefeea14a63d85bd8e

Filesize: 134KB
MD5: 9fda2a87b48fbfbda9ae176b1b252bcd
SHA1: 6b1f88472a318987d297ec13a153658d6e11d2e8
SHA256: 9d4ec2f6ded9dca6bd6904d03c214a116be3539d59569d6f4d37a60e29fb97eb
SHA512: d2962f8961d28c82b8d2dee20e4ec4d18a5656a70093eff033aeea7b2cb8b180edfa0430274a66a98150b328956138ebf1e858f42f3ae356ae4693a057e53adc