Analysis
max time kernel: 118s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2025, 13:03
Static task: static1
Behavioral task: behavioral1
Sample: b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
Resource: win7-20241010-en
General
Target: b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
Size: 96KB
MD5: 82ec32e61d3cc855216c94aad2018f85
SHA1: 95032b286624fc8c10a48a2c4ec163b0d695976e
SHA256: b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385
SHA512: 0b5c54953891e065906f62d65afc9f3ca7684ed7ed578ade6a7e32e6f378bca823045de58f3ee303838da179f52d98eb8f6fcc3881a6979628beab961778f013
SSDEEP: 1536:MnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:MGs8cd8eXlYairZYqMddH13b
Malware Config
Extracted (family: neconyd)
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Neconyd family
Executes dropped EXE (6 IoCs)
pid    Process
2684   omsecor.exe
948    omsecor.exe
740    omsecor.exe
636    omsecor.exe
4828   omsecor.exe
4860   omsecor.exe
Drops file in System32 directory (1 IoC)
description    ioc                               Process
File created   C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
Note: the signature name says System32 but the recorded path is SysWOW64. The sample is 32-bit (resource tag arch:x86, crashes handled by the SysWOW64 WerFault.exe), so a write to C:\Windows\System32 is redirected by WOW64 file system redirection to C:\Windows\SysWOW64; the process tree below shows the same effect, with a command line of C:\Windows\System32\omsecor.exe and an image path of C:\Windows\SysWOW64\omsecor.exe. Hunt for the file under SysWOW64, not System32.
Suspicious use of SetThreadContext (4 IoCs)
description                           pid    Process                                                                 procid_target
PID 4892 set thread context of 1072   4892   b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe   84
PID 2684 set thread context of 948    2684   omsecor.exe                                                             90
PID 740 set thread context of 636     740    omsecor.exe                                                             101
PID 4828 set thread context of 4860   4828   omsecor.exe                                                             105
Program crash (4 IoCs)
pid    pid_target   Process        procid_target
3540   4892         WerFault.exe   82
1668   2684         WerFault.exe   88
812    740          WerFault.exe   100
4720   4828         WerFault.exe   103
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs; MITRE ATT&CK T1614.001)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                              Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      omsecor.exe
Suspicious use of WriteProcessMemory (29 IoCs, collapsed below into one row per source/target pair with a repeat count)
description                         pid    Process                                                                 procid_target   count
PID 4892 wrote to memory of 1072    4892   b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe   84              5
PID 1072 wrote to memory of 2684    1072   b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe   88              3
PID 2684 wrote to memory of 948     2684   omsecor.exe                                                             90              5
PID 948 wrote to memory of 740      948    omsecor.exe                                                             100             3
PID 740 wrote to memory of 636      740    omsecor.exe                                                             101             5
PID 636 wrote to memory of 4828     636    omsecor.exe                                                             103             3
PID 4828 wrote to memory of 4860    4828   omsecor.exe                                                             105             5
The four pairs with five writes each are exactly the pairs that also appear under SetThreadContext, and each of their source processes is the target of a WerFault.exe crash report above.
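The signature tables above describe one repeating sequence: a process spawns a second copy of its own image, writes into it several times and calls SetThreadContext on it (the classic hollowing / RunPE shape), the writer then crashes, and the hollowed copy writes into a freshly dropped omsecor.exe before the cycle restarts. The script below is an added example, not part of the tria.ge report: it transcribes the report's rows as constructed input and classifies each WriteProcessMemory edge using this example's own heuristic (same-image child plus SetThreadContext equals hollowing; otherwise plain spawn-and-write), then correlates the sources with the Program crash rows.

```python
"""Reconstruct the injection chain from the report's signature rows.

Added example, not tria.ge code. The PIDs, images and counts are
transcribed from the report; the classification rule is this example's
own heuristic.
"""
from __future__ import annotations

from dataclasses import dataclass

SAMPLE = "b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe"

# pid -> image name, from the Processes section of the report
PROCESSES = {
    4892: SAMPLE, 1072: SAMPLE,
    2684: "omsecor.exe", 948: "omsecor.exe",
    740: "omsecor.exe", 636: "omsecor.exe",
    4828: "omsecor.exe", 4860: "omsecor.exe",
}

# child pid -> parent pid, from the process tree (depth 1..8)
PARENT = {1072: 4892, 2684: 1072, 948: 2684, 740: 948,
          636: 740, 4828: 636, 4860: 4828}

# (source, target) rows from "Suspicious use of SetThreadContext"
SET_THREAD_CONTEXT = [(4892, 1072), (2684, 948), (740, 636), (4828, 4860)]

# (source, target, repeat count) rows from "Suspicious use of WriteProcessMemory"
WRITE_PROCESS_MEMORY = [
    (4892, 1072, 5), (1072, 2684, 3), (2684, 948, 5), (948, 740, 3),
    (740, 636, 5), (636, 4828, 3), (4828, 4860, 5),
]

# (WerFault pid, crashed pid) rows from "Program crash"
CRASHES = [(3540, 4892), (1668, 2684), (812, 740), (4720, 4828)]


@dataclass(frozen=True)
class Finding:
    source: int
    target: int
    kind: str            # "hollowing" or "spawn-and-write"
    writes: int
    source_crashed: bool


def classify_chain(processes, parent, stc, wpm, crashes) -> list[Finding]:
    """Classify each write-into-child edge.

    Heuristic (this example's, not tria.ge's): the source spawned the target,
    the two share an image name, and the source also called SetThreadContext
    on the target -> report as hollowing. Any other write into a directly
    spawned child -> spawn-and-write. Writes into non-children are ignored.
    """
    stc_pairs = set(stc)
    crashed = {pid for _, pid in crashes}
    findings = []
    for src, dst, count in wpm:
        if parent.get(dst) != src:
            continue
        same_image = processes[src] == processes[dst]
        kind = "hollowing" if same_image and (src, dst) in stc_pairs else "spawn-and-write"
        findings.append(Finding(src, dst, kind, count, src in crashed))
    return findings


def hollowing_pairs(findings: list[Finding]) -> list[tuple[int, int]]:
    return [(f.source, f.target) for f in findings if f.kind == "hollowing"]


def total_writes(wpm) -> int:
    """Sanity check against the report's '29 IoCs' header."""
    return sum(count for _, _, count in wpm)


if __name__ == "__main__":
    for f in classify_chain(PROCESSES, PARENT, SET_THREAD_CONTEXT,
                            WRITE_PROCESS_MEMORY, CRASHES):
        print(f"{f.source:>5} -> {f.target:<5} {f.kind:<16} "
              f"writes={f.writes} source_crashed={f.source_crashed}")
```

Run against the transcribed rows, the four hollowing edges come out with five writes each and a crashed source, and the three spawn-and-write edges with three writes each and no crash, which is the alternating pattern a detection rule for this family should key on (same-image child creation followed by SetThreadContext from the parent), rather than on the omsecor.exe name alone.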
Processes (image path, command line, PID and triggered signatures; the number is the depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe"
   PID: 4892
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
      PID: 1072
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\omsecor.exe
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 2684
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 948
            - Executes dropped EXE
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\omsecor.exe
               Command line: C:\Windows\System32\omsecor.exe
               PID: 740
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\omsecor.exe
                  Command line: C:\Windows\SysWOW64\omsecor.exe
                  PID: 636
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  7. C:\Users\Admin\AppData\Roaming\omsecor.exe
                     Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                     PID: 4828
                     - Executes dropped EXE
                     - Suspicious use of SetThreadContext
                     - System Location Discovery: System Language Discovery
                     - Suspicious use of WriteProcessMemory
                     8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                        PID: 4860
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                     8. C:\Windows\SysWOW64\WerFault.exe
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 224
                        PID: 4720
                        - Program crash
               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 292
                  PID: 812
                  - Program crash
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 288
            PID: 1668
            - Program crash
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 288
      PID: 3540
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4892 -ip 4892
   PID: 3344

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2684 -ip 2684
   PID: 2044

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 740 -ip 740
   PID: 32

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4828 -ip 4828
   PID: 3176
MITRE ATT&CK Enterprise v15
T1614.001 System Location Discovery: System Language Discovery (Discovery)
Downloads

Filesize: 96KB
MD5: 185cd751140564fc02b2c5a5a0814202
SHA1: 46c4b43014332f30e9736d73f08b4fb37f621ea6
SHA256: e87c9f8994583a0a39bbf72edaa9a60b8f069cad1c776ccbcd475f3ce8257d70
SHA512: 3b9f02ab350ed9ff5df43856935d5fe74a13821065a60b5236a38ce5fa622cef93135051558d48cbdebcdff242cc8d23808b77c68162686c4f8e033f1e6b0e91

Filesize: 96KB
MD5: b4edde9ecce673eb4f02b16fb9ef291d
SHA1: 9e81626129858fc9c02e9fac95ccc592bced1b57
SHA256: c94288e71549ed0d3cdc1385f7ed36eb1b4517b49411c1bf967f963cebf6bb41
SHA512: d40f4fd78a894ef75e4f0a3c3e9bc6d720aa2980af72b437f144d86e28850ce4798dff1aaf2fc84fca135ccbb60fbfb18387cf83626a50e9e57906e79c67f17f

Filesize: 96KB
MD5: 774b8c0d66dccbebc7ed81ed620d2be3
SHA1: 099098fe0e460df33524452081f532cddfa8a491
SHA256: 7b1c665ed702558c7eaa4bd2c4b439a2a63fca3dfc96e34221bb6c5b033d4149
SHA512: 74e0fcbe3f4cc231627f8d157520272a80b72d3b760d603c74b483c4a816820284a3fc084b9b630fddd8fec37c6552204fa2232d3e203e3de38dbd3920f30c51
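The three files above all have the same 96KB size as the submitted sample yet three distinct hash sets, so the dropper rewrites omsecor.exe on each stage and a hash-only sweep will miss the next variant. The script below is an added example and not part of the tria.ge report: it walks a directory tree, flags files by SHA256 against the hashes listed in this report, and independently flags any omsecor.exe sitting in the two drop locations the process tree shows (AppData\Roaming and Windows\SysWOW64). The hash set and drop paths come from the report; the sweep logic and the `demo_fixture` directory layout with made-up file contents are this example's own.

```python
"""Sweep a directory tree for the file indicators in this report.

Added example, not tria.ge code. KNOWN_SHA256 and the drop locations are
taken from the report; everything else (including the constructed test
fixture) is this example's own.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 of the submitted sample plus the three dropped files under Downloads.
KNOWN_SHA256 = {
    "b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385",
    "e87c9f8994583a0a39bbf72edaa9a60b8f069cad1c776ccbcd475f3ce8257d70",
    "c94288e71549ed0d3cdc1385f7ed36eb1b4517b49411c1bf967f963cebf6bb41",
    "7b1c665ed702558c7eaa4bd2c4b439a2a63fca3dfc96e34221bb6c5b033d4149",
}

# Dropped file name and the two directories the report shows it written to.
DROP_NAME = "omsecor.exe"
DROP_DIRS = ("appdata/roaming/", "windows/syswow64/")


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, known_hashes=KNOWN_SHA256) -> list[dict]:
    """Return one record per file matched by hash and/or by drop path.

    'sha256' is an exact match against known_hashes. 'path' means a file
    named omsecor.exe under one of the drop directories; it is reported
    separately because the dropped copies differ from one another, so a
    new stage will not be in the hash set.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if not p.is_file():
                continue  # skip dangling symlinks, devices, pipes
            rel = p.relative_to(root).as_posix()
            reasons = []
            if name.lower() == DROP_NAME and any(d in rel.lower() for d in DROP_DIRS):
                reasons.append("path")
            digest = sha256_file(p)
            if digest in known_hashes:
                reasons.append("sha256")
            if reasons:
                hits.append({"rel": rel, "path": str(p), "sha256": digest, "reasons": reasons})
    return hits


def demo_fixture() -> Path:
    """Constructed directory layout for an offline dry run.

    Only the paths mirror the report; the bytes are placeholders, not
    the real dropper, so they will never match KNOWN_SHA256.
    """
    root = Path(tempfile.mkdtemp(prefix="neconyd-sweep-"))
    roaming = root / "Users" / "Admin" / "AppData" / "Roaming"
    syswow = root / "Windows" / "SysWOW64"
    roaming.mkdir(parents=True)
    syswow.mkdir(parents=True)
    (roaming / "omsecor.exe").write_bytes(b"constructed placeholder, first copy")
    (syswow / "omsecor.exe").write_bytes(b"constructed placeholder, second copy")
    (root / "benign.bin").write_bytes(b"unrelated file")
    return root


if __name__ == "__main__":
    root = demo_fixture()
    for hit in sweep(root):
        print(hit["rel"], hit["reasons"], hit["sha256"][:16])
```

Point `sweep` at a mounted image or a live drive root (run it with rights to read the target directories) and treat a path-only hit as a file to pull and hash, not as a confirmed match; confirmed hashes should be submitted back to the sandbox so the Downloads list above grows with each new stage.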