Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/02/2025, 03:32

Static task: static1
Behavioral task: behavioral1
Sample: b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
Resource: win7-20240903-en
General
- Target: b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
- Size: 96KB
- MD5: 81ec813a24cad85f5b97baf9787fa631
- SHA1: 0a1a7d728bac16c4ba8803e3d215805a2939503e
- SHA256: b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3
- SHA512: a257a07ed481d60a5a075091b75c98ecbe01e9fe84efe7b9371bba73e1829d19a3afb29d26ca017183cd924674e08fec195e0e8417d3490edd0823c8f9aaa4b5
- SSDEEP: 1536:mnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:mGs8cd8eXlYairZYqMddH13L

Malware Config
Extracted
- Family: neconyd
- C2:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures
- Neconyd family

- Executes dropped EXE (6 IoCs)
  pid   Process
  952   omsecor.exe
  2828  omsecor.exe
  1252  omsecor.exe
  2172  omsecor.exe
  2760  omsecor.exe
  3232  omsecor.exe

- Drops file in System32 directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 2756 set thread context of 3904  2756  b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe  83
  PID 952 set thread context of 2828   952   omsecor.exe                                                               88
  PID 1252 set thread context of 2172  1252  omsecor.exe                                                               98
  PID 2760 set thread context of 3232  2760  omsecor.exe                                                               102

- Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  3184  2756        WerFault.exe  82
  1976  952         WerFault.exe  86
  2000  1252        WerFault.exe  97
  3544  2760        WerFault.exe  100

- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   omsecor.exe

- Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed with their count)
  description                      pid   Process                                                                   procid_target  count
  PID 2756 wrote to memory of 3904  2756  b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe  83             5
  PID 3904 wrote to memory of 952   3904  b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe  86             3
  PID 952 wrote to memory of 2828   952   omsecor.exe                                                               88             5
  PID 2828 wrote to memory of 1252  2828  omsecor.exe                                                               97             3
  PID 1252 wrote to memory of 2172  1252  omsecor.exe                                                               98             5
  PID 2172 wrote to memory of 2760  2172  omsecor.exe                                                               100            3
  PID 2760 wrote to memory of 3232  2760  omsecor.exe                                                               102            5
Processes (tree; depth given by indentation, each entry shows image path, command line, PID and triggered signatures)

- [1] C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe"
  PID: 2756
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
    command line: C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
    PID: 3904
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 952
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2828
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        - [5] C:\Windows\SysWOW64\omsecor.exe
          command line: C:\Windows\System32\omsecor.exe
          PID: 1252
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          - [6] C:\Windows\SysWOW64\omsecor.exe
            command line: C:\Windows\SysWOW64\omsecor.exe
            PID: 2172
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            - [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 2760
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              - [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 3232
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

              - [8] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 256
                PID: 3544
                - Program crash

          - [6] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 292
            PID: 2000
            - Program crash

      - [4] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 288
        PID: 1976
        - Program crash

  - [2] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 288
    PID: 3184
    - Program crash

- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2756 -ip 2756
  PID: 2872

- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 952 -ip 952
  PID: 2736

- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1252 -ip 1252
  PID: 1648

- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2760 -ip 2760
  PID: 4316
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 96KB
  MD5: a0d3009039e3348404df0f46c9f9a4a4
  SHA1: e51e8d5a68ec8e2e4323d933dfb54725632c204b
  SHA256: 0aa46de08152bfc6d1a9daaf300822138377cb920a3940f3683c0c64f5ba63a3
  SHA512: 6b2dce891c399b3ea33e1cc25acacfe2047e798b9f389653960c7bc793fbf4172f90df1a834d875e78d260b1b718e9a82bc625881f7e5d0544e92aa3d6a00a52

- Filesize: 96KB
  MD5: b30ed9cda57812d61a9088c0d1328b2f
  SHA1: d65d2fd9af0c7b86851105e58e62780b5cc88e3a
  SHA256: 3430b32c66561d387786d39ba967e508329450392d8569ff0a6bd90e845ce47e
  SHA512: 8c563ad59a29c798f3f11c7102a4c3ca328efa4cd5ee43fc1142ce24c76ca59a72ec517dec36d30ec8ce64249e0b53a4434cbe1a20d90776088095a9d11c28c0

- Filesize: 96KB
  MD5: 63e844ec0eecd8cc5abfbae848532659
  SHA1: 33cf9b08004cf818ae9583b410a4581927e7514d
  SHA256: e369fee082ccc59f5f4a8f85d7ba8fdac50ab40b9adfa81c5c33363e3b679df5
  SHA512: f403d2fb1a33cd64bc9ef28455512e27acc7e5757ca4571f5af78ed445d9d19fe464a3f7e0180f89f32fb6baeb7c759b8f0d8092b4e2719ed6a22ebb33346746