Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/02/2025, 13:46
Static task: static1
Behavioral task: behavioral1
- Sample: 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
- Resource: win7-20240903-en
General
- Target: 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
- Size: 96KB
- MD5: 7445cb0dd8dc1d4cabd9881969898b10
- SHA1: b20ce716443b39f6bad665db6578fe6d9cb371be
- SHA256: 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9
- SHA512: 61383698992e232ab3d95402a14b4b3c32de2ceec71a6863d04a064e05c59994a9783373ffb138154f12caded8809cc8ab372eb8c961c83e2d6649fc64744b95
- SSDEEP: 1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:zGs8cd8eXlYairZYqMddH13p
Malware Config
Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid | Process
5076 | omsecor.exe
1076 | omsecor.exe
616 | omsecor.exe
3044 | omsecor.exe
4520 | omsecor.exe
768 | omsecor.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1384 set thread context of 3112 | 1384 | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe | 85
PID 5076 set thread context of 1076 | 5076 | omsecor.exe | 89
PID 616 set thread context of 3044 | 616 | omsecor.exe | 101
PID 4520 set thread context of 768 | 4520 | omsecor.exe | 105

Program crash (4 IoCs)
pid | pid_target | Process | procid_target
1700 | 5076 | WerFault.exe | 88
4112 | 1384 | WerFault.exe | 84
1620 | 616 | WerFault.exe | 100
1064 | 4520 | WerFault.exe | 103
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 1384 wrote to memory of 3112 | 1384 | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe | 85
PID 1384 wrote to memory of 3112 | 1384 | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe | 85
PID 1384 wrote to memory of 3112 | 1384 | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe | 85
PID 1384 wrote to memory of 3112 | 1384 | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe | 85
PID 1384 wrote to memory of 3112 | 1384 | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe | 85
PID 3112 wrote to memory of 5076 | 3112 | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe | 88
PID 3112 wrote to memory of 5076 | 3112 | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe | 88
PID 3112 wrote to memory of 5076 | 3112 | 0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe | 88
PID 5076 wrote to memory of 1076 | 5076 | omsecor.exe | 89
PID 5076 wrote to memory of 1076 | 5076 | omsecor.exe | 89
PID 5076 wrote to memory of 1076 | 5076 | omsecor.exe | 89
PID 5076 wrote to memory of 1076 | 5076 | omsecor.exe | 89
PID 5076 wrote to memory of 1076 | 5076 | omsecor.exe | 89
PID 1076 wrote to memory of 616 | 1076 | omsecor.exe | 100
PID 1076 wrote to memory of 616 | 1076 | omsecor.exe | 100
PID 1076 wrote to memory of 616 | 1076 | omsecor.exe | 100
PID 616 wrote to memory of 3044 | 616 | omsecor.exe | 101
PID 616 wrote to memory of 3044 | 616 | omsecor.exe | 101
PID 616 wrote to memory of 3044 | 616 | omsecor.exe | 101
PID 616 wrote to memory of 3044 | 616 | omsecor.exe | 101
PID 616 wrote to memory of 3044 | 616 | omsecor.exe | 101
PID 3044 wrote to memory of 4520 | 3044 | omsecor.exe | 103
PID 3044 wrote to memory of 4520 | 3044 | omsecor.exe | 103
PID 3044 wrote to memory of 4520 | 3044 | omsecor.exe | 103
PID 4520 wrote to memory of 768 | 4520 | omsecor.exe | 105
PID 4520 wrote to memory of 768 | 4520 | omsecor.exe | 105
PID 4520 wrote to memory of 768 | 4520 | omsecor.exe | 105
PID 4520 wrote to memory of 768 | 4520 | omsecor.exe | 105
PID 4520 wrote to memory of 768 | 4520 | omsecor.exe | 105
Processes
(indentation shows the parent/child relationship; each entry gives the executable path, the command line and the PID)

C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe"
  PID: 1384
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
    command line: C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
    PID: 3112
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 5076
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1076
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\omsecor.exe
          command line: C:\Windows\System32\omsecor.exe
          PID: 616
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\omsecor.exe
            command line: C:\Windows\SysWOW64\omsecor.exe
            PID: 3044
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\omsecor.exe
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 4520
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\omsecor.exe
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 768
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

              C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 256
                PID: 1064
                - Program crash

          C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 296
            PID: 1620
            - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 272
        PID: 1700
        - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 300
    PID: 4112
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1384 -ip 1384
  PID: 3592

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5076 -ip 5076
  PID: 3840

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 616 -ip 616
  PID: 2700

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4520 -ip 4520
  PID: 4420
Network
MITRE ATT&CK Enterprise v15
Downloads