Analysis

max time kernel: 116s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20250207-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/02/2025, 22:05

Static task: static1

Behavioral task: behavioral1
Sample: d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
Resource: win7-20241010-en
General

Target: d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
Size: 134KB
MD5: a5a67f612b5a17a66c725b8269528500
SHA1: be4760955ba37cf1506dbea0fcb47601a8a28e16
SHA256: d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287b
SHA512: 420c515f8b90f90b6a0a2845ab173e3298ff8bf248b36abcb61a176bd8ec03d4343f55076a8c1b866f6319004cd5553123a502ffe9cc22e6d8338adcfd00d67d
SSDEEP: 1536:MDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiH:yiRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config

Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Downloads MZ/PE file (1 IoC)
  flow  pid   Process
  48    4928  Process not Found

Executes dropped EXE (6 IoCs)
  pid   Process
  1460  omsecor.exe
  1760  omsecor.exe
  1028  omsecor.exe
  656   omsecor.exe
  4968  omsecor.exe
  4468  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                             pid   Process                                                                  procid_target
  PID 4564 set thread context of 1404     4564  d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe  86
  PID 1460 set thread context of 1760     1460  omsecor.exe                                                              90
  PID 1028 set thread context of 656      1028  omsecor.exe                                                              106
  PID 4968 set thread context of 4468     4968  omsecor.exe                                                              109

Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  668   1460        WerFault.exe  88
  1796  4564        WerFault.exe  85
  2584  1028        WerFault.exe  105
  2164  4968        WerFault.exe  108

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MicrosoftEdgeUpdate.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2420  MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory (29 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 4564 wrote to memory of 1404     4564  d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe  86
  PID 4564 wrote to memory of 1404     4564  d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe  86
  PID 4564 wrote to memory of 1404     4564  d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe  86
  PID 4564 wrote to memory of 1404     4564  d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe  86
  PID 4564 wrote to memory of 1404     4564  d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe  86
  PID 1404 wrote to memory of 1460     1404  d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe  88
  PID 1404 wrote to memory of 1460     1404  d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe  88
  PID 1404 wrote to memory of 1460     1404  d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe  88
  PID 1460 wrote to memory of 1760     1460  omsecor.exe                                                              90
  PID 1460 wrote to memory of 1760     1460  omsecor.exe                                                              90
  PID 1460 wrote to memory of 1760     1460  omsecor.exe                                                              90
  PID 1460 wrote to memory of 1760     1460  omsecor.exe                                                              90
  PID 1460 wrote to memory of 1760     1460  omsecor.exe                                                              90
  PID 1760 wrote to memory of 1028     1760  omsecor.exe                                                              105
  PID 1760 wrote to memory of 1028     1760  omsecor.exe                                                              105
  PID 1760 wrote to memory of 1028     1760  omsecor.exe                                                              105
  PID 1028 wrote to memory of 656      1028  omsecor.exe                                                              106
  PID 1028 wrote to memory of 656      1028  omsecor.exe                                                              106
  PID 1028 wrote to memory of 656      1028  omsecor.exe                                                              106
  PID 1028 wrote to memory of 656      1028  omsecor.exe                                                              106
  PID 1028 wrote to memory of 656      1028  omsecor.exe                                                              106
  PID 656 wrote to memory of 4968      656   omsecor.exe                                                              108
  PID 656 wrote to memory of 4968      656   omsecor.exe                                                              108
  PID 656 wrote to memory of 4968      656   omsecor.exe                                                              108
  PID 4968 wrote to memory of 4468     4968  omsecor.exe                                                              109
  PID 4968 wrote to memory of 4468     4968  omsecor.exe                                                              109
  PID 4968 wrote to memory of 4468     4968  omsecor.exe                                                              109
  PID 4968 wrote to memory of 4468     4968  omsecor.exe                                                              109
  PID 4968 wrote to memory of 4468     4968  omsecor.exe                                                              109
Processes

Process tree (indentation shows parent/child depth; each entry lists the image path, the command line as recorded, the PID, and the signatures triggered by that process):

C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe"
    PID: 4564
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\d473b502e0b7b71713870b1a0de94a37bfa68336adea76ef00ea2e0e993f287bN.exe
        PID: 1404
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1460
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 1760
                - Executes dropped EXE
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\omsecor.exe
                    Command line: C:\Windows\System32\omsecor.exe
                    PID: 1028
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\omsecor.exe
                        Command line: C:\Windows\SysWOW64\omsecor.exe
                        PID: 656
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of WriteProcessMemory

                        C:\Users\Admin\AppData\Roaming\omsecor.exe
                            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                            PID: 4968
                            - Executes dropped EXE
                            - Suspicious use of SetThreadContext
                            - System Location Discovery: System Language Discovery
                            - Suspicious use of WriteProcessMemory

                            C:\Users\Admin\AppData\Roaming\omsecor.exe
                                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                                PID: 4468
                                - Executes dropped EXE
                                - System Location Discovery: System Language Discovery

                            C:\Windows\SysWOW64\WerFault.exe
                                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 268
                                PID: 2164
                                - Program crash

                    C:\Windows\SysWOW64\WerFault.exe
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 292
                        PID: 2584
                        - Program crash

            C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 288
                PID: 668
                - Program crash

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 288
        PID: 1796
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4564 -ip 4564
    PID: 4432

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1460 -ip 1460
    PID: 1732

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjM0MjkyNTM2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    PID: 2420
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1028 -ip 1028
    PID: 4432

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4968 -ip 4968
    PID: 1500
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 134KB
MD5: cfc84a3a1501caaa91f7b5b0388eed32
SHA1: 7631a1cf9ef4b8879db9f9771a88d48842e39f47
SHA256: 92fa58f9c3f31e4056bf4ac78ea3b498aa8016432c8571db4d4b6d859bc6e7b3
SHA512: a6a2685fcd1844c3ca08df59add4a550a1eb0548044ccbd51e6d2c9046f86e3c6b95cda63de64c1f47372e7b3f3fc9e097e698c72bcd0e84740f010f5c0ed548

Filesize: 134KB
MD5: 42d9bd64ea09d414dd79cf2c3490f5af
SHA1: 0eb3b031246a1032ae48fe22c7e9fc06d321fef9
SHA256: fdd220fcf198c3a9307fe46f60bee0b1574dbc273832c110068e6dac656f0e34
SHA512: 2184d765fe48dd35842dfb6c8614478621bb4c9d5e906ce634e72f1310e583b6711264808d1a978a8ce7b2f7b642b9ef19283a1868c5c14e627c916f3aa01b22

Filesize: 134KB
MD5: 644a31088d68faa1923954aae56489e7
SHA1: 808786a48b2de2fc50c706cb784c8609ef8f8aab
SHA256: f1f7b8f9961d1dba59892f1781b6205d8200a7b64b37e40683d54a34db2d74f3
SHA512: 41efa108b9d89ccbe0e665d13ba500b342b1bb9c712b7936f0f5e51e958bfad1a1d8412245445b3aa0d3a68934e5062094413d1cbce70abb01c1fef65ff3e28d