Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/02/2025, 07:10
Static task: static1
Behavioral task: behavioral1
- Sample: fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe
- Resource: win7-20241010-en
General
- Target: fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe
- Size: 96KB
- MD5: aa88acfb7a9968aa6855bdcd044b8bad
- SHA1: 95d1dfdade216b01efe0cfd38445619180da0a82
- SHA256: fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d
- SHA512: 6220d7d5c6cbd78c114e542e1374d69017ea35535056aef2a7e1fff42cff430ce269a0f3c94ae1fc96d1f34776181e835b86fac543f8db58efa5b14161550891
- SSDEEP: 1536:knAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:kGs8cd8eXlYairZYqMddH13b
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid | Process
  3008 | omsecor.exe
  3496 | omsecor.exe
  3964 | omsecor.exe
  4776 | omsecor.exe
  3384 | omsecor.exe
  4236 | omsecor.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 3292 set thread context of 3272 | 3292 | fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe | 84
  PID 3008 set thread context of 3496 | 3008 | omsecor.exe | 89
  PID 3964 set thread context of 4776 | 3964 | omsecor.exe | 107
  PID 3384 set thread context of 4236 | 3384 | omsecor.exe | 111
- Program crash (4 IoCs)
  pid | pid_target | Process | procid_target
  4032 | 3292 | WerFault.exe | 83
  4392 | 3008 | WerFault.exe | 86
  1136 | 3964 | WerFault.exe | 106
  3416 | 3384 | WerFault.exe | 109
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process | occurrences
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe | 6
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe | 2
- Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 3292 wrote to memory of 3272 | 3292 | fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe | 84 | 5
  PID 3272 wrote to memory of 3008 | 3272 | fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe | 86 | 3
  PID 3008 wrote to memory of 3496 | 3008 | omsecor.exe | 89 | 5
  PID 3496 wrote to memory of 3964 | 3496 | omsecor.exe | 106 | 3
  PID 3964 wrote to memory of 4776 | 3964 | omsecor.exe | 107 | 5
  PID 4776 wrote to memory of 3384 | 4776 | omsecor.exe | 109 | 3
  PID 3384 wrote to memory of 4236 | 3384 | omsecor.exe | 111 | 5
Processes
1. C:\Users\Admin\AppData\Local\Temp\fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe (PID 3292)
   command line: "C:\Users\Admin\AppData\Local\Temp\fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe (PID 3272)
      command line: C:\Users\Admin\AppData\Local\Temp\fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3008)
         command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3496)
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\omsecor.exe (PID 3964)
               command line: C:\Windows\System32\omsecor.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\omsecor.exe (PID 4776)
                  command line: C:\Windows\SysWOW64\omsecor.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  7. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3384)
                     command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                     - Executes dropped EXE
                     - Suspicious use of SetThreadContext
                     - System Location Discovery: System Language Discovery
                     - Suspicious use of WriteProcessMemory
                     8. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4236)
                        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                     8. C:\Windows\SysWOW64\WerFault.exe (PID 3416)
                        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 220
                        - Program crash
               6. C:\Windows\SysWOW64\WerFault.exe (PID 1136)
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 296
                  - Program crash
         4. C:\Windows\SysWOW64\WerFault.exe (PID 4392)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 300
            - Program crash
   2. C:\Windows\SysWOW64\WerFault.exe (PID 4032)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 288
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe (PID 5004)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3292 -ip 3292
1. C:\Windows\SysWOW64\WerFault.exe (PID 2388)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3008 -ip 3008
1. C:\Windows\SysWOW64\WerFault.exe (PID 3228)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3964 -ip 3964
1. C:\Windows\SysWOW64\WerFault.exe (PID 3040)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3384 -ip 3384
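The SetThreadContext, WriteProcessMemory and Program crash signatures and the process tree above all describe one chain: each stage spawns a copy of its own image, writes into it, replaces that copy's thread context, and then crashes, leaving the hollowed child to carry on. The script below is an added example; it is not part of this tria.ge report and not tria.ge code. It parses rows in the shape of those signature tables (the rows, PIDs and image paths are constructed from this report), flags actor/target pairs where memory writes precede a thread-context change as hollowing, recovers the stage order from the write edges, and correlates the WerFault -p targets with the hollowing parents. The regular expressions, the 'self'/'foreign' labels and the reading of procid_target as the report's internal process index are this example's assumptions.

```python
import re
from collections import Counter

# Constructed input, copied in shape from this report's signature tables.
SAMPLE = "fa631e3a01c206a795aca1e4c24690b86560364546ce52405416436017ad746d.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
SET_THREAD_CONTEXT_ROWS = f"""
PID 3292 set thread context of 3272 3292 {SAMPLE} 84
PID 3008 set thread context of 3496 3008 omsecor.exe 89
PID 3964 set thread context of 4776 3964 omsecor.exe 107
PID 3384 set thread context of 4236 3384 omsecor.exe 111
"""
WRITE_MEMORY_ROWS = (  # 29 rows, grouped by (actor, target) with their counts
    f"PID 3292 wrote to memory of 3272 3292 {SAMPLE} 84\n" * 5
    + f"PID 3272 wrote to memory of 3008 3272 {SAMPLE} 86\n" * 3
    + "PID 3008 wrote to memory of 3496 3008 omsecor.exe 89\n" * 5
    + "PID 3496 wrote to memory of 3964 3496 omsecor.exe 106\n" * 3
    + "PID 3964 wrote to memory of 4776 3964 omsecor.exe 107\n" * 5
    + "PID 4776 wrote to memory of 3384 4776 omsecor.exe 109\n" * 3
    + "PID 3384 wrote to memory of 4236 3384 omsecor.exe 111\n" * 5
)
CRASH_ROWS = """
4032 3292 WerFault.exe 83
4392 3008 WerFault.exe 86
1136 3964 WerFault.exe 106
3416 3384 WerFault.exe 109
"""
# PID -> image path, taken from the Processes tree of the report.
IMAGES = {
    3292: SAMPLE_PATH, 3272: SAMPLE_PATH,
    3008: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    3496: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    3964: r"C:\Windows\SysWOW64\omsecor.exe",
    4776: r"C:\Windows\SysWOW64\omsecor.exe",
    3384: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    4236: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
}

# Row layout is "<description> <pid> <Process> <procid_target>"; procid_target is
# assumed to be the report's own process index, not a PID, so only the two PIDs
# in the description are captured.
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ \S+ \d+")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")
CRASH_RE = re.compile(r"(\d+) (\d+) WerFault\.exe \d+")


def parse_pairs(text, rx):
    """(actor_pid, target_pid) for every row matching rx."""
    return [(int(a), int(b)) for a, b in rx.findall(text)]


def find_hollowing(ctx_pairs, write_pairs, images):
    """Actor/target pairs with memory writes followed by a thread-context swap.

    Label is 'self' when both sides run the same image (this report's pattern)
    and 'foreign' when the target is a different binary.
    """
    writes = Counter(write_pairs)
    found = {}
    for src, dst in ctx_pairs:
        if writes[(src, dst)] == 0:
            continue  # context change with nothing written first: not hollowing
        found[(src, dst)] = "self" if images.get(src) == images.get(dst) else "foreign"
    return found


def build_chain(write_pairs, root):
    """Follow actor->target write edges from root to recover the stage order."""
    children = {}
    for src, dst in write_pairs:
        if dst not in children.setdefault(src, []):
            children[src].append(dst)
    chain, cur = [root], root
    while cur in children:
        cur = children[cur][0]  # each stage in this chain spawns exactly one child
        if cur in chain:
            break  # guard against cycles in malformed input
        chain.append(cur)
    return chain


def crashed_hollowers(hollowing, crash_pairs):
    """Hollowing actors that WerFault later reported as crashed (-p <pid>)."""
    crashed = {target for _werfault_pid, target in crash_pairs}
    return sorted(src for src, _ in hollowing if src in crashed)


def triage():
    ctx = parse_pairs(SET_THREAD_CONTEXT_ROWS, CTX_RE)
    writes = parse_pairs(WRITE_MEMORY_ROWS, WPM_RE)
    crashes = parse_pairs(CRASH_ROWS, CRASH_RE)
    hollowing = find_hollowing(ctx, writes, IMAGES)
    return {
        "chain": build_chain(writes, 3292),
        "hollowing": hollowing,
        "crashed_hollowers": crashed_hollowers(hollowing, crashes),
    }


if __name__ == "__main__":
    result = triage()
    print("stage order:", " -> ".join(map(str, result["chain"])))
    for (src, dst), kind in result["hollowing"].items():
        print(f"{src} hollowed {dst} ({kind} image: {IMAGES[dst]})")
    print("hollowing parents that crashed:", result["crashed_hollowers"])
```

On a live host the same logic maps onto Sysmon: Event ID 1 for a child whose image equals its parent's, followed by Event ID 10 (ProcessAccess) from that parent with PROCESS_VM_WRITE (0x20) and PROCESS_VM_OPERATION (0x8) in GrantedAccess. Two details in this tree matter for hunting. The depth-5 process was started with the command line C:\Windows\System32\omsecor.exe but runs from C:\Windows\SysWOW64 because the sample is 32-bit and WOW64 file-system redirection rewrote the path, so both locations need to be checked. And the three dropped copies listed under Downloads are all 96KB but carry different hashes, so hunt on the paths %APPDATA%\omsecor.exe and C:\Windows\SysWOW64\omsecor.exe, and on the self-image write-then-context-swap pattern, rather than on the hashes from this single run.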
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 24f45864b857f2f36dc0a3fd94e14f6e
  SHA1: 1f8195230867bb822656744e5e4dcdf9d19dd922
  SHA256: cd255c30af83481c5205fd3cebb410e377b2bceb0bb807d9f7c3e8462936ad48
  SHA512: bb1ef53cfc0e80aef9b2c98388d63eef1890d0067a932c21db74476a38f57306afec207db138d7522221e1dc7670652460cdc35111dd388b9f4de622c27d16ae
- Filesize: 96KB
  MD5: d78b30c514ce10800837df3433c3ac4e
  SHA1: 2b15c60ea2b057299dc3fb5372c711ab8b8ec445
  SHA256: d5414ec810a62b2b7ec7fbd70db5d537147656d2a230cfb40cc9e64e4db7d192
  SHA512: 428a4d93b1502b234994f3a019ac2e264f4c1e06137d01bdfd93e38991b2f81a8b47af6b597ef2ad6e4329bbbc98c95f141fb3a5221bb488d87c55d9403f69f8
- Filesize: 96KB
  MD5: 2107de6bef31349ebfdf97e4f2c083fd
  SHA1: 0771c695a2258c72fe0c018d2431b78c1013094a
  SHA256: b611e486b07f037d75c974e295e6878fdaebee6ea754e0b1eeec902f3d4024b8
  SHA512: 6f40781e95c27e7feb9c788968ad6c1b1012c71c39b0ee00522ef9291cb1dc7287f945c293d614693a81b0cb83afba7245890eb20963e2283230146711152c8c