Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
116s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
31/12/2024, 16:46
General
-
Target
61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe
-
Size
96KB
-
MD5
f4e9b81146e3a7c76fcd136712d9be40
-
SHA1
e7cffad0e338c3f13e179bc3920d40c144d0d3ed
-
SHA256
61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0ab
-
SHA512
4c3cbd65c12714a99d99e49aa5881c0c0b2bc11587a996df34b052754bd0643af83239087659ddd2458cb92f247109b60a40f65f66d4e716a294956d0f4fa8c5
-
SSDEEP
1536:inAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:iGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe"C:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exeC:\Users\Admin\AppData\Local\Temp\61321ac128d3d5dbb22385e8d5880c9527d4c1c59873bac01223cc2d62e9e0abN.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 2568⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 2524⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4460 -ip 44601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5064 -ip 50641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4452 -ip 44521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1680 -ip 16801⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5f4f5a3accfc71dc1a2589a832ce3f872
SHA1689b37479b652ef79e85cf9acc8c71f2235ef497
SHA2568cfd85b6f508b454e3878aeea00d3fe168e0b0d5dda868e9cf375943759dd367
SHA512a01f3580b78db6033d4ab04901e3e1f4d4b1450d31525d992a9751ef38eff76df131f08e0247537fc851206b099c546357d40212f929132c397af43adcc2c90a
-
Filesize
96KB
MD5ade8001189cc18070d30d77c5dfdce99
SHA19b33f7b3971ccec383efbff6d30b7a5346b63360
SHA256934d37f15847e569564c9321e60a5f85212c6fa8c63bf2f426e7fad46f47d800
SHA5127f3c4f498d188d4fc4a4a6587e9992b9284d4e7eeb4d4f37610add4aa4b58b2a2f0d18692bde1a3d0f31a8561cc3b3c0db8907d6e28c7231469b080a2ae9fa2b
-
Filesize
96KB
MD5b352dbb18f490174a32a30577b3d9f36
SHA189263e5b2018280ace4eeb6641c411bb42d5794c
SHA256064fe206bf1ca341af26a44f5d5106594d30d86d9edfaadf08fc8d756ecb6043
SHA512a3ae710c942d8c9bb12f56151eb344a0d9672d70dd97d60c62fb6ea2fe200ce4d95dec1813041520ae09ff176ec97c3f011e7c45f8445ab02d5ed881fd67332f
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB