Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ade1d2d53b...f8.exe

windows7-x64

10

ade1d2d53b...f8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/01/2025, 20:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe

  • Size

    80KB

  • MD5

    2280a07398f9229442d8919d4c3322d2

  • SHA1

    6b2168f604b5536f8a8b79c93edacf5fa5614d8d

  • SHA256

    ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8

  • SHA512

    f783a9234a6b9d461192e3843c1a803ecb68eb667ddf5b273d9bfc484290d895b828b228d39b59b07f92a4efac627fcc560183b2cbb3917ec37b193b64227c56

  • SSDEEP

    1536:0d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwz5:MdseIOMEZEyFjEOFqTiQmOl/5xPvwl

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe
    "C:\Users\Admin\AppData\Local\Temp\ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    80KB

    MD5

    64efa7b9e6ff61e955ebd00c872a3584

    SHA1

    4735f167299693ba8e9f9d8bee780f69acbdeb8b

    SHA256

    7b5dc447e1273b6754678ed977fa3b5e5b96b5207da7df83ca2847bce9502ba8

    SHA512

    905dcfb5792212c1e6763cc43253cde8a2c9ac0e8ba733e8079663521d48fee3b4907812a6cf3596de36ae39c0edecfb2cefaa1af35ee6c222bb594e9cba360c

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    80KB

    MD5

    8985a3c9fbe20fd797ca56c493d1c263

    SHA1

    ad0251225017e8e562b8219462835b819ee489a8

    SHA256

    f0ee05631809635097730be3465cb2f3a1f2b5afeec073025e0ac56121c24dd6

    SHA512

    57b6930343bf13105dc30461edffdd94243c17d26a09442c6da55578ef564606425e94a202b7e57c50679803c7a1bc73f018a590d29c876e1fa01c136f5c24cf

    Download Submit