Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22/01/2025, 11:52
General
-
Target
073f024fb1923ce0297162adcfcfa2b22d568513f6942fc5a2ea5bea2885fb66N.exe
-
Size
96KB
-
MD5
cd9bbefa014cd325ab8772ae0d20a370
-
SHA1
4ffd6ac0bd71f2fc8bbaa3e690ff7ed1344a28a2
-
SHA256
073f024fb1923ce0297162adcfcfa2b22d568513f6942fc5a2ea5bea2885fb66
-
SHA512
69a56700f19f7298cf0ad599c3b4641548861e3d8d746b2043c0cc0c3a12e148b389b7a02045509e906b9bf718761b1b25367de47172665cf225e371afbf3327
-
SSDEEP
1536:HnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:HGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\073f024fb1923ce0297162adcfcfa2b22d568513f6942fc5a2ea5bea2885fb66N.exe"C:\Users\Admin\AppData\Local\Temp\073f024fb1923ce0297162adcfcfa2b22d568513f6942fc5a2ea5bea2885fb66N.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\073f024fb1923ce0297162adcfcfa2b22d568513f6942fc5a2ea5bea2885fb66N.exeC:\Users\Admin\AppData\Local\Temp\073f024fb1923ce0297162adcfcfa2b22d568513f6942fc5a2ea5bea2885fb66N.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 2568⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 2966⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 2884⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 3002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2808 -ip 28081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1352 -ip 13521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2288 -ip 22881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2424 -ip 24241⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD586d54888bafc101606184592513ee734
SHA150b61b0696f7e602be85998f24df602b4861cf18
SHA256f77a18e76c511ae8feeb8abc6b6bf2566c4add96c5f0912458f6601039be0a55
SHA51293c8840aadfb119c298db6c7807214e3a4031ae8b960d810ae0cc7f650426378d15641ab5065c3226a4e3b9e2008bafb6a6e217caa558993298f884e311bb31b
-
Filesize
96KB
MD57f4457ce53b447b679c89ade501eb727
SHA10dfd91a067053f528f37118157fffe83670152de
SHA2561f44817058135a9a9ed940e66aaabe559f7f070151d6edd09363fae86521f2b8
SHA512a42873acb9f80d87513e32607dc2f985481168639fc36532b80b69a4c9a6aa59d26b9cbeae443406a244fffe6464a4068b4d365e73fa8c7c79b8a513eb3c375a
-
Filesize
96KB
MD51bd2d95150196c42544a02e1f08eaab2
SHA1f6dd2d1a1c648c919ceef7573a72cb11eb21e687
SHA2564b6ae721ee2cb2de63924405a02b13cc839f77e5aaf60b2792f2f239f2d86e22
SHA512662122d35eda6da84baabd433f67eae0308fa3603070ded4fcd2a308e8b714e53735afac2495d07afd053e8e0c7b54a2d229e4e31f24a879c37161453119cd98
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB