Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23/01/2025, 21:08
General
-
Target
18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe
-
Size
96KB
-
MD5
b3713e03f5213be6bdd7366e5961730c
-
SHA1
9e4087a0ba8e77c162201bd559b400ad520ef3ed
-
SHA256
18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842
-
SHA512
15faab5cd6251d5dcb0454fd5251643c9d71f6e3b472e0db318da7b11229d13cb8cdf620d8fb2851bc62fc0db5fe018f3574a0cc0fc15fd7ef0884f96eeda109
-
SSDEEP
1536:rnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:rGs8cd8eXlYairZYqMddH13z
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe"C:\Users\Admin\AppData\Local\Temp\18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exeC:\Users\Admin\AppData\Local\Temp\18950759b4044717a5c028ff457af1eb524556aa634a52a1014c386458486842.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 2568⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 2884⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1548 -ip 15481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4636 -ip 46361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5092 -ip 50921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4208 -ip 42081⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD584cf20a5260621e56fe134c6ea12238a
SHA1f14dc943baf0f89e0b3ffe49eb743d4d5041922c
SHA256488da3e8da00ea033d695ad99164aff0b61d118a695d03601e6b1d1f54b79ff8
SHA512b936d60883c2c1cdfca41b5f7225ecdcc90c1ef93f0c7499653d23d63f9978070842d382d06c5e02ec2a09122f0f7fc108ccdde16cd1771d7607a98c8a1ee0a7
-
Filesize
96KB
MD53dc705843b8a411cf70ae4498fccdb74
SHA149d7acf95bc90b22e07a464ba1fbb5e9289b6ffc
SHA256a12d69cc9ada4ce3b4deb3ea21ffbae3e1abd1955ebe48a6aa1237cc2342a485
SHA512eca1bd9743e51252d2087bd9bdb7380806a3f4552f072d6d978fceff164b20ef3c882d0b45f91ac45ad2395d62c13424ea0e54d278eae2ceabaaa5d41bb2b253
-
Filesize
96KB
MD572288fd6bd4ff0bea148afcb0cbfd7a4
SHA1b494a8c33a1bef2d89f146adcf2748aee1548f27
SHA2561f5716fcc43857b855eb0ff3b7d158645d64a70162b1054bc0c85e4d9d5646c8
SHA51233b1a95b65d43559718e5505aaa5755f64e6afdc2a5cbbb97f03180191d8a1616cc45957a68268ffa6d0787bec8244f6ef271a437f749fdc275e7592fad29f6d
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB