Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01/02/2025, 10:09
General
-
Target
9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe
-
Size
134KB
-
MD5
7e24c5ea6b190011e71e9cac4f7595d0
-
SHA1
de15ef57cfe63e8632279ed147b4f74b8bbc9f4c
-
SHA256
9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2
-
SHA512
da2bececc40ae17401bda67c97b6ab3f2215940fb6d5e6052e7549c7f0b50a31eb8a1c1c977a1cbf7e58a4bfbf32f788851a74397b438faf6881b54a40a43006
-
SSDEEP
1536:7DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCid:3iRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe"C:\Users\Admin\AppData\Local\Temp\9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exeC:\Users\Admin\AppData\Local\Temp\9bc42851c88a5c5b61088796b5a70a95d5022c615545f9dbb369d3cae99f1be2N.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 2568⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 2964⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 2722⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5088 -ip 50881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 896 -ip 8961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1764 -ip 17641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2720 -ip 27201⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD500da085700945004288dc7dc71274f16
SHA1661d184c57fc0ad65c69572d263c34fd740dc2f9
SHA2566f0c5b412b2212c809c6bbc93a4257e75e1f746fc8675f0eebcf51dd51ebab92
SHA512cd7eff6f9b89d17a955ffc2a09482b266270114a31578cfa5deb6fc21d6b24d879720fe596a661d9fa65503e7d2017c967ba30194ccbca1187eeb8f3b0391c68
-
Filesize
134KB
MD5ddb1ebf28d678b17251adfde4c4dce7c
SHA100e06e873f93dcbc219ae611e1736ad414976999
SHA2561c2cc2e3dab03fa8b2e17d99727fcdcdf2875ba98169dbbe86ca800caa1d8fed
SHA51201752ad6461e06e0d023f6a2dc1f02b6c02091ffc45e5b0f768de51d71ed6a6dc84a78ff40f8f6c810d294f4d7d3a214ef546e4136b8bdb15e70ea4b6506bb78
-
Filesize
134KB
MD538b98a0cf8bd6c3e328f8bb9777762e0
SHA1a8e690cb58655b17a023972efc33ec06a090e8db
SHA256002287ed5e642aa8b60a955f2383c26ad79b494e36fef3bad1c9f69c82ffd258
SHA5120517214abb6d5794c8ba9e8d2c08bea71b50695a921b81a78e2cdded681da3bcc6ec197aac6cf4c3439ff74e08136b37c9e84efdc57c3b3d44c89de415315bfd
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
144KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
144KB
-
Filesize
144KB