Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
02/02/2025, 00:29
General
-
Target
1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe
-
Size
134KB
-
MD5
099abb3081d65799fc9b40e3df5cd1a8
-
SHA1
ceb4f89461297162a73acd8ffc58b56e24109d5c
-
SHA256
1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a
-
SHA512
a71ce8a1f65c9f3383d6dbc52fb9c208054bfb8cf2c0b06164325ad1764ca05cba86885a4b5f51f1c677a29966bf89626c4bda9e15e260ecd4ff12d488bb58b6
-
SSDEEP
1536:qDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCi/:MiRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe"C:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exeC:\Users\Admin\AppData\Local\Temp\1726f118cc86819c43bdcbe7d625ff051c530a2583ee07d445d6095580d9b72a.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 2568⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 2884⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1448 -ip 14481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2984 -ip 29841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4532 -ip 45321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1928 -ip 19281⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD58f71664fabd6ab31cef8e91a269e9170
SHA1693715e0cc2fb7639ece4734dbe8c5d711f2486f
SHA2560f4e4e682de0e656001395121ba9f920dc301f55e9a1b828b19cbdb3587d57a7
SHA512baa5068282ebaa388197aabe92063d79b02ddca6cb8753b398a79c51eaab2b3de375358b2cf42c73d030ef1fd8f3592d7a05910ba01f4d881c67313ab7cf22ad
-
Filesize
134KB
MD5eba86746668f8d90837926342a64fc77
SHA1d1cd0e6c55f25e5de3433539b613c219ac468f70
SHA256891bb93e65898c960feb8d16067e34590b84d56da12fa24342b5d9de622deb78
SHA512fd87b1d2894ac9b62ce73cf5f6fee593b8fffbd5ba2cf54916bd66520c2832577c4d0f8562fe1f171facb7e1091a9f768cff8be021d6fa3bd9de816a768566d9
-
Filesize
134KB
MD5c2d8ad8c9b5f25e68e618aedd4aedaf9
SHA172a2866e9a665ec660894cab155665f61dc06009
SHA256a593a5ecfdbaae5bf719a0cf003ed1d167db06ccc85324856912efa0f55e64f4
SHA512a6466da9fd5b6d8d3658b456f778ad164dd71166d97ad3704d3c9fb2b9496ff7a9179ba7fe5cade53bae61648e48e2b1c671761cd7c0e6305eeaa8497066dc2d
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
144KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB