Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
02/02/2025, 13:03
General
-
Target
b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe
-
Size
96KB
-
MD5
82ec32e61d3cc855216c94aad2018f85
-
SHA1
95032b286624fc8c10a48a2c4ec163b0d695976e
-
SHA256
b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385
-
SHA512
0b5c54953891e065906f62d65afc9f3ca7684ed7ed578ade6a7e32e6f378bca823045de58f3ee303838da179f52d98eb8f6fcc3881a6979628beab961778f013
-
SSDEEP
1536:MnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:MGs8cd8eXlYairZYqMddH13b
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe"C:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exeC:\Users\Admin\AppData\Local\Temp\b0532102e3eea6533b32da4111ab68cf3649b75f06244cb35c68c6506fb49385.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 2248⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 2884⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4892 -ip 48921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2684 -ip 26841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 740 -ip 7401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4828 -ip 48281⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5185cd751140564fc02b2c5a5a0814202
SHA146c4b43014332f30e9736d73f08b4fb37f621ea6
SHA256e87c9f8994583a0a39bbf72edaa9a60b8f069cad1c776ccbcd475f3ce8257d70
SHA5123b9f02ab350ed9ff5df43856935d5fe74a13821065a60b5236a38ce5fa622cef93135051558d48cbdebcdff242cc8d23808b77c68162686c4f8e033f1e6b0e91
-
Filesize
96KB
MD5b4edde9ecce673eb4f02b16fb9ef291d
SHA19e81626129858fc9c02e9fac95ccc592bced1b57
SHA256c94288e71549ed0d3cdc1385f7ed36eb1b4517b49411c1bf967f963cebf6bb41
SHA512d40f4fd78a894ef75e4f0a3c3e9bc6d720aa2980af72b437f144d86e28850ce4798dff1aaf2fc84fca135ccbb60fbfb18387cf83626a50e9e57906e79c67f17f
-
Filesize
96KB
MD5774b8c0d66dccbebc7ed81ed620d2be3
SHA1099098fe0e460df33524452081f532cddfa8a491
SHA2567b1c665ed702558c7eaa4bd2c4b439a2a63fca3dfc96e34221bb6c5b033d4149
SHA51274e0fcbe3f4cc231627f8d157520272a80b72d3b760d603c74b483c4a816820284a3fc084b9b630fddd8fec37c6552204fa2232d3e203e3de38dbd3920f30c51
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB