Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
05/02/2025, 03:32
General
-
Target
b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe
-
Size
96KB
-
MD5
81ec813a24cad85f5b97baf9787fa631
-
SHA1
0a1a7d728bac16c4ba8803e3d215805a2939503e
-
SHA256
b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3
-
SHA512
a257a07ed481d60a5a075091b75c98ecbe01e9fe84efe7b9371bba73e1829d19a3afb29d26ca017183cd924674e08fec195e0e8417d3490edd0823c8f9aaa4b5
-
SSDEEP
1536:mnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:mGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd
Neconyd is a trojan written in C++.
-
Neconyd family
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe"C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exeC:\Users\Admin\AppData\Local\Temp\b93f27f9f9a43ca52a30a2a285190dc5f48396fdc426f39c53c7a821d74051b3.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\omsecor.exeC:\Windows\SysWOW64\omsecor.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 2568⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 2884⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2756 -ip 27561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 952 -ip 9521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1252 -ip 12521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2760 -ip 27601⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5a0d3009039e3348404df0f46c9f9a4a4
SHA1e51e8d5a68ec8e2e4323d933dfb54725632c204b
SHA2560aa46de08152bfc6d1a9daaf300822138377cb920a3940f3683c0c64f5ba63a3
SHA5126b2dce891c399b3ea33e1cc25acacfe2047e798b9f389653960c7bc793fbf4172f90df1a834d875e78d260b1b718e9a82bc625881f7e5d0544e92aa3d6a00a52
-
Filesize
96KB
MD5b30ed9cda57812d61a9088c0d1328b2f
SHA1d65d2fd9af0c7b86851105e58e62780b5cc88e3a
SHA2563430b32c66561d387786d39ba967e508329450392d8569ff0a6bd90e845ce47e
SHA5128c563ad59a29c798f3f11c7102a4c3ca328efa4cd5ee43fc1142ce24c76ca59a72ec517dec36d30ec8ce64249e0b53a4434cbe1a20d90776088095a9d11c28c0
-
Filesize
96KB
MD563e844ec0eecd8cc5abfbae848532659
SHA133cf9b08004cf818ae9583b410a4581927e7514d
SHA256e369fee082ccc59f5f4a8f85d7ba8fdac50ab40b9adfa81c5c33363e3b679df5
SHA512f403d2fb1a33cd64bc9ef28455512e27acc7e5757ca4571f5af78ed445d9d19fe464a3f7e0180f89f32fb6baeb7c759b8f0d8092b4e2719ed6a22ebb33346746
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB