Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    12/05/2024, 15:16

General

  • Target

    23ae0965995ed3c4551e9ca3503b8ef0_NeikiAnalytics.exe

  • Size

    88KB

  • MD5

    23ae0965995ed3c4551e9ca3503b8ef0

  • SHA1

    38cdaf5c6aaf3fc7d3cb0340e67ed6ffbd67347c

  • SHA256

    17c185a2c0d7db1ad1c29cd637557674967baba5584f095035bc49c9cdd31041

  • SHA512

    e3ea2d146f38bde923f46a19f983a5bc456677a7710aa8d90f9112e21a50e54d9c372b794151539d2f0cf31d2e9acedf2c1bab1dfd2ed46ca89f287209cd13c4

  • SSDEEP

    1536:id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:SdseIOMEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23ae0965995ed3c4551e9ca3503b8ef0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\23ae0965995ed3c4551e9ca3503b8ef0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    e0af0f522407bf0d3a5908c550e1e89b

    SHA1

    53344131048130c981046a5c0ba6e07b5fdbdb81

    SHA256

    c3455cd6518f7616fbdebad881b1505c51979a57476e8cdbd5924fd951498830

    SHA512

    44ede6b5f41b244fc1da1b6e2d4bdfa8d9c66adbead2d5437edd1b0e2f403458940d0da13ef63aef7f589f107bc7bf42b85645e76ab60307ff1819732493da8f

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    d339ca2e0d8d3130c53b749c572b9087

    SHA1

    b740cf77fdf9d32969b148f97849787df5f4970b

    SHA256

    170cf4f4b03997ca341e95073eac9aaa89fd90e81bd31ca0665a1a25d55fe8ac

    SHA512

    89bd7044e9b0ac5d27ddc7e0c29a8431585c89074ed1b6c35ff2fb272f57d8ca4d253c79773668dafc65b1e89ee7880ceccc77edd024103f17789bf2546015d2

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    88KB

    MD5

    f84c9a64a0890e052a966ce611e6ad1a

    SHA1

    d5423a5204c1c3c4be221f8500b8dd1357fecc67

    SHA256

    75599f657a80adc0d45c491256e279c49404aaf1d852400cfcc38b7aa7f25856

    SHA512

    9cbad1b30a86a84830f8bc3195e302c3fdeda0cc1c4fc4fdaead88b580a57e0031bc154343b7ed1f5ad44f953ba157f83b556628cfe26062dc398501790d41a6