
Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/05/2024, 09:12

General

  • Target

    a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe

  • Size

    88KB

  • MD5

    a3c865f8aaebac9423eaacfa147e5b10

  • SHA1

    c2d70c2edee43c9e8d7cbaf29abeba333b838033

  • SHA256

    a93dc0df74c3802331cb3071a6b6fede81223aab056e9c54f72522816d4b65be

  • SHA512

    a192e7a046bef5c53475748e03bd24db95a7e4874a55606ea622f123f105e15965022a1f16ea239521f96f296439473108be993a2918b892e8ea7d2fa2ffe438

  • SSDEEP

    768:+MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:+bIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe (PID 2956)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3068)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\omsecor.exe (PID 2856)
        Command line: C:\Windows\System32\omsecor.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3004)
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          • Executes dropped EXE

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    2504d2a7777077f3afb7fb7df1ec343e

    SHA1

    c26d2abec5b105256d029b5c4698a51365b418d4

    SHA256

    f62894e7bad95d59d5878c2dbd7c156190007222c17931d2e4be6698ec5b7dba

    SHA512

    b13d014e232c9b1bbdded3d7dca2b41f6d16e7198ea4138f213f4129d7f8ae78c15169a5dbcea6bb826ec8707859fe6d84b767ce2a61f673244fe6537785b6e9

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    73184ee3eae4e13d13183214d8d8ef4b

    SHA1

    150d80fd00f4816596fb031b718bd93bfad935f3

    SHA256

    0b6d359d91e23e90581414fca728660e08d702a3d4d1f5cc2a11f0d1fbbb2c5c

    SHA512

    ba540f16534e6516ada3930f7f9da054bb3d1daff120389ca3a8f9f1ef3594a1e7d3a349725f50785a454241ca57fd59bee355ca79ebbd717d5f675dbc15bd9f

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    88KB

    MD5

    b3f92ceef0d100db3ae185fec261a8dc

    SHA1

    435fd1da08c5b7772123a7bb6961b66143e2bb54

    SHA256

    855c209b5026ae7747b5cc93d1afa56e2efa02b16ae253a85178a4512374b511

    SHA512

    a62ff457123a38333cd2e6673e8f25a86abc1aeb83d654b627837d9cfe22d7000d7a016906366d03f8ea75a926e4179de90afefd719dcb1608153df565b295bc
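The indicators in this report (the three C2 hosts under Malware Config, the omsecor.exe drop locations in the process tree, and the SHA-256 values of the dropped files above) are the pieces a responder would hunt for across a fleet. The script below is an added example, not part of the tria.ge report or of the Neconyd sample, that turns them into a small matcher and runs it over constructed proxy-log lines and Sysmon-style file-create events. The log line format and the event dictionary layout are assumptions made for illustration; real telemetry will need its own parser. One caveat the tree shows: the child launched as C:\Windows\System32\omsecor.exe actually ran from C:\Windows\SysWOW64\omsecor.exe, which is the normal file-system redirection for a 32-bit process on x64 Windows, so the path match covers both spellings.

```python
"""IOC hunt for the Neconyd sample in this report.

Added example (not from the report or the malware). Indicators are copied from the
report; the proxy-log format and the file-event layout are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's configuration.
C2_URLS = [
    "http://ow5dirasuek.com/",
    "http://mkkuei4kdsz.com/",
    "http://lousta.net/",
]
C2_HOSTS = frozenset(urlparse(u).hostname for u in C2_URLS)

# SHA-256 of the three omsecor.exe copies listed under Downloads.
DROPPED_SHA256 = frozenset({
    "f62894e7bad95d59d5878c2dbd7c156190007222c17931d2e4be6698ec5b7dba",
    "0b6d359d91e23e90581414fca728660e08d702a3d4d1f5cc2a11f0d1fbbb2c5c",
    "855c209b5026ae7747b5cc93d1afa56e2efa02b16ae253a85178a4512374b511",
})

# Drop locations from the process tree. System32 is included because a 32-bit
# process writing there on x64 Windows is redirected to SysWOW64; the user
# profile part of the path is left open so any account matches.
DROP_PATH_RE = re.compile(
    r"\\(?:appdata\\roaming|windows\\syswow64|windows\\system32)\\omsecor\.exe$",
    re.IGNORECASE,
)


def host_of(url):
    """Hostname of a URL; bare domains (as in a DNS log) are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname


def hunt_proxy(lines):
    """Flag proxy-log lines whose requested host is a known C2 host.

    Assumed (constructed) line format: '<ts> <client_ip> <method> <url> <status>'.
    Lines that do not fit the format are skipped rather than treated as hits.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        host = host_of(url)
        if host and host.lower() in C2_HOSTS:
            hits.append({"ts": ts, "client": client, "host": host.lower()})
    return hits


def hunt_file_events(events):
    """Flag file-create events by dropped-file path, by SHA-256, or both.

    Each event is a constructed Sysmon-like dict: host, path, sha256. A hash-only
    hit catches the payload renamed elsewhere; a path-only hit catches a repacked
    build that the hash list would miss.
    """
    hits = []
    for ev in events:
        why = []
        if DROP_PATH_RE.search(ev["path"]):
            why.append("path")
        if ev.get("sha256", "").lower() in DROPPED_SHA256:
            why.append("sha256")
        if why:
            hits.append({"host": ev["host"], "path": ev["path"], "why": why})
    return hits


# Constructed sample telemetry: one infected workstation beaconing to all three
# C2 hosts, plus a renamed copy of a dropped binary on a second machine.
SAMPLE_PROXY_LOG = [
    "2024-05-26T09:13:01Z 10.0.0.15 GET http://ow5dirasuek.com/ 503",
    "2024-05-26T09:13:02Z 10.0.0.15 GET http://mkkuei4kdsz.com/ 503",
    "2024-05-26T09:13:05Z 10.0.0.22 GET https://www.example.com/index.html 200",
    "2024-05-26T09:13:09Z 10.0.0.15 GET http://lousta.net/ 503",
]

SAMPLE_FILE_EVENTS = [
    {"host": "WS15", "path": r"C:\Users\alice\AppData\Roaming\omsecor.exe",
     "sha256": "f62894e7bad95d59d5878c2dbd7c156190007222c17931d2e4be6698ec5b7dba"},
    {"host": "WS15", "path": r"C:\Windows\SysWOW64\omsecor.exe",
     "sha256": "0" * 64},  # repacked variant: path hit only
    {"host": "WS22", "path": r"C:\Program Files\Vendor\updater.exe",
     "sha256": "855c209b5026ae7747b5cc93d1afa56e2efa02b16ae253a85178a4512374b511"},
    {"host": "WS22", "path": r"C:\Users\bob\Downloads\report.pdf",
     "sha256": "1" * 64},  # benign
]


def run_hunt():
    """Run both matchers over the constructed telemetry and return the hits."""
    return {"proxy": hunt_proxy(SAMPLE_PROXY_LOG),
            "files": hunt_file_events(SAMPLE_FILE_EVENTS)}


if __name__ == "__main__":
    for kind, hits in run_hunt().items():
        for h in hits:
            print(kind, h)
```

Matching on the host rather than the full URL is deliberate: the extracted config only gives the root of each C2 site, and the real beacon path is not shown in this report. The path regex is anchored on the filename so a legitimate binary that merely lives in SysWOW64 is not flagged.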