Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/06/2024, 11:46

General

  • Target
    54bce660915caeec32b0702692de1dd0_NeikiAnalytics.exe
  • Size
    84KB
  • MD5
    54bce660915caeec32b0702692de1dd0
  • SHA1
    0808f6da79a2021a80cd16213341edd67ffb5e40
  • SHA256
    2d258b57b0125ffb2a18af4446d8865ce8540f4f490379f4ef162fbf0fd44a9f
  • SHA512
    388e81cd1ca2ce0b6bb1f75c7f2ea24695fd79bb2a8d7ab16788a4133f17543fd9be9e44aa5b454392565dd27079d9739e1c4ef65af7f3482666752210ce0720
  • SSDEEP
    768:IMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:IbIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10

Malware Config

Extracted

  • Family
    neconyd
  • C2
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/

Signatures

  • Neconyd
    Neconyd is a trojan written in C++.
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\54bce660915caeec32b0702692de1dd0_NeikiAnalytics.exe (level 1, PID 3024)
    Command line: "C:\Users\Admin\AppData\Local\Temp\54bce660915caeec32b0702692de1dd0_NeikiAnalytics.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\omsecor.exe (level 2, PID 3020)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\omsecor.exe (level 3, PID 2928)
        Command line: C:\Windows\System32\omsecor.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Roaming\omsecor.exe (level 4, PID 2972)
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          • Executes dropped EXE

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize: 84KB
    MD5: 68cdd576ea5b3c5728b0884d6f82f736
    SHA1: 4d24e45cd6585ef627565a348aa9b863f33b6a6f
    SHA256: dd4dfefce6c35b1adc5d691408ec122d23acf2625460724ed194824f64c0898a
    SHA512: 71f82843324a321b42f9eaeaf22fe11ffc6418256c6fee060071e52f5a8ccc51522f6427a2a0cd342d31d68ee1d9f7e7ab1bf5843cc60f1e2847d7bf341c0d64
  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize: 84KB
    MD5: a0ca85cdc500ec9bba09d0dbc18c4b70
    SHA1: d8ceb59745274eba93dc67095a3241812ee541d7
    SHA256: 914ba951049f67034f9c30d0956b7edcc30016d403c738db79ac0a1d3c18727c
    SHA512: b78ad2ba6eab6ded3d6b095feb19c18e58198d1328ca18533196a79e9a46f650e8c45263c5d3021c9a580abb5c203871db90cad5a2b4ebddeee443385b339897
  • \Windows\SysWOW64\omsecor.exe
    Filesize: 84KB
    MD5: 0540a2a04a3bcf1f3e114d8c8d46e82d
    SHA1: 966caca6b4a4b4d8ebf3ed60cafb252e2f39562b
    SHA256: d8bcc38da567ee2b401842346b21a2d1f86f3cad85b0caa46cfb09ee5790ab14
    SHA512: 347864178c02ff6a4919fe669f72c9e5f0afcedbf85f309dbdcea82e05be9e0fe306448f7d6a7125303a5c84727605149bfe7ba4b391b903e1b93effce2fad5f