Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2024, 21:34

General

  • Target

    3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca.exe

  • Size

    80KB

  • MD5

    a6a4d61642344f69842308d7d0b50104

  • SHA1

    1048ed9463d5cb12a871b47eb01a269915ac2e2b

  • SHA256

    3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca

  • SHA512

    0d7c9a7e7410cc795929dfd3473a3b45a9bafb4a9ab311720f9d6aca1b62280fa07a721e9fae4659412a2ae8e678ad47f6dd3a96091daf57ee8c8b0f0d86008a

  • SSDEEP

    1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzT:TdseIOMEZEyFjEOFqTiQmOl/5xPvwX

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca.exe
    "C:\Users\Admin\AppData\Local\Temp\3c6921867c1a38631ae82a64e0167f454cf67aee61427605f06c0be0a42e6eca.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    e3b056b70d4d0fb544150155000df78e

    SHA1

    75c6a8dbbd94521edffdd50e5ab0ca4cd8b6fff1

    SHA256

    2a854b1408f255eefe47a069f8132194f30816b6d581d17ac1102b550131f91a

    SHA512

    4796877739cd3726cbeaf5964bfbc0f6d6d666dccb97df311652320561c9ecc28a12fa08b4ecc79b393da9f1897a8aa5e28be370a3236287190fda33a7540b79

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    23e42895f0db5c89981ac2edf831e744

    SHA1

    5375a785af0a2a942afc562e62eb14c2c7166ded

    SHA256

    f8d89a95f7040300401ce5d1a7d297e7ba713d4a9af7fc163a9ddece95d14e4c

    SHA512

    661a0cab5c9b48f1db82b8c21fad8904fd2e9b3cd5955e384d8f4693ea9305d7adef424caa9c5ccda606b25a8232f63ced2fb465232f8a0900464f92cd0efb9f

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    ac5670f4ed8d7470cb5f10d0e143d361

    SHA1

    6e87650ee0c8a94bc059f3cd855935a42e13de69

    SHA256

    fc47b55077159360905004dbd7c0f0b02065e1b3fd4981ab2ee8df179e7811fa

    SHA512

    a4b1699fda60816ea4e1d4712686d99569e0ee5ac4381f5ca365d8d56fbba648381c18e8e3930cb22648f34512aba30ba348642d760d8089dd874aad6da5254c