Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    11/12/2024, 20:00

General

  • Target

    19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe

  • Size

    96KB

  • MD5

    04b6069c77fed76c7be2a0c8e8f5d31c

  • SHA1

    1154753584936c70bb37eeab1d8b8ec6aeed1721

  • SHA256

    19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33

  • SHA512

    91fe0dcb515cb04e0a829c25cddf10e15491f64fc419bfa45ffbac1402f5779926720cadb7629808990c1f16d36b3f257034d9d832c31cf3274d3be10e2385c0

  • SSDEEP

    1536:jnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxO:jGs8cd8eXlYairZYqMddH13O

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
    "C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
      C:\Users\Admin\AppData\Local\Temp\19dadf7bf2ff58f63a4548eb89904520e0a2368628b8a38fe4d49ddaf5dbcb33.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2952
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2132
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2036
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:908
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    e678be7f39536f4d6a8aec90c0b1b247

    SHA1

    6de6975a9b87a1f566afbb15eed1e6d9462e4629

    SHA256

    805a77fb8e6f5b0cb0df4f89649224aacb937a9178be576a27553d6558f88ca2

    SHA512

    17eea96040be28e169869b3be0c81d65eec32d14c0c0645ca1574ee9e3b74f5cc79b7987b2234e399dec0514a8d1ed5f54c84e741488e72e243609e4f75321f2

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    c746ce0ecb66b122a0dd555e7c0d3c31

    SHA1

    2d4edf0e01816a46d20cc9c9e2b2fefce29f1850

    SHA256

    e7e14458cba80e180d5257529ffa410d2903a25c353a04041abae94a6b48c075

    SHA512

    647410e543329848cb63faaba3b7b4159922649dfd575b8da2c6e82be72026a74ad4b0133d62a62702b46c1dd9b89de169d1ae67dfe0e8a19222f9f4f369de6e

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    181c75c279be34b4d35a1b2074881ad3

    SHA1

    7176eea8f16a41f09473b8e1d791a166a967874d

    SHA256

    c1b25d2c2bba74769493173f4a50591385f1ce0fac4dc6b7b9bf32d46ad8739e

    SHA512

    039a488a47617f90a6b05c88ac515216653c4eef4c19698c273b339ef504d5ccf7ae5b11a0960d35462680e1fbf1ceedb93c8bf286aed9e49749bee46479b525

  • memory/908-83-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/908-91-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1632-33-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1632-24-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2036-80-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2036-81-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2132-68-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2132-59-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2340-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2340-8-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2340-11-0x00000000001C0000-0x00000000001E3000-memory.dmp

    Filesize

    140KB

  • memory/2464-93-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2464-96-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2572-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2572-20-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2572-18-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2572-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2572-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2572-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2572-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2952-46-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2952-49-0x00000000002D0000-0x00000000002F3000-memory.dmp

    Filesize

    140KB

  • memory/2952-57-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2952-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2952-40-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2952-37-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB