Analysis

  • max time kernel: 149s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15/12/2024, 20:52

General

  • Target: 2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe
  • Size: 61KB
  • MD5: bae8f8153cca690a28d4f9994d01e1cf
  • SHA1: dd7c227d54c3cd18f78f5311aaf60b63e278b97d
  • SHA256: 2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237
  • SHA512: 4730e80d64dac2ee3e6697560fbe51a8bbd823f89bd924bc66a02281bff91c451a05d30c313f31e4941f683fcabcde6918f96da0d7a76ccd67fc704048c19707
  • SSDEEP: 1536:md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZWl/5n:edseIOMEZEyFjEOFqTiQmUl/5n

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE (3 IoCs)
  • Drops file in System32 directory (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe
    "C:\Users\Admin\AppData\Local\Temp\2e12be0b08f4d6d4fb59bc6b580e1d703e5245c3f3ec1c1d4430891f7fb32237.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize: 61KB
    MD5: 75a817e6678b19f376d2eca41a1f52c5
    SHA1: 779c8b102c141172fb6fb6095005ef65253731e0
    SHA256: bf76638ddd6e10b3d8b378ddeb0d68fdd1589dda0d4935dc0bdc9353d5654eb6
    SHA512: 6e57ded03326e46c3092e52100268c4a283897a04dc2164528214327c2c022c04b51e347a83af76e14b13b50c8b9b4468d5006a7b85e49333ecf0b0a858024d9

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize: 61KB
    MD5: b1095243c21a2d8437fa46cd1cbb2b15
    SHA1: b80673cf7fd2ae0d6553c4678008d208244e5091
    SHA256: 6c7854c03c1ffb5c25ccaa0a275c245bc0527bde60d5d71784b0765840bd7e29
    SHA512: f735b8b6b592b578b6de1053e215f5fb3061d448220f02124957d9d8e5f9d545723db860084794c550d6c8533b018ef0857377b7018fe513b3581d83cb0f5be6

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize: 61KB
    MD5: a5da81ac5436e509e752ad9347e0dd07
    SHA1: 8b196954d0f293679109e514a76c8eda371e35cf
    SHA256: 6208063c06771dadfd93e728f54e4093e35214529ab3255b29b611021c5acc2e
    SHA512: c2a28aaa46f2914c42666dc923e7a1a60b96843e0e715abfebce049caf6314a9368769a531309aaaf6dfa269f44a4dc88cc156a359f4421349017a2ff4a08b01