Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/12/2024, 21:37

General

  • Target

    3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe

  • Size

    76KB

  • MD5

    a4bc7c45722cf2a4f9a6759b885bad6c

  • SHA1

    a7c74bab40d8db95ad9fd9fb30dce5491f257e7f

  • SHA256

    3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e

  • SHA512

    17eb0bf4e9e3d13652c9fc0484f50a1477f840199b92715d24bf3b21be0bc670619aa64eff2a6f59fb48d25ae1f3d4abdb2fbc96acfaac247be1f9a91fcd30b1

  • SSDEEP

    768:O2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW7:/bIvYvZEyFKF6N4yS+AQmZTl/5O7

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe
    "C:\Users\Admin\AppData\Local\Temp\3d0346aa72360dbdbc61b36a0ee61c0324de0375c88bfaa4940c415f18f90c8e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3488
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2256

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    76KB

    MD5

    58e388ac9367d2739362caec7a761931

    SHA1

    4b19d103ccd07fbc56521b0245475f188e73dd01

    SHA256

    bc8ee3d7e0d86633cfcf7f1d394625618d35558b14eb1e43607b367f3c928fab

    SHA512

    fbd907ec6c1395b60ba78d87efa50f72d800f3f71eb473459515edab07ae7cba8441bc784ec642b8c07f689d14d618fa2e30f017688b8adb8e01c21bd8ba87a5

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    76KB

    MD5

    0339db149beadf21e05483499ed5aff3

    SHA1

    aace77dce9a892c04d3221d57a2d81bd4b6300bc

    SHA256

    aa8e9a6a6435c7e6ab638dc56a87c53c8fed6f20510c96fcbdd490c1ba125e44

    SHA512

    d9ae87870af02f99359e997c399bb8ac0778ac2a6bc855101b9662410307036f1eb8eee53bbb2bff7043094012a50a750bcd2c559e04fb0f27676e10e21a03a4

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    76KB

    MD5

    9d600b5ae7f08d6bfc185dd73057aa12

    SHA1

    5924daffa34bb06a0a7f105fc382e1536623eedd

    SHA256

    c657d6cd17b728d492638d50a5cbe9938d7ab578297d5226571f7a3fc594fb40

    SHA512

    2f0438837222ee77792b968c17a5df9b3e4fb752e5879a63f97909fdd52a9211891ef10a9e05ea8e218011c28e5edafb0db17ce00cdd593abbc07c1b5d9126a0