Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16/12/2024, 23:15

General

  • Target

    315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe

  • Size

    80KB

  • MD5

    4cac4da6513b2494ea90fea579d6c2a8

  • SHA1

    0edede44656cabc718bc91805f135563d7b6f452

  • SHA256

    315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d

  • SHA512

    ec0d57d1baa87dde2cbfa37472dc961980691a278d147f005544e2cfaab710a633fdf01a1f65b169ff06f7faa74a2038343434ff43d23e0259cef5d8abf42144

  • SSDEEP

    1536:Wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzr:udseIOMEZEyFjEOFqTiQmOl/5xPvwv

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe
    "C:\Users\Admin\AppData\Local\Temp\315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    829f0322839e78ded1df12fe0335527f

    SHA1

    7877c149c9ff6792cd4c0cfbbfaf4897dc72a465

    SHA256

    21f4612a0adb5307edac6542ed828a6a0b5b76b41ced4bd74f1a9fa914a5822a

    SHA512

    add7189d16d66391416348569ef232761c44ee9bcf81a58f52e944d0dbbb38f937a9a0d9213deddfda27616c3f160d4dac64a9cc1d5dc783581feb45c27676cd

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    79127e8972251ca0ecd35ac7bf1643f5

    SHA1

    10e26002f133ead23d634b7c38801efd8ed11255

    SHA256

    b02ddfb47b550577d6934a41b7ae09cca0eb8bb3f17e7a827dd9c87e3ec4d14e

    SHA512

    f939919be84fb5f6b5f55fd530d7c98a70bcea970dec653ce21983b2a76e982031c178022068699d4c1203d36119692cb1dac2e8652eb8db1df45f03b7accd6b

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    232efd73fb1e4a9b038b5b061f1fd9a1

    SHA1

    73ae8f3082e540413f7710030396b7c25ffcb235

    SHA256

    2c34756a08e4440790bcea474e5e4f7bf7f3e98d5c225a80c9d46c81b91afc4f

    SHA512

    09df689f4de2c5a7ef786e302facc4c26ba2e207fca4cd19d5928b4fb3e7b9ed59678b3922623ca2976d411e1457a7e167a054beefe270f0e8c59d440e1d1da2