Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/12/2024, 23:15

General

  • Target

    315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe

  • Size

    80KB

  • MD5

    4cac4da6513b2494ea90fea579d6c2a8

  • SHA1

    0edede44656cabc718bc91805f135563d7b6f452

  • SHA256

    315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d

  • SHA512

    ec0d57d1baa87dde2cbfa37472dc961980691a278d147f005544e2cfaab710a633fdf01a1f65b169ff06f7faa74a2038343434ff43d23e0259cef5d8abf42144

  • SSDEEP

    1536:Wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzr:udseIOMEZEyFjEOFqTiQmOl/5xPvwv

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe
    "C:\Users\Admin\AppData\Local\Temp\315953fbb913441159adea85d6d5139b8f633d99b26e28d76b4db2618f69a11d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    829f0322839e78ded1df12fe0335527f

    SHA1

    7877c149c9ff6792cd4c0cfbbfaf4897dc72a465

    SHA256

    21f4612a0adb5307edac6542ed828a6a0b5b76b41ced4bd74f1a9fa914a5822a

    SHA512

    add7189d16d66391416348569ef232761c44ee9bcf81a58f52e944d0dbbb38f937a9a0d9213deddfda27616c3f160d4dac64a9cc1d5dc783581feb45c27676cd

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    eee91782497f7f31e10749ceef31464b

    SHA1

    490b7fa7de48b286522f27e57b55daf14b97a6b7

    SHA256

    dc0aca5d8277d317637a1f2c810ff69ceb2581ed0e8a58fc48da9733f3cd89f5

    SHA512

    cbbd41668b675d24d2bd47d24a527af2825834e72004d5911e7007c9cd640ed49ac28799b46c9ccc461fe656459c92169955a5d5478411b3d8a6091964b03e02

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    dd482cc98f54a77c0ec0819e02b04714

    SHA1

    cd59e1f55b44263fd264b344962b54ef4441e59c

    SHA256

    bfca5d9d920e9fbb57d4891dc92d6a8f72bbc8e6d28ea44a3552408e2bac26d4

    SHA512

    fc3cdc955432e8334f31bb62e647d4993c0dae5879fcda4360351614326881b2aefb6528f54536e8a1cffe48b34b91e9418c93f23e0a62eb8a4cbc452cef9ad6