Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

7a4548c16f...f1.exe

windows7-x64

10

7a4548c16f...f1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/12/2024, 00:13 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe

  • Size

    76KB

  • MD5

    58283dc9e1a09139b0de697a8ff26b88

  • SHA1

    bed5a32685e344306c973b80f675570b3ddd784f

  • SHA256

    7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1

  • SHA512

    4cc6ee9d4d4a357229ebd2cafccaa38c1bb5c1e299b391471893dd1b8f2a7054392cbbb6636208a0063c06f63ddad5ccb876abfe128d0baf058baee6909de355

  • SSDEEP

    1536:Jd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11H:JdseIOMEZEyFjEOFqaiQm5l/5w11H

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe
    "C:\Users\Admin\AppData\Local\Temp\7a4548c16f2cee1d9ccfe39a0eb8a7e1caa133c30fe3b6d8de8462ba8c4488f1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3144

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    15.197.204.56
    mkkuei4kdsz.com
    IN A
    3.33.243.145
  • flag-us
    GET
    http://mkkuei4kdsz.com/62/697.html
    omsecor.exe
    Remote address:
    15.197.204.56:80
    Request
    GET /62/697.html HTTP/1.1
    From: 133789544164513021
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=210-]kax=b5d_c4/054d9b14.5133c^1f576^00./
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Wed, 18 Dec 2024 00:14:40 GMT
    content-length: 114
  • flag-us
    DNS
    86.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.204.197.15.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.204.197.15.in-addr.arpa
    IN PTR
    Response
    56.204.197.15.in-addr.arpa
    IN PTR
    a3edc0dabdef92d6dawsglobalacceleratorcom
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://mkkuei4kdsz.com/695/179.html
    omsecor.exe
    Remote address:
    15.197.204.56:80
    Request
    GET /695/179.html HTTP/1.1
    From: 133789545032794121
    Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}Bg:idh945:9i>g693:688hc6k:<;c5534
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Wed, 18 Dec 2024 00:16:06 GMT
    content-length: 114
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
     5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
     5
  • 15.197.204.56:80
    http://mkkuei4kdsz.com/62/697.html
    http
    omsecor.exe
    466 B
     388 B
     6
    4

    HTTP Request

    GET http://mkkuei4kdsz.com/62/697.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
     5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
     5
  • 15.197.204.56:80
    http://mkkuei4kdsz.com/695/179.html
    http
    omsecor.exe
    375 B
     348 B
     4
    3

    HTTP Request

    GET http://mkkuei4kdsz.com/695/179.html

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
     72 B
     1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
     93 B
     1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    15.197.204.56
    3.33.243.145

  • 8.8.8.8:53
    86.49.80.91.in-addr.arpa
    dns
    70 B
     145 B
     1
    1

    DNS Request

    86.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    56.204.197.15.in-addr.arpa
    dns
    72 B
     128 B
     1
    1

    DNS Request

    56.204.197.15.in-addr.arpa

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    244 B
     244 B
     4
    4

    DNS Request

    ow5dirasuek.com

    DNS Request

    ow5dirasuek.com

    DNS Request

    ow5dirasuek.com

    DNS Request

    ow5dirasuek.com

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    76KB

    MD5

    eadda070ba850be2852053179dd29806

    SHA1

    42567c79508203895f211d05e950064737f07416

    SHA256

    0d56384533bee6ac5e0c299965ed608d339b1becc67f14fd0a0236dadc7f2c57

    SHA512

    a3766bc26f4d9ee40daf9e7f2d8646fc5276ac5651e820690c4cfb93e0c88f416eb6e37f182bbdac579081036f1a74f8c32e334dd788818406c10ccd032e3850

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    76KB

    MD5

    bd7253422e2cc55291f8b0a1c2be2463

    SHA1

    38f4d794f7d61a97fab59c9eb8e2072c00a3ac1d

    SHA256

    0ae4eacb6b3ffeef5cded99e818a34a9e4bc8b7bd0d27fbb573439720a3f644b

    SHA512

    937e3174fb92d2a36604c66ab8d60bc797ed3c8c6477d1a431fff242a71570cb2925f9409f0a5ba7e5eeaab01906ad283ee54c13290815917de38b7bce63af80

    Download Submit

  • memory/2084-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2084-5-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3144-11-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3144-14-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4924-4-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4924-7-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4924-13-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.