Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/12/2024, 01:59

General

  • Target

    92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe

  • Size

    90KB

  • MD5

    4cfcc2372b0d1cec4ca5cd9de9c37d45

  • SHA1

    9296d10dcd3135c5744e32409c2c4b5340d91419

  • SHA256

    92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6

  • SHA512

    e0832dcc6b19a14e90feeb51d5ac78628294c49d75b1dacb1a68d047680d0919b6e90fd66c85e2a2c3b1abc1b233344ca79e9f07f96e30858c1c87fb929fb671

  • SSDEEP

    768:GMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA6:GbIvYvZEyFKF6N4aS5AQmZTl/5C

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe
    "C:\Users\Admin\AppData\Local\Temp\92348d638ead680ba564a500edbdd18af34c5dc1ba1d684da357bed3ac241aa6.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    90KB

    MD5

    d52fd52d4441f5ee67672390b796c4b6

    SHA1

    2443247a601ee381fdf25b181b1ef3318b978b22

    SHA256

    917b3096550cfc7ba281772450566505ef1bc9891a945dfab502a50d538f81c2

    SHA512

    be8ae7acbca2618dd502b4db203c3aedd5ffcc33709f49f7a3d4a4b84b4f258fb85fdb388540c7e05c0be5d4bd8d0c4813cef631824ce5636973016961275ed8

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    90KB

    MD5

    8dee2d8cae1e243c9808a04cc886c746

    SHA1

    c501945a7d593253b68d2e99063bf5d68fda83b9

    SHA256

    bdc917a2b628176bebdc844a510f84bc568088d971514be7fce9ae29d0f63df9

    SHA512

    bfd3a84e8fa78b0bf440417a15f0a70a4906b7685c9c0efb13f9304db2df6f3edf26690c83cddd90e45c3448f78bd86ca4dd4349f6747d043a03c6fe348c6df6

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    90KB

    MD5

    9ccf829d4e11196f79c301c95ed497ff

    SHA1

    6e8967757e1136364e0c217c1662b1d108225d4e

    SHA256

    182dbbcf3b7a64e0d5dc304d39317958441fe579194445fbe93e0b59bd3c3d91

    SHA512

    5092c0ef600119e866341c0fbfe56a46245ff7c9c611a10ddcaafc1a693543f9a734948fe399867cc40cfc3a8c92452197c3eed2ad73269b460d864b7bf43242

  • memory/2052-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2052-6-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2964-11-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2964-16-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3748-19-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3748-20-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4788-4-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4788-7-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4788-12-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB