Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/12/2024, 02:53

General

  • Target

    42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037N.exe

  • Size

    88KB

  • MD5

    ad189b1ecc0e43a88777dd208ccadb50

  • SHA1

    eed594eb3de0728dbc2b4697478eb67e27c6217a

  • SHA256

    42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037

  • SHA512

    2e4353eb883bc23d3b0b1852234ca01d001e5a54a3b07a8be569209903767d663f77f4f81abfe8bb98fbf32aa282c5d6bcf3607c7867ce4e1959036f83380bf4

  • SSDEEP

    1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5R:9dseIOMEZEyFjEOFqTiQm5l/5R

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037N.exe
    "C:\Users\Admin\AppData\Local\Temp\42df003a9d56c1271b060686c57443beeca03aeb90f6f34185cbacadfca09037N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    bcabe56a5acca18bfe292b932e618f3c

    SHA1

    8b1fe6274467abd52d4fb441a34a6d714edad998

    SHA256

    421777723d481e9ec52faec607e10c36d292ebcdc897c48abc0a5795643ef940

    SHA512

    a11d40cc5e7625f01a9a7458be25e1de2ac3c410d930e7b7153a7507e1a51f77948ed09fdf129592b25b2d8e9b5c244f4ca701a57b34a20da57c8e18c7767b8c

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    fa71d1d07e3c0f6f61074e8264242f81

    SHA1

    a4dd38decd0219b81a8c7004224938b759acdac2

    SHA256

    b757e90d0fd4606555ea021eccb65449439e435f2065eb63d604605b6c700985

    SHA512

    5cdec690802dcb863a7463a5be0958b0665f8a6f3959aa0e793ba82560dbf058ff4e664832a3becf66c22576439f755e44a1d88c88d161fc53f27dc02ed84426

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    88KB

    MD5

    50f4787ef676b0bae155596a6e1281f6

    SHA1

    d49316d8d296c4c03c5f30469d7eae29088afba0

    SHA256

    e9a648996aa75fd2563a67e5ee9d79709c702d637fdce091d61328a252c286da

    SHA512

    b63cffdd081b9dcd2a1cffb5c329b62125dfa7e3762c07e2c2467165c17577d98d7fbfcdcdb3ef2267f9aa545204c43f6253b8f8dab7f4dbac30a5b40caf1f0d