Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    114s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/12/2024, 22:06

General

  • Target

    521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16.exe

  • Size

    61KB

  • MD5

    587f1c746ca05559da45ca63829d112d

  • SHA1

    879d27fad040dd1aacfe9ba47ea83bc73316e284

  • SHA256

    521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16

  • SHA512

    4692c21f0b55a04460245e3caebee339e736b258b3207cdc98c1d6e6fe80e9296fdd143a17bcc73da584a06ac8a6403773cc83a8a220833c10313b1c23f9c08d

  • SSDEEP

    1536:Fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ4l/5N:tdseIOMEZEyFjEOFqTiQmil/5N

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16.exe
    "C:\Users\Admin\AppData\Local\Temp\521e179d06bffe53e1e57b820782c0bb7f942d0e71f95a09bc7e77e4a9766c16.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    e8d9e2099ee46afd92697096e1515d9c

    SHA1

    79c62bf362801216debbbb392418c99a79d89388

    SHA256

    93b80bbfebcba602026554e7912f623bead0cd143ffa176c52afe2855b7d97bb

    SHA512

    d93731ac4cd3a215641e64cd718982903740c766a5070f5e16efaab2f3bcabd2d289a44d0f0857dd01835247d2f2b6b2ee9256bf288a495778d18c156ac1a998

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    d30091f295418f77b653e358d229415e

    SHA1

    314a990a5a3d2cc5f845d6ba7518fc2136d909d2

    SHA256

    4c1cabdaf5306eec96a0828e4fda831be6ed18579e6ccfff29a3f1e476bccc69

    SHA512

    039e4aaccf7a56ee00e8c04684d62353609628d499f6bddb059eb79bc940d50d9bde17a7260c1b21161333af0cfc689553cffd5ec08139be5341a31b6b810805

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    61KB

    MD5

    b4e80b040e8bf230c3dde36b5402eed5

    SHA1

    ddbdc3dd0d896e4b63966604d5ef3433cb782735

    SHA256

    6997a4775909e346a3e17d9665ad8f40e2c1972ac4fbc325492f805d6cbdc7d6

    SHA512

    3290bb40476a84d79401aad9cdd8ba5bee4f968cce71ae4c0f24cf01db932f4a344609d058c97e9adc08cd1f5de54c5f3e10a26be702ca5f15130053471af2b0