Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/12/2024, 22:40

General

  • Target

    7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe

  • Size

    76KB

  • MD5

    ec8cb84b2c65d0f127c29133297ec8c7

  • SHA1

    8fe58ed34a15f30bfa351d1ea6bf01c7cb929496

  • SHA256

    7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44

  • SHA512

    796e0ebdd0a7488f5bff830a8bf7347feb2497d3d7f1593b65fd6f98343ea3b5c461bccf3dc039e7f9c0a60d28b9aeef2184a85c5852b37892b091821789bba5

  • SSDEEP

    768:xMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:xbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe
    "C:\Users\Admin\AppData\Local\Temp\7cd649936ef82dd2fa216cee0d480450e1bc2984ce99f02c3895c512abf11e44.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:716
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4960
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    76KB

    MD5

    1413ff2232be960e0a952939ffd56d50

    SHA1

    3e15e41e423c20fecf79d87e420150238a29159c

    SHA256

    9d6bbe17f5488de03f4e2a0ebc929c6f7aef890a17f529219152cc3658cad48c

    SHA512

    f734a8e7966c295ba17a2ccc8c851fdaabd61c601627757b33db999f1fbbe1bd75d2b64856eb1ea249e6c8be9226fc4ff2e6f612af96878667dd6fec89baefe2

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    76KB

    MD5

    55619170e69d92853a6121a63b0783f2

    SHA1

    92e2dd41a5f985e1def9f5b42df4a403d0fbddf1

    SHA256

    f81136835ed8be933f843ef5a22f7d9f3d3c9c890da4f26e4e731d04abae3872

    SHA512

    877c9ab7806aa1ff68c8bc56a1c327ffde11702821077b75129c9e6dc5eea873fa0340de577f35f6f809c040b5714b8eb69bf5e06b60430a5d6d7627de363357

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    76KB

    MD5

    0aaf16bc4b54a627211fdc63ec3dd132

    SHA1

    f3674e7309e1ad69efd2a67115293799dc608521

    SHA256

    5936345f63a4e14a1ba61f9f4b5154b772b0aad8ae6ce00d483c310908303fbe

    SHA512

    e6c1afd2d16f18884a5448488c9fc8a89b51e987e1d3c31bf0a1d7b85d3983db214726d42ea7f9bf6ef293d301f979ab2e37723d7cee9d527b5bd456c58ec4e0