Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    26/12/2024, 16:19

General

  • Target

    24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe

  • Size

    89KB

  • MD5

    bbc94aacd015ca2f333cdd6830a88520

  • SHA1

    e70f0f5184d16f9094ddb4826be8f2fe85b0c6e2

  • SHA256

    24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8

  • SHA512

    2300af48bd6e724b2015c12a05ccbe17383d703a109cae0ff68ef1c42fb0ba3b3921006fe5e7594f7467598fcde76f31e135c8f99efb7dcd14528aa610897f78

  • SSDEEP

    768:V2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA1:V2bIvYvZEyFKF6N4yS+AQmZTl/5d

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe
    "C:\Users\Admin\AppData\Local\Temp\24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2296
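The tree above shows the sample launching a copy of itself as omsecor.exe from AppData\Roaming, that copy launching omsecor.exe from SysWOW64 (the command line says System32, which is what WOW64 file-system redirection produces for a 32-bit process, consistent with the arch:x86 tag), and that process relaunching the Roaming copy. The following is an added example, not tria.ge tooling or Neconyd code: it runs a detection for that drop-and-relaunch chain over constructed process-creation events shaped like the report's tree, and matches hostnames against the three C2 hosts from the Malware Config section. The PIDs 1644/1972/2148/2296 and the image paths are taken from the report; the explorer.exe and notepad.exe events, the parent PID of 1644, and the DNS names in the usage call are constructed.

```python
"""Detection for the omsecor.exe drop-and-relaunch chain and the report's C2 hosts.

Added example, not code from tria.ge or from the analysed sample.  Event
records below are constructed to mirror the report's process tree.
"""
import re
import ntpath
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

DROPPED_NAME = "omsecor.exe"
# Drop directories seen in the report: any user's Roaming profile, and
# SysWOW64/System32 (a 32-bit dropper writing to System32 lands in SysWOW64).
DROP_DIR_RE = re.compile(
    r"^(c:\\users\\[^\\]+\\appdata\\roaming|c:\\windows\\(syswow64|system32))$"
)
# C2 hosts from the report's Malware Config section.
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # on-disk image path (use this, not the command line)
    cmdline: str


def is_dropped_image(image: str) -> bool:
    """True when the image is omsecor.exe inside one of the report's drop directories."""
    head, tail = ntpath.split(image.strip('"').lower())
    return tail == DROPPED_NAME and DROP_DIR_RE.match(head) is not None


def find_relaunch_chains(events: List[ProcEvent], min_len: int = 2) -> List[Dict]:
    """Return chains of dropped omsecor.exe processes where each is the parent of the next.

    Each result is {"root_parent": <pid of the first non-dropped ancestor>,
    "chain": [pid, pid, ...]} ordered from oldest to newest.
    """
    by_pid = {e.pid: e for e in events}
    dropped = {e.pid for e in events if is_dropped_image(e.image)}
    # Leaves are dropped processes that did not spawn another dropped process.
    parents_of_dropped = {by_pid[p].ppid for p in dropped}
    chains = []
    for leaf in sorted(dropped - parents_of_dropped):
        chain, pid = [], leaf
        while pid in dropped:
            chain.append(pid)
            pid = by_pid[pid].ppid
        chain.reverse()
        if len(chain) >= min_len:
            chains.append({"root_parent": pid, "chain": chain})
    return chains


def c2_hits(names: List[str]) -> List[str]:
    """Hostnames (from URLs or bare names) that equal or are subdomains of a C2 host."""
    hits = []
    for s in names:
        host = (urlparse(s if "://" in s else "//" + s).hostname or "").lower().rstrip(".")
        if host in C2_HOSTS or any(host.endswith("." + c2) for c2 in C2_HOSTS):
            hits.append(host)
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8N.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"

# Constructed events; PIDs 1644/1972/2148/2296 and paths follow the report.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),        # constructed
    ProcEvent(1644, 1000, SAMPLE, f'"{SAMPLE}"'),                            # ppid constructed
    ProcEvent(1972, 1644, ROAMING, ROAMING),
    ProcEvent(2148, 1972, r"C:\Windows\SysWOW64\omsecor.exe", r"C:\Windows\System32\omsecor.exe"),
    ProcEvent(2296, 2148, ROAMING, ROAMING),
    ProcEvent(3100, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # constructed noise
]

if __name__ == "__main__":
    for c in find_relaunch_chains(SAMPLE_EVENTS):
        print("relaunch chain", c["chain"], "spawned by PID", c["root_parent"])
    print("C2 lookups:", c2_hits(["http://ow5dirasuek.com/", "www.lousta.net", "example.com"]))
```

Matching on the image path rather than the command line matters here: the SysWOW64 process advertises itself as System32\omsecor.exe on its command line, so a rule keyed on the command line alone would miss the middle hop.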

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    89KB

    MD5

    bb5aaf0419dbc078daf39c809a1f0951

    SHA1

    8cba83d5ce45c4c9942e720d91308a6c33549f97

    SHA256

    1265391da30a5a52fd085b53b70785b6e222a2ab7f9c62c98a7ed6d6474bb0ed

    SHA512

    b523c52ec3c4589a7c357e169898cb8e545f605073b7c2a0b581c250e93fcd2a75b829aa22f3a09fd68d8a7ffe1e523aa3be596e3d9ced3977135ebf9840e9e0

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    89KB

    MD5

    4670891243830587fb1aeb71ac487a3c

    SHA1

    cfc7735c8c8de308d99bfdbf1463b079d191cc0d

    SHA256

    b9d022ac72b7aed5a718e98ebbfc5839238023c00c30753e45964d556f58bc59

    SHA512

    c90805569d18c3e77f9e627ec8288b0ff1cfe86be59a5be42649c78f332df721f6312e55b9158edfa06110d2b941f63337d9315dc8eae5d929a6ef3aa6b27899

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    89KB

    MD5

    161d46118151af5433b078cad651a5c6

    SHA1

    c1161dc31a2788a58d4c6198caa1a58f303b3bb4

    SHA256

    897445698a6a6138b762ea61f440af29325f35459e329411ca6e4a8dc301ac74

    SHA512

    571b5a0c981fe45f143ec1a435047f5bdbae5d41ec11e9d8dd14e47017ec206184c20e8128793c885e529a86f7c5df5303cf5f6c895f587296ef322eb0511ed0
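All three dropped copies are listed at 89KB, the same size as the submitted sample, yet each carries a different MD5/SHA1/SHA256/SHA512 set, and the Roaming copy was rewritten between the second and fourth process in the tree. A hash taken from one run therefore will not match the next, while the file name, the two drop directories and the size stay constant. The following is an added example, not tria.ge tooling: it keeps the four SHA-256 values from this report as exact-match indicators and falls back to a name-plus-size match, then scans a directory. The scanned files are constructed placeholder bytes written to a temporary directory, not malware; the report lists sizes rounded to kilobytes, so the size test rounds the same way.

```python
"""Hash- and size-based hunting for the omsecor.exe artifacts in this report.

Added example, not tria.ge code.  SHA-256 values come from the report; the
files scanned by demo() are constructed bytes in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

# SHA-256 of the submitted sample and of the three dropped copies (Downloads section).
REPORT_SHA256 = {
    "24e498e6af8fd661096a4172e061efc0a6f239b2e9981d2655aa0f3bb3addcd8": "submitted sample",
    "1265391da30a5a52fd085b53b70785b6e222a2ab7f9c62c98a7ed6d6474bb0ed": "Roaming copy (first)",
    "b9d022ac72b7aed5a718e98ebbfc5839238023c00c30753e45964d556f58bc59": "Roaming copy (second)",
    "897445698a6a6138b762ea61f440af29325f35459e329411ca6e4a8dc301ac74": "SysWOW64 copy",
}
REPORT_SIZE_KB = 89          # all four artifacts are reported at 89KB
DROPPED_NAME = "omsecor.exe"


def digests(data: bytes) -> Dict[str, str]:
    """The four digests the report lists for each artifact."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def classify(path: Path) -> Optional[str]:
    """'hash' for an exact SHA-256 hit, 'name+size' for an omsecor.exe of ~89KB, else None."""
    data = path.read_bytes()
    if digests(data)["sha256"] in REPORT_SHA256:
        return "hash"
    if path.name.lower() == DROPPED_NAME and round(len(data) / 1024) == REPORT_SIZE_KB:
        return "name+size"
    return None


def hunt(root: Path) -> Dict[str, str]:
    """Map of file path -> verdict for every file under root that matched."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file():
            verdict = classify(p)
            if verdict is not None:
                hits[str(p)] = verdict
    return hits


def demo() -> Dict[str, str]:
    """Scan a constructed tree: one placeholder omsecor.exe at 89KB, one unrelated file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Roaming").mkdir()
        # Constructed placeholder content, not the sample's bytes.
        (root / "Roaming" / DROPPED_NAME).write_bytes(b"\x00" * (REPORT_SIZE_KB * 1024))
        (root / "notes.txt").write_bytes(b"hello")
        return {Path(k).name: v for k, v in hunt(root).items()}


if __name__ == "__main__":
    print(len(REPORT_SHA256), "distinct SHA-256 values for four 89KB artifacts")
    print(demo())
```

The name-plus-size verdict is a lead, not a conviction: a fresh drop will only ever produce that verdict, so treat it as a trigger to pull the file and confirm with the behavioural signals (the relaunch chain, the C2 hosts) rather than as proof on its own.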