Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2024, 17:28

General

  • Target

    9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe

  • Size

    89KB

  • MD5

    5a33e3253691cc6f38e096c9d378bca7

  • SHA1

    ca893cc11e1ac841f5a9e30e586dbb27e62ca08b

  • SHA256

    9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74

  • SHA512

    555efd1af8e049111b8f0748f7faa0664fcb73c2f24914869b3598a0194ca73994ab7b110679a90ebbbd299c66da3d65cf2e296c415ae9a711f83315eca8b748

  • SSDEEP

    768:pMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAV:pbIvYvZEyFKF6N4yS+AQmZTl/59

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe
    "C:\Users\Admin\AppData\Local\Temp\9ef94536697acaa39faea754e15f488ab748e62ddc15ba1a9ddb08a1c3622d74.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4556
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    89KB

    MD5

    fc6f0a0ace7f781105b34b94d6ccf3f9

    SHA1

    da12cb53f094a05a28bf858752052119b9fdee96

    SHA256

    9cbaf7508df962d10fae54b08ca63637ef619bbce11b514221177c4ebe9058a1

    SHA512

    e0372e6ea69d21c203c8d4a16f85f21845614830bbe600305dc9dcf6a87e1cdb57f41c0367d3561697b7b47bb14af07330fb379129f05dd90d6055096a802e53

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    89KB

    MD5

    953b5dcbee95440d38892ee7f4c84e50

    SHA1

    bad61f40f24102dc184116dbe839547816ba020f

    SHA256

    f05d38f591adb596fc1c2e257be265bb3e458d4ebf0b60920ec2558343cadc22

    SHA512

    5e9ffe005d1e3e383d9a6fc1b9892d734bd7a6ecc38b983a2136aed43aab1a0f754e277b1b66876056925fdd6b584b545ccddb5a0fe9bc1ac7b2b1a89becd0c4

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    89KB

    MD5

    cc2f8ef9ea3f85f5af7418125f3a27cd

    SHA1

    c1b8f6a6a20786683542da94005db1b70fdbcc04

    SHA256

    2dcb0e4459567d2ec3b75dceccad64b5da94a6b18256b4c00ceff30c522d0932

    SHA512

    9e825ce374f555d7988f9ae1c402e4551ed86e86f4553d1ccefb454be66941c215c751dddff522d4aeb2e2ff411626a28173f2ea0669f031733832bd671fd0f2