Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

d42d0bcec7...10.exe

windows7-x64

10

d42d0bcec7...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/12/2024, 03:07 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe

  • Size

    90KB

  • MD5

    d1cbebb87a50f19ebe40d068ab9b2e3a

  • SHA1

    1a40cc5fb7be80577cc1eabd53a48e6d8d64c4ea

  • SHA256

    d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810

  • SHA512

    c10eb92a6879effb6c9502eaafb327857f918cc0b820dc1015a072e55eaf3aaa37a9df13e857bca0145e0621989d586e1b6bd6727c5b16ed5f3630d6fabb439d

  • SSDEEP

    768:EMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uAa:EbIvYvZEyFKF6N4aS5AQmZTl/5i

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe
    "C:\Users\Admin\AppData\Local\Temp\d42d0bcec7908cf5141db8b57a09f5011b7f75943fcf4b4606c5e9e435ee1810.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2196

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-fi
    GET
    http://lousta.net/424/225.html
    omsecor.exe
    Remote address:
    193.166.255.171:80
    Request
    GET /424/225.html HTTP/1.1
    From: 133797424502520000
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=201-]kax=b54-/05c6.db-d55`74c9]df444.cb13
    Host: lousta.net
    Connection: Keep-Alive
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    15.197.204.56
    mkkuei4kdsz.com
    IN A
    3.33.243.145
  • flag-us
    GET
    http://mkkuei4kdsz.com/281/818.html
    omsecor.exe
    Remote address:
    15.197.204.56:80
    Request
    GET /281/818.html HTTP/1.1
    From: 133797424502520000
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=201-]kax=b54-/05c6.db-d55`74c9]df444.cb13
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Fri, 27 Dec 2024 03:08:33 GMT
    content-length: 114
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/933/833.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /933/833.html HTTP/1.1
    From: 133797424502520000
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=201-]kax=b54-/05c6.db-d55`74c9]df444.cb13
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 27 Dec 2024 03:08:43 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=d01ff2e71cfecfd5261bffece1df0856|181.215.176.83|1735268923|1735268923|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    GET
    http://mkkuei4kdsz.com/745/973.html
    omsecor.exe
    Remote address:
    15.197.204.56:80
    Request
    GET /745/973.html HTTP/1.1
    From: 133797424502520000
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=201-]kax=b54-/05c6.db-d55`74c9]df444.cb13
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Fri, 27 Dec 2024 03:09:56 GMT
    content-length: 114
  • 193.166.255.171:80
    http://lousta.net/424/225.html
    http
    omsecor.exe
    324 B
     132 B
     3
    3

    HTTP Request

    GET http://lousta.net/424/225.html
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
     3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
     3
  • 15.197.204.56:80
    http://mkkuei4kdsz.com/281/818.html
    http
    omsecor.exe
    473 B
     644 B
     6
    5

    HTTP Request

    GET http://mkkuei4kdsz.com/281/818.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/933/833.html
    http
    omsecor.exe
    421 B
     631 B
     5
    5

    HTTP Request

    GET http://ow5dirasuek.com/933/833.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
     3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
     3
  • 15.197.204.56:80
    http://mkkuei4kdsz.com/745/973.html
    http
    omsecor.exe
    427 B
     604 B
     5
    4

    HTTP Request

    GET http://mkkuei4kdsz.com/745/973.html

    HTTP Response

    200
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
     72 B
     1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
     93 B
     1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    15.197.204.56
    3.33.243.145

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
     77 B
     1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    90KB

    MD5

    721838d0dc55b0715421fc9940d76768

    SHA1

    ff6838e5b2ba34bdcb9ff88231ceb593eabddd22

    SHA256

    1a3f84f95b4006f44fe8c289ee62a578338644765549ddc10375237a8ad69e67

    SHA512

    bc6588183d2e728d39e32bcb86821f09a526884db9666cc7b05a9705cbaaa096ba72619579201f8fa4ea7de69bb3c0d399f318ee5c4f6566e417f225afb24c73

    Download Submit

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    90KB

    MD5

    6ba426446de78e3ed07c8211f028ef8b

    SHA1

    835beafbc008cac4e94cb03dd9d808d315479d90

    SHA256

    5a9ffa467ee5aa96a1e70ad7e0daafc66f6fa147202f7f412c48b9e7a32c0084

    SHA512

    d30f804f290e3f628be0e495acd6fc584d877746538f498432fe5958b33fda1a38465246044879eaae7c699855fbe6a568b416df50dd493f356a198ab1e0d531

    Download Submit

  • \Windows\SysWOW64\omsecor.exe
    Filesize

    90KB

    MD5

    c7ec0306559a7c7010c3ad0bab1c2423

    SHA1

    9517a0c6f67a223876a7ed0a46f8373f152e0239

    SHA256

    e47748b5eae34994ec464db5149c8c2c44417efebe5568f327ef51b957b0ed0d

    SHA512

    4bcbbb40ea96b2e2958a112a3b64e86d7c37c81f4e12fccf61a2b0fd3aecdd181fb82809c5cd8d7feadffecc55626878c7a2a23cd74a6ea58789997692f28bdb

    Download Submit

  • memory/1020-10-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1020-24-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1020-12-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1020-17-0x0000000000330000-0x000000000035B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-35-0x0000000000230000-0x000000000025B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-36-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-30-0x0000000000230000-0x000000000025B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2148-25-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2196-39-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3016-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3016-8-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.