Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/12/2024, 20:10

General

  • Target
    15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
  • Size
    61KB
  • MD5
    b43ae4bd2587aae0bb7cda53225bfb7e
  • SHA1
    a7915c8f95202c58172bc6ffa283505e7874fb3a
  • SHA256
    15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344
  • SHA512
    21c0cb46e37862689cf1fb6f75692e3ff094298c5e263db46b2f0df6cca1e943ef1e170dfd2f330080db80aa40ce6b64d80b36073557538274fbba116e743b84
  • SSDEEP
    1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZll/5:7dseIOMEZEyFjEOFqTiQmPl/5

Malware Config

Extracted

  • Family
    neconyd
  • C2
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe
    "C:\Users\Admin\AppData\Local\Temp\15cd84b0943b6f775bc10029d846363ecf985a2a3fe7a3fd14f31e154eeee344.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:676
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize
    61KB
    MD5
    e75c970bba40534408665e9780da0b9e
    SHA1
    14dfe6fee89cb45fe582844aeb9732941f34d86b
    SHA256
    fbe87e65078d3ea5eee27a339e541a95b3dffba4c91b3bc7a4d0ad50016d10c2
    SHA512
    ea214804fccaed5947da5e24641a712842cfad507e55029d21f201117d0a851ca7aaf515cdb62d44e8e342ac0719fa652e49a81c2a189e4b669359bfd558fca1
  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize
    61KB
    MD5
    d01b660d2283f068c79724968338645f
    SHA1
    589b80e4e8784bf8f21aa5a753989e9ca8e97b71
    SHA256
    5154ae8b1dc240e4cf938c58ee33f0d521b801174527da0bf1841e7de9c33200
    SHA512
    3ec94a45a076a901369d618f680f5c61d70952daf92a8c4757b6b290623b731b3502017f627f79a05b83fb28575302d1e790200b7518a87ebdec79e15dfc8cfb
  • \Windows\SysWOW64\omsecor.exe
    Filesize
    61KB
    MD5
    6f19c18e4012785b7040a08e25ad7c59
    SHA1
    42d8ff55126c72c645249dfde86c08b283cd7de7
    SHA256
    41eb26dab28d5e3d65df53b12f2c3073a1b2c3a3f6101eb2a2e593e4e77009ad
    SHA512
    274d2d86ab9c1f6913e20c6678ec0a766b843ece175cf902a8626bec21a68094b18b895d94ffb55b2dd96168f0b7cb99bc5307fc2a9274ad20b122cd6292aa44