Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

25ab8d0b58...d8.exe

windows7-x64

10

25ab8d0b58...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2024, 20:32 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe

  • Size

    62KB

  • MD5

    d1896f5ae8cf8436b83b2f6542117083

  • SHA1

    3f873aff30a32926a4485d1398c22b2d8dc17cbd

  • SHA256

    25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8

  • SHA512

    35442b9fd60aa2ee142abf19b1583a051f0ebff2539778e7db9f16dc06af217d8f7d734132936cb0132b2f45cf9c13ad9a84279089cbf8aaff9ab2c0d17311d4

  • SSDEEP

    768:nMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uAF:nbIvYvZEyFKF6N4yS+AQmZtl/5N

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe
    "C:\Users\Admin\AppData\Local\Temp\25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2996

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    3.33.243.145
    mkkuei4kdsz.com
    IN A
    15.197.204.56
  • flag-us
    GET
    http://mkkuei4kdsz.com/766/202.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /766/202.html HTTP/1.1
    From: 133801507671648000
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=201-]kax=30f369150^e2,`0.dd462`60250/7f3`
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Tue, 31 Dec 2024 20:33:51 GMT
    content-length: 114
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/467/603.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /467/603.html HTTP/1.1
    From: 133801507671648000
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=201-]kax=30f369150^e2,`0.dd462`60250/7f3`
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 31 Dec 2024 20:34:02 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=796522ec40688347878942e2cd9d6b2a|181.215.176.83|1735677242|1735677242|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    GET
    http://mkkuei4kdsz.com/403/672.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /403/672.html HTTP/1.1
    From: 133801507671648000
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=201-]kax=30f369150^e2,`0.dd462`60250/7f3`
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Tue, 31 Dec 2024 20:35:14 GMT
    content-length: 114
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
     3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
     3
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/766/202.html
    http
    omsecor.exe
    519 B
     644 B
     7
    5

    HTTP Request

    GET http://mkkuei4kdsz.com/766/202.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/467/603.html
    http
    omsecor.exe
    421 B
     623 B
     5
    5

    HTTP Request

    GET http://ow5dirasuek.com/467/603.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
     3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
     3
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/403/672.html
    http
    omsecor.exe
    381 B
     604 B
     4
    4

    HTTP Request

    GET http://mkkuei4kdsz.com/403/672.html

    HTTP Response

    200
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
     72 B
     1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
     93 B
     1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    3.33.243.145
    15.197.204.56

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
     77 B
     1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    62KB

    MD5

    2cd7c80517cdbc9aca05e6e3c66a1406

    SHA1

    e8ff84a35fd25236dc4a51574108a677cc2387d2

    SHA256

    d11035c40016617ab62d44d807262d8f6dd441aa05dee9b46c23edb9ba5ea1da

    SHA512

    a67e6a227a08162892e9a4eead28d3129a67431bff3b713351492bf2a4d705867bd914d837355cbec1862a8bd249bc4222675ab010c50fdae6605f05c35d0cc0

    Download Submit

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    62KB

    MD5

    921a5b31ee28aad9fc29b5026f971c47

    SHA1

    c6df3ac2fa81c0f0aaf2665e64e3a3e062ae44d6

    SHA256

    88050d5d8d57c6e800e06bed7dd9849712ccf9820db15f5e53222cb842d2ff04

    SHA512

    352099e6d7508dfb1328630e2d3ad0ffab7176e7ed2a28290e5a1e9af7e11c4b8c2277cc8db9195758e88bd4080bd94a4ba2ff6b7ac1ccc6ef8e11eb22d9b30e

    Download Submit

  • \Windows\SysWOW64\omsecor.exe
    Filesize

    62KB

    MD5

    f4ec3847ddbc539e8d5c1d3d3dcc4c25

    SHA1

    38efe1a4b4b7d3d558d28f7368129fd0305683e8

    SHA256

    9bd32a59b06737b8ad5d6d6ba05fefa18e2c3e34e68b32d313a2d0f1cd83171f

    SHA512

    ff8811db3518daf727f1120b5ac06493d6ea54bb963b616e92dd81b0e3e405aedbb75df0c7380ccd9ab806c3bb224f84b22724f1e92fa707caac1d1f0d763ef4

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.