Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/01/2025, 00:21

General

  • Target

    6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe

  • Size

    96KB

  • MD5

    45ec69aea194e3c952bf2bb1e2831a13

  • SHA1

    23700639bd45852d86460434e69b1d73331c07f1

  • SHA256

    6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95

  • SHA512

    e66ffcbaf83a8966e08dd3e2e0727caeac1df91b220841fb40a72a36dc538a28c79a45010582e7c31f62c7bcb078a347587396be8aa11b818ff1ef4d5b9e1920

  • SSDEEP

    1536:BnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:BGs8cd8eXlYairZYqMddH13z

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
    "C:\Users\Admin\AppData\Local\Temp\6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Users\Admin\AppData\Local\Temp\6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
      C:\Users\Admin\AppData\Local\Temp\6f4a44c7d35ba1af57e115c6f7b32b693e08cb6d777aba72a6d46c93141d3c95.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1056
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2280
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    ef41a2c1ab05878bea1e18732ad0d88c

    SHA1

    b0f264b072b0dfc69cc3fb3117c0dfe20546d253

    SHA256

    4aa7d5c1f3b38284fd3f925de9595358cbc24e5c75c4f49c40c13eb8b92314c7

    SHA512

    a945f005f985be3b24b9b6b81cabe77d42ccd586e8c1c5b2e12919b2c17e487295afeed19c2bf2005f4fae90deea3f6f25e7ad1c8a5efe66e3154e7fb0ba3ae8

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    88d6414aa6867b7da027e3496160fb7d

    SHA1

    1bdfb04b9178812578e1a517decf66f27da75494

    SHA256

    c68d95abba7ae2eacf469ff26cec3fb637fa592aa94187ac2b995f657ef5777d

    SHA512

    a3ac2e5be84a41f5d76c9514b23dc615c0d0e13df252ecd7e6354d20530768f9ed49b255895ae6df584f83f14cfae540587b528522f084cb2b1662d92be3c577

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    e1d746fb699b33c99873c65e18a65d8d

    SHA1

    79220c955d97700d0c1db6fdcc7145a38dba01ce

    SHA256

    002cf81354e867f108af8bad8ecfc1405c9d49feb56a36438f10e97a20d9652e

    SHA512

    57355bf326db4dfedc07a61eb34e5771f49f070740388de44d6154bf322e0ad5fa012b467103a08a9194efdd889301665dc8014b08f3f7828a99ed12e739b0c3

  • memory/2080-90-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2080-93-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2280-80-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2280-88-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2456-14-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2456-22-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2456-11-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2456-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2456-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2456-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2456-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2460-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2460-7-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2820-67-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2952-23-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2952-32-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2980-36-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2980-56-0x0000000002360000-0x0000000002383000-memory.dmp

    Filesize

    140KB

  • memory/2980-57-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2980-48-0x0000000002360000-0x0000000002383000-memory.dmp

    Filesize

    140KB

  • memory/2980-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2980-42-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2980-39-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB