Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/01/2025, 00:35

General

  • Target

    JaffaCakes118_7fccf02504296f7a2517532adae450fd.exe

  • Size

    63KB

  • MD5

    7fccf02504296f7a2517532adae450fd

  • SHA1

    3725b65262871db393147079430bcde824da2a2d

  • SHA256

    f11d72433512b6bf325419d1c039abe33d779c5e8cc8172b668e2b3aa23c64ff

  • SHA512

    b682d6b7d274daec2031511bfcf552310e9d941b25050580165f9d070fd68566e81418f53566a39277a6d66955973d50293e065faddeb21d826ed57b0b3c9399

  • SSDEEP

    1536:2d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:OdseIOMEZEyFjEOFqTiQm5l/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7fccf02504296f7a2517532adae450fd.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7fccf02504296f7a2517532adae450fd.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:464
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    63KB

    MD5

    a470af9c988561890031161a78785e21

    SHA1

    57f7087d2fb82948588685f18d06587bbbf2a3c7

    SHA256

    b4f28f7ea81fa2e833d6020af41ae4b7bf05233b3876604d5d07a839957b2e87

    SHA512

    fbff5f99a136106d83d556aa0a333e325d68210835acd559117a4355611bbce3d7f5d93b8a3fa0fe5548941b8f30f9ec475083f76891a6b4b0ad6bfa57cf84df

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    63KB

    MD5

    4af7b3034c24a3e5426ce4d916dba8e7

    SHA1

    7566e6354d2160f0c56e4008e56032924e235921

    SHA256

    d923818c66b3b634273058d4b6101da4b8fef0e397138fae308dd91f8f20a7cf

    SHA512

    269000c92b47d88a9782463bf0e88640039310b9d84320272623c3cf272ad8dcab1ffa957a0852d315f1bfee0cc3c840a544d0dead78c18117ce85aa342b12d7

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    63KB

    MD5

    459f3f98327b87d5196c15a75b00fa98

    SHA1

    9a2cf0b47c9644b9958f0985ebfedf9bf05b589a

    SHA256

    6572bb96584cb44b3244b2023991ff89bb908682ce56c82a38de5f28fe370e2c

    SHA512

    33456d3726f7b13e952e2308a1f819499a9bd5a29686394be8fa6cfa4dcc39d04dc37e38b283883033dc3945799b65519a1a13ae6fbf26fc64d6a40f9f63b0f3