Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/01/2025, 06:38

General

  • Target

    b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe

  • Size

    70KB

  • MD5

    b483ab5c9018ea96cb70d2b40c4f8d1e

  • SHA1

    5d28d055562b55df9e4d4aa9e87c1a8907598d5d

  • SHA256

    b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429

  • SHA512

    3acd494d5c4264d186ad246fc7e189102b0b7deaaadcbb38556a618d04fe8bd29d1ef0368c97e05c0992a0f83759ca9fe6e7e6ec1f8b380dd1160388acbc1ace

  • SSDEEP

    1536:kd9dseIOcE93bIvYvZEyF4EEOF+N4yS+AQmZsDHNzfE:cdseIOMEZEyFjEOFuTiQm+DHNzfE

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe
    "C:\Users\Admin\AppData\Local\Temp\b308483f9fed901628a9341f9ac7e1546f44f1643979e2f70224e7e9612a8429.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3456
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    70KB

    MD5

    314f3c09230b1fd02e44991f7a3753d2

    SHA1

    0b65552bf6f4fefa40fa09060b1df05e39542680

    SHA256

    9485a470fde4b2b07930258c8b999d1af7e342c6cfabd0b7e55fe6d0793c76a5

    SHA512

    9c8864fb1b798bde20f18a64f859b16a327db44bc5dbf372e1e882db65d4a470b59b1de08a94a7960e57013eaa1df2464a7628e32c6848177dcb7d7e64c364b0

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    70KB

    MD5

    192d1b14b74e47bdcecf80a0a7358162

    SHA1

    d601f3784e3fdce7fc0300cb5835b80b20fcb7d1

    SHA256

    d7ccc24d5b966d2e3d7df05241d3b7af4eee1f99536a358241a271be357004df

    SHA512

    cc5866f06d6e6c33224dfb9527e054a06fc1713991656f8f7ab88d38723eeeea3f636e88219ce4cc7876f9d7dc446fe232c6f9bef4045cb92e1b6911961e5bc7

  • memory/3208-11-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3208-14-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3456-4-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3456-7-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3456-13-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3656-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3656-6-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB