Analysis

  • max time kernel
    140s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/01/2025, 03:12

General

  • Target

    7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe

  • Size

    96KB

  • MD5

    91de4d3077d1c1beab2298acba54cab6

  • SHA1

    ae455abf836a7955ec04d529f99fe68e10556d6d

  • SHA256

    7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1

  • SHA512

    d655e8c4b8164bf5d6366839be8dd22e3949ffe2edd61607134f8c0b0c8f7f518c1f03bf01f5593c3160a93296afa717a6dff9ac7518331be46776c6c496b9d4

  • SSDEEP

    1536:vnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:vGs8cd8eXlYairZYqMddH13L

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
    "C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
      C:\Users\Admin\AppData\Local\Temp\7e0718db6c91591568a112fcefed2d17dad39cbbea87d91a0d334aebbb3d1cd1.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1264
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:532
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2028
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1604
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    d579a6df3c6b1f9f44999db4a1158cbf

    SHA1

    34f504e1f221cb2051e9b1074de8231729ef64c3

    SHA256

    fa6d702d455514b98998fbbbdf22ee258e5be281f4d20c60c5cbfd395b5bbf48

    SHA512

    7d90c219423ba0cc25ed1094c36b2d13ea7cb01e7010dbce0b3cb634b105ea19f441d5d9c8f5b3074b270a88d0c9c83a0663c9a1fdc8ed008e917f4786fa0374

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    a917b9eece10e40f46ceded24557a52d

    SHA1

    06b3270e31c8642d941cc0540079a7fd095e6547

    SHA256

    69d04ebd8aa9f71a5db05b7e62bd9781423c5fc0302f0734d7cd8cc9b1a203b5

    SHA512

    9617a91563c29c336e9d1339b06e9de54938ef04a92de365a1f3bf6fd41f890b1c474713f726224a51cdbd7c7a5ce4201a26ba16383dd6ae8ac911b893f06405

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    36fcbbcaab2e76b1de2d1f0ba1c3a562

    SHA1

    08f7144e457bde5bc1a488f36441ff8e57e31bf0

    SHA256

    f8e1d695d3bf2414991801e3b8437041b27d6a46ad88bb69ecbc193ac8aa1606

    SHA512

    729580c18e84c09aee86a506f6df628d76866d545cb7141236825d9b0a55f37fb3508ee9524e5799c26275de22cf1aba5785acb973000dcd53b97ea6a52c3acb

  • memory/532-56-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/532-64-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1264-31-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1264-22-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1604-85-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1832-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1832-1-0x0000000000340000-0x0000000000363000-memory.dmp

    Filesize

    140KB

  • memory/1832-8-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2008-35-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2008-39-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2008-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2008-54-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2008-46-0x0000000002220000-0x0000000002243000-memory.dmp

    Filesize

    140KB

  • memory/2008-42-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2028-71-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2276-91-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2276-88-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2632-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2632-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2632-2-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2632-6-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2632-21-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB