Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/01/2025, 19:42

General

  • Target

    0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe

  • Size

    96KB

  • MD5

    702d7d818e2b3e5661a7c61433a20118

  • SHA1

    1ffe06c9db1e8178806bfe02e971b17b261f7abc

  • SHA256

    0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833

  • SHA512

    7fa4b86a390a0a658f5f95edce7d731375cb36bdb9dde4bb4230441e83c51260c59c84b6c6291de8a0e6026c5f65c356244205943ef588cb2067550b79da8124

  • SSDEEP

    1536:HnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:HGs8cd8eXlYairZYqMddH13r

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
    "C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
      C:\Users\Admin\AppData\Local\Temp\0ca25d6b6c2bef3fe5b64d4d8f0133e53a0f02c9316bcb05ad1612fa6bbbe833.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1908
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2016
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1852
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    ae753e5386a5755c298250f922a62d8a

    SHA1

    75aee149c21d4df745f170fa8d67522a8b97ca23

    SHA256

    aca3f9808ede1d037dbbe66d98a556c2844821b2405d92ef290f033fcf77d22d

    SHA512

    a8b01c55bd1d5e2703544141bced2cd430234e082719b9428628b2cc4e8e4053cc0ebef7244d9d61f1a1797ded3c53aaa8760d1603ef933710c2930dcde9824b

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    21d18d1e8d0d191947a83157bca1727c

    SHA1

    3baad5fa032d7e502b9b1783e74ce465c1b19afc

    SHA256

    8012f3bf195a8529a2275248abc3e710ea80749b0df31cfddae0140e554426c6

    SHA512

    0aee8b92989daede5cf361dd2b92ac44ef7e6bdfc0e469b1a6b946c03971b2b134cd145290338bd52871565b46c54256d41938efcfec1d9d9d0c49ec2eb391d4

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    d3b930c87d9ce38d03e57136321aa0fe

    SHA1

    5dd56fd50c61ebb42f3db2a33b45327c9b915abc

    SHA256

    83eff4662c6decae57a74ffc840883e6c116a5987e0566d73b583b7eab85bb63

    SHA512

    f71e933c38c164056b52626c8cb615f2a0e35dd2cc3945f812235b14daa79f77ad587bda167e003cac82433dfe3adca88cbc510b4aee1bcc10e3aebd99160e66

  • memory/1852-81-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1852-89-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1908-68-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1908-59-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2148-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2148-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2148-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2148-20-0x00000000002B0000-0x00000000002D3000-memory.dmp

    Filesize

    140KB

  • memory/2148-13-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2148-2-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2360-22-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2360-33-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2360-25-0x00000000003D0000-0x00000000003F3000-memory.dmp

    Filesize

    140KB

  • memory/2372-8-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2372-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2952-94-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2952-91-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2968-55-0x0000000000290000-0x00000000002B3000-memory.dmp

    Filesize

    140KB

  • memory/2968-56-0x0000000000290000-0x00000000002B3000-memory.dmp

    Filesize

    140KB

  • memory/2968-57-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2968-36-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2968-42-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2968-37-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2968-45-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB