Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/01/2025, 04:33

General

  • Target

    b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89fN.exe

  • Size

    88KB

  • MD5

    a097be328eb9231d136ad6df8ef684b0

  • SHA1

    4fcf756ab596072f42f1582f1e9d7c05e5d832a1

  • SHA256

    b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89f

  • SHA512

    5d6a9b70dd20070edd00ebfc3c6813dab12dcc0ffb4d9866f8c5ae16d51a4698cec78789399723a8a665d0069f9037ca6c17308f67240d602ede9c61dbea8dfd

  • SSDEEP

    1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5r:9dseIOMEZEyFjEOFqTiQm5l/5r

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89fN.exe
    "C:\Users\Admin\AppData\Local\Temp\b3631affd7bdc141d454486540889437e0b243dbfb10ea8d9fcccfe67954c89fN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:4004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    fe87e99998c96f2e97cd55b1eae62b59

    SHA1

    c22ccd06477e93ea6f6d741341256c64c6281519

    SHA256

    b22d4b5bc760bd640c289e08330cda2873c933329fd6fa93dfab411fe98b1673

    SHA512

    8134fa8ebb24c495cf50ce0364b6478c782cf9e5d388342e0743034b28a2d1d20c3ee53a0e98446db5040edf6e537a76771c6eadd223e0895f3911a2208e3b3d

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    88KB

    MD5

    ad025a7141d5032ca01bcd21d5daaea7

    SHA1

    a93a6e3426d72e6f7ff434bf3895db0709425084

    SHA256

    bed04fb3c925014a6e75a2f8b953d05888e47c23b4274e467e867100f271ad8e

    SHA512

    eb928553796d8be5eec1761f930cb1ecb509318817449aebfeb213ece76756b8cceab89c62f5a88925c666d394e5890f01eed285091e46128fe239fce28bfd6f