Analysis

  • max time kernel
    119s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/01/2025, 14:50

General

  • Target

    662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe

  • Size

    76KB

  • MD5

    4da380879d70fbcf230ed358131d352a

  • SHA1

    02a0535a9e16715dcb4b7ce607fc1de765e3a7ba

  • SHA256

    662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944

  • SHA512

    56d9188446c96e1da11bf9aa7252796030c4b03c4be9b163ffda30de25587444f6f77658de7054045f356e56cfa6eb68530321f9d15748893d96d9326309c89c

  • SSDEEP

    768:VMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:VbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
    "C:\Users\Admin\AppData\Local\Temp\662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    76KB

    MD5

    d47b327fea566cbee5e9cc21398a8f1b

    SHA1

    6730610cdc25b214f6772b6c5a93848406b19e37

    SHA256

    cc4c5ff639447989c67ed504f40d652712ec290446439404037718dba23ad4f2

    SHA512

    7c48e0511f1ed0f7af9e9fe50ba80e4388eadc4b3e1e50fabd1f2ed2120d4c1514bd7fa32c1dd4e646828696dcd2eba239d122697786cee82c96ceafe4dfa359

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    76KB

    MD5

    1399e86def1b539655f8c31bf1bfe893

    SHA1

    0351d57d9c754154a295095932e35909817eb26e

    SHA256

    89117b1691c4dfb96c338293f0c18eb5e4b830ff7c73e2297416e1d27dd8cca9

    SHA512

    85c1b9fe5206435b94042963d35312e5ebfc7cf01ba6b0bea5e3c88fc4d74038805f84848abf806c2595d0d0e0e262c690dde0077d0c957d2e8b16f78c517b69

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    76KB

    MD5

    b604db7ec1a0f6aa1e4cbbddc9f626d7

    SHA1

    f80ea3ba1ddd1d985f99eba7e0d8ae46af60ea58

    SHA256

    5c94471e8954a435a68131e1f39911523f8cad87e65c00395d44e935bdead0d6

    SHA512

    a42a9d495eee7fdc40d594178cbc85cb6b368999fa1f55048ffe6d3274485aabf4587d8be7f121a676011a3004b07d4ee7c5c5f753f9269be309927e38af41b6