Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    114s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/01/2025, 00:08

General

  • Target

    5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe

  • Size

    80KB

  • MD5

    f97587f7b361193b7db0db38ad4fb970

  • SHA1

    584034a137030cfcee780ef8835c5d7de588e081

  • SHA256

    5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47

  • SHA512

    157bd41c8dd5160f3270a02de352136f15368e632cd08573753dc0a81d3eb2179696e8f5daef7cff15735e0ad7a325ba567a9e4f6ff54befe3ebfc9d8457ccf9

  • SSDEEP

    1536:0d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:MdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe
    "C:\Users\Admin\AppData\Local\Temp\5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3528
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    90f2ef9de6df1ffb936d2197a1bce4a0

    SHA1

    f927998855e78738d4ec9675fb96355e0f8fc3ee

    SHA256

    54337ea42b44fd8bd5720c6b4c2efc27b6505fcf629fb3174231a2513ed511ae

    SHA512

    9bb14e047c1592ccf287d1deb68ea2bb7c452e404fea9d9ca41a50a3a52c88080f8921c429c6eba0804185980f2fdf76497742ac8207e53b5a7acd63b30fe2c6

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    77747f222cd5cf4ebe7b1fb987aa71cb

    SHA1

    280957e938ce3b4cad37ed83178a19723d7f4d8a

    SHA256

    489db48d37861cd49820a03e80195a23c6fbfacc3ab3f78787cfe1b8dd3d4445

    SHA512

    69480b79172d30fea7bc7f51ab174717b912285d41d09a6bb82ad70bd1f7d7797dc90c1b9771e85212071bbdf5fb535d9fa917954eaa2ec23ac9ab4c7d3b1c2c

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    7e425608010a6e12fd37818c0ec31edd

    SHA1

    2e18d18526ba0f83732b6db3dec0e80ffa09b6cd

    SHA256

    ba6ea32054df7ca4cf61eeb2db1053ad06aed4dd6b45a6f04d19f44f65c2e799

    SHA512

    7b4d33e85574205ba2f418c76b7c508a944fcebda75da6dde438e135138dfbc5580037cd28d27e7c2d82290d3176ca9d8d997cdabac99527a4be43461ba77f03