Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/01/2025, 15:47

General

  • Target

    0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe

  • Size

    80KB

  • MD5

    b72d6e0501d41a0fcd53784f63d87880

  • SHA1

    c371552655ece43bc7037d615057ff2cf57afafc

  • SHA256

    0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a

  • SHA512

    191374c4e0a25fd8c96919cf495d76d94788b44dbf08fdb6271ff086279c7d5615bcaba1ce02f060c0fe8078593824f5d13749f938b0bad0f1495ab4fb82f9df

  • SSDEEP

    1536:+d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzb:mdseIOMEZEyFjEOFqTiQmOl/5xPvw/

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
    "C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3444

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    1105a5530d3484899bac92604df40e4d

    SHA1

    ef081bef6e013dddd41ecb27ef59d9b41b249360

    SHA256

    fdde056d55fc0b08db4c54aa08224516e7832eb3f0fd16aadcf5b2fc179e3353

    SHA512

    ef86677ce4635679636b325cf37f9765c8ac529071e1eddfc061371be2169245fb6e25d7ccfeab3147f8e50423a4d544553244b71516ddd42dbe892255e4f091

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    19219a238b5e51f3098716126df1f50f

    SHA1

    78dfcebaed308e8f006668421eaef4b59c45daca

    SHA256

    50e2bf76f782c8e57f6db340f0322f2ff09177253869990280b138dd69958b26

    SHA512

    040c3c4799b51625b783471055e530aa186e0ffee25ead20bf115b9a941cff1434741cc5499bc23b171617cd6404d1b0c0db0a6853e734ee385e5eb47f8e84fa