Analysis

  • max time kernel
    115s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/01/2025, 18:17

General

  • Target

    9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe

  • Size

    61KB

  • MD5

    0ae69dcd82d19b6198b367d47664d750

  • SHA1

    2fdcf486e68cfe5f84bcc8ef8f1fc465606b59ec

  • SHA256

    9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903

  • SHA512

    21a751134ba8eaad85cb87800100a4ba0cc92b89a060efbd276f29d005c9d1ed229389b73cbb18970bb902f47d638fd7d58b5c77de4fe4a31197166a2dd82044

  • SSDEEP

    1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZjl/5:kdseIOMEZEyFjEOFqTiQmxl/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE (3 IoCs)
  • Drops file in System32 directory (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe
    "C:\Users\Admin\AppData\Local\Temp\9e4f8f1c77a6f54e1e546ff028d75e12a38218adb65789908660ba903724a903N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    9896fc5f795ef4f58e677dc32660b9d0

    SHA1

    8657d80ee97eea416e88865bc44aed16979f4f0a

    SHA256

    b849fc623ecec0d3340c914de262b90250fbd1c2d24969064cd6c9e2fc2b4bbf

    SHA512

    67a58cf3acc6a43b9cb94f99a383930763ff57b97810025f6c372b6985acdc20e606d6297e62aa749582336728c0dd7b03d8b8ff8afc8559cbefe6d9ff15b6c6

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    cd48fe3ad3a85f7c74f04d8d2fa05fa8

    SHA1

    9b696c4f5e288eec9ab978a6759b7c71a75ffed2

    SHA256

    c9492cf7d9128c374d9946a113951a7c77b2e1c4a8dcca47f5540d184acda7a5

    SHA512

    01f01cb6ccadbaaf583fd0eb573fdbc4f0b7ad4ecc8ec195201dbb9697eee4cc24eb6fc4aa7043b5a0f64803eeee2238c2b3cf59d7610bd1dd740c249d40655a

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    61KB

    MD5

    c90b5ffc0f5b2d7237af5426ed4a4cb6

    SHA1

    20d98d1a67a911a66f563fc8ca1e6c3023ae06be

    SHA256

    94cc291cf93b90f07b98e6307eda5b6b7962d0f6dc8efbbd02dee7e949ed8d9b

    SHA512

    4bf2bb2443920f25d64eea4658f763b046bfe73070a241431fe9a39fd634d6725ad7f85f68d34e99032efc93a265b69bbd6798aeef23eb66ffcb48c8e4cdb6e8