Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/01/2025, 07:02

General

  • Target
    6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
  • Size
    96KB
  • MD5
    6d3dc9d6bd7adee40728b253e2eb0780
  • SHA1
    a86a05578acb4d0627f7d85af8a39433da702194
  • SHA256
    6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147b
  • SHA512
    bf635ffe96a0b02ed884ad962d023f204bbe1d7a33fddc951cf1fcd34b7abc304ca5345287dd823c5413944433b3a14a358307fd0829dc29f3fe768e2fc48357
  • SSDEEP
    1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:4Gs8cd8eXlYairZYqMddH13r

Malware Config

Extracted

  • Family
    neconyd
  • C2
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/

Signatures

  • Neconyd
    Neconyd is a trojan written in C++.
  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
    "C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
      C:\Users\Admin\AppData\Local\Temp\6c5293e8be1df26d6f15895e22a9b6b79d33ab9984fb7598fedc9337ab24147bN.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:532
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1092
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2032
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2176

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize
    96KB
    MD5
    df24be91929341411994d9c5d5df22c9
    SHA1
    c947478174e353d33dad3244fc79ddae1be3e703
    SHA256
    bb5f489b34c4001feae77f356975ffe2007b2c566820753122ced0ffc504a268
    SHA512
    088f54fd412db3564f1be4e0ce79ad305cee6cae65ef3e65dcc3aa003927e0ddecf99326f789fb199988de5428eb0f4d451bc0cec1d82f417a61e148ea3c54ec
  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize
    96KB
    MD5
    41a6673d119cdf2895589c85f051f65f
    SHA1
    af37d1379249a27136beb92dc42b6e6fe1ad8e87
    SHA256
    e8cc541546d613b59e1af9f0363ae86243d52254ea1815b479173f3fa220e469
    SHA512
    4049e802357dc5a24257b32b673a00cc0ef21cde0bc93ba81455bb608f0e0a2c8920d8996fff8ab11cf1b47cfba69eb717ff8f5a3429117e7413d1f2f3e5d905
  • \Windows\SysWOW64\omsecor.exe
    Filesize
    96KB
    MD5
    966e0a1ac38082ce57faa597403082db
    SHA1
    300ba3db9f9305e31cc80e90d23e2d753f071b72
    SHA256
    6d2a8e5251c2b3a2bb0298f06d913a57355e3f72ef606744fa79bc86a3a71ba7
    SHA512
    93d4ba0bd007c735c38d78129ca14d01b738e7cc307b8f28f5043f8bdf12849adfb721321f00ff05cc227c79182bbf2da63f70f31f3fa841f084dd56605b762a
  • memory/532-65-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize
    140KB
  • memory/1092-70-0x0000000000240000-0x0000000000263000-memory.dmp
    Filesize
    140KB
  • memory/2032-87-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize
    140KB
  • memory/2032-79-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize
    140KB
  • memory/2084-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB
  • memory/2084-5-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/2084-19-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/2084-1-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/2084-9-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/2176-89-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/2672-47-0x00000000003C0000-0x00000000003E3000-memory.dmp
    Filesize
    140KB
  • memory/2672-44-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/2672-56-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/2672-41-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/2672-38-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/2672-35-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/2740-21-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize
    140KB
  • memory/2740-24-0x0000000000230000-0x0000000000253000-memory.dmp
    Filesize
    140KB
  • memory/2740-32-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize
    140KB
  • memory/2848-0-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize
    140KB
  • memory/2848-7-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize
    140KB