Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21/01/2025, 11:04

General

  • Target

    0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe

  • Size

    80KB

  • MD5

    b72d6e0501d41a0fcd53784f63d87880

  • SHA1

    c371552655ece43bc7037d615057ff2cf57afafc

  • SHA256

    0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a

  • SHA512

    191374c4e0a25fd8c96919cf495d76d94788b44dbf08fdb6271ff086279c7d5615bcaba1ce02f060c0fe8078593824f5d13749f938b0bad0f1495ab4fb82f9df

  • SSDEEP

    1536:+d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzb:mdseIOMEZEyFjEOFqTiQmOl/5xPvw/

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
    "C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    1105a5530d3484899bac92604df40e4d

    SHA1

    ef081bef6e013dddd41ecb27ef59d9b41b249360

    SHA256

    fdde056d55fc0b08db4c54aa08224516e7832eb3f0fd16aadcf5b2fc179e3353

    SHA512

    ef86677ce4635679636b325cf37f9765c8ac529071e1eddfc061371be2169245fb6e25d7ccfeab3147f8e50423a4d544553244b71516ddd42dbe892255e4f091

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    51a6e01a0b9d19446adedf4b2271f177

    SHA1

    e98ff35fec53e3cd49cba75f05569aa2ccca9734

    SHA256

    a5fe4bd97866ec42790cae321edabb3a28ec1ecf1b342ce5bd80677c5efebf55

    SHA512

    c5f10cb14a4f5e4bdb8f41981a1e121518c5f9ef8c5fad8eeff421b4f7b2bb1f059315458dc4c5d2ef4f9fdc286cb226d3b5a7dcb48b108c18b19d55478c2004

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    4c82b8ecf9e0ffeba844bd47e2ebe10b

    SHA1

    5a63e02794f6448446fe244d7740f89dd93de349

    SHA256

    2fc8f53d136f3daee6cd7a12700e5bd95615d51c4ca588f4135cf7b9f2671a99

    SHA512

    01df011745aea9d53b5348a7e50b0979b3b1f2f612b9382cdc5698342923e2453f3a9561699e6f4eb2f62e9c84acc847a3f3c46ff70bd7a85cf910ab9690ab9b