Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

0e7f0efe3d...2a.exe

windows7-x64

10

0e7f0efe3d...2a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/01/2025, 11:04 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe

  • Size

    80KB

  • MD5

    b72d6e0501d41a0fcd53784f63d87880

  • SHA1

    c371552655ece43bc7037d615057ff2cf57afafc

  • SHA256

    0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a

  • SHA512

    191374c4e0a25fd8c96919cf495d76d94788b44dbf08fdb6271ff086279c7d5615bcaba1ce02f060c0fe8078593824f5d13749f938b0bad0f1495ab4fb82f9df

  • SSDEEP

    1536:+d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzb:mdseIOMEZEyFjEOFqTiQmOl/5xPvw/

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe
    "C:\Users\Admin\AppData\Local\Temp\0e7f0efe3dd76343ceab51a84f60013b3b2dc3e65d1737e913d59b597f3acb2a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1068

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
  • flag-us
    DNS
    69.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    3.33.243.145
    mkkuei4kdsz.com
    IN A
    15.197.204.56
  • flag-us
    GET
    http://mkkuei4kdsz.com/185/548.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /185/548.html HTTP/1.1
    From: 133819340783484261
    Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.dc1be`ce188`5bc23a5g252.64`b9bc
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Tue, 21 Jan 2025 11:55:38 GMT
    content-length: 114
  • flag-us
    DNS
    145.243.33.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    145.243.33.3.in-addr.arpa
    IN PTR
    Response
    145.243.33.3.in-addr.arpa
    IN PTR
    a3edc0dabdef92d6dawsglobalacceleratorcom
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/183/707.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /183/707.html HTTP/1.1
    From: 133819340783484261
    Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.dc1be`ce188`5bc23a5g252.64`b9bc
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 21 Jan 2025 11:55:49 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=bce13268de404a7d1c04c1a88b8205cb|181.215.176.83|1737460549|1737460549|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    229.198.34.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    229.198.34.52.in-addr.arpa
    IN PTR
    Response
    229.198.34.52.in-addr.arpa
    IN PTR
    ec2-52-34-198-229 us-west-2compute amazonawscom
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    60.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    60.153.16.2.in-addr.arpa
    IN PTR
    Response
    60.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-60deploystaticakamaitechnologiescom
  • flag-us
    DNS
    60.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    60.153.16.2.in-addr.arpa
    IN PTR
  • flag-us
    GET
    http://mkkuei4kdsz.com/887/303.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /887/303.html HTTP/1.1
    From: 133819340783484261
    Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>.dc1be`ce188`5bc23a5g252.64`b9bc
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Tue, 21 Jan 2025 11:57:03 GMT
    content-length: 114
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
     5
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/185/548.html
    http
    omsecor.exe
    888 B
     508 B
     11
    7

    HTTP Request

    GET http://mkkuei4kdsz.com/185/548.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/183/707.html
    http
    omsecor.exe
    467 B
     623 B
     6
    5

    HTTP Request

    GET http://ow5dirasuek.com/183/707.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
     5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
     5
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/887/303.html
    http
    omsecor.exe
    675 B
     1.2kB
     10
    8

    HTTP Request

    GET http://mkkuei4kdsz.com/887/303.html

    HTTP Response

    200
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    280 B
     5

    DNS Request

    lousta.net

    DNS Request

    lousta.net

    DNS Request

    lousta.net

    DNS Request

    lousta.net

    DNS Request

    lousta.net

  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    69.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    219 B
     139 B
     3
    1

    DNS Request

    167.173.78.104.in-addr.arpa

    DNS Request

    167.173.78.104.in-addr.arpa

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    168 B
     72 B
     3
    1

    DNS Request

    lousta.net

    DNS Request

    lousta.net

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    148 B
     160 B
     2
    1

    DNS Request

    200.163.202.172.in-addr.arpa

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
     93 B
     1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    3.33.243.145
    15.197.204.56

  • 8.8.8.8:53
    145.243.33.3.in-addr.arpa
    dns
    71 B
     127 B
     1
    1

    DNS Request

    145.243.33.3.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
     77 B
     1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

  • 8.8.8.8:53
    229.198.34.52.in-addr.arpa
    dns
    72 B
     135 B
     1
    1

    DNS Request

    229.198.34.52.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    60.153.16.2.in-addr.arpa
    dns
    140 B
     133 B
     2
    1

    DNS Request

    60.153.16.2.in-addr.arpa

    DNS Request

    60.153.16.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    80KB

    MD5

    4b039ee756b17e056e240fb6394e1a44

    SHA1

    c969ac901f61914286a7d0ab2c1617dd548dd9b6

    SHA256

    ddbcc80660e2c21ae1b8281ffa77198b032389fa9f45f9a0eb71509185d99694

    SHA512

    939b2b9a8a7c5cf7a645ef3a613f10cae601845b060ab24ff776b52d78805353ae616b0131f57c1aacf092e8d133e650dbfabee6a57e69ae4fefe35a41e83d01

    Download Submit

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    80KB

    MD5

    1105a5530d3484899bac92604df40e4d

    SHA1

    ef081bef6e013dddd41ecb27ef59d9b41b249360

    SHA256

    fdde056d55fc0b08db4c54aa08224516e7832eb3f0fd16aadcf5b2fc179e3353

    SHA512

    ef86677ce4635679636b325cf37f9765c8ac529071e1eddfc061371be2169245fb6e25d7ccfeab3147f8e50423a4d544553244b71516ddd42dbe892255e4f091

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    80KB

    MD5

    c80f7cdc74ae496c7cddefcb1a65ff28

    SHA1

    d9d44b7f3f0a5534a7d7109c1521a1621b02e6dd

    SHA256

    62aff667855603485f5fc4d6d0784291313740a2daf995e5154aea4b90f8f985

    SHA512

    76e03948c5704a063215f8dc6d13d0d775b6a4e15ba680e8dcfe238795a83b9bb522a4ca1564bb2ad577cef7534f45ace5005728bc616c244e8f126d2b80494a

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.