Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/01/2025, 23:26

General

  • Target

    8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe

  • Size

    72KB

  • MD5

    e834652c7d8b9c50ec3808e8120392b0

  • SHA1

    4877b6cf5497b81a3a1e70854d64f63bc7d4fd69

  • SHA256

    8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906f

  • SHA512

    b78e5d99e5ddb3afe7883054694bcdfc86a810620bb47e62eb6e86d93cae2394cfd447b64ee2de0d5a723fd692fbf5698a8fa64e59ddac5e44d3f2cc0f2dd784

  • SSDEEP

    1536:9Rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211v:jdseIOMEZEyFjEOFqTiQm5l/5211v

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe
    "C:\Users\Admin\AppData\Local\Temp\8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1840
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1144
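Two details in the tree above are worth reading carefully. First, the third process is started with the command line C:\Windows\System32\omsecor.exe but its image is C:\Windows\SysWOW64\omsecor.exe: the sample is a 32-bit binary (the resource tags list arch:x86) running on windows7_x64, so WOW64 file-system redirection maps its System32 writes and launches to SysWOW64. The "Drops file in System32 directory" signature on PID 2912 therefore refers to a file that actually lands in SysWOW64, which is where the Downloads section below lists it. Second, the chain is sample -> %AppData%\Roaming copy -> SysWOW64 copy -> %AppData%\Roaming copy again, each stage re-launching a binary of the same name from a different directory. The following Python is an added example, not part of the Triage report: it reconstructs the chain from process-creation records and flags exactly those behaviours. The records are constructed here to mirror the Processes section (field names follow Sysmon Event ID 1; the ParentProcessId values are inferred from the tree nesting, and the parent PID of the sample itself is an assumed placeholder).

```python
"""Rebuild a process tree from Sysmon-style process-creation events and flag the
dropped-EXE relay seen in this report (added example, not Triage's own code)."""
import ntpath
from collections import defaultdict

SAMPLE = "8284cc86af9962658a04f5276542d7b9c3ad8d66291a35f733fcdaf36c03906fN.exe"

# Constructed records mirroring the report's Processes section. PIDs are the ones
# reported; ParentProcessId is inferred from the nesting (1000 is an assumed
# placeholder for whatever launched the sample, e.g. explorer.exe).
EVENTS = [
    {"ProcessId": 2072, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE,
     "CommandLine": '"' + r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE + '"'},
    {"ProcessId": 2912, "ParentProcessId": 2072,
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"ProcessId": 1840, "ParentProcessId": 2912,
     "Image": r"C:\Windows\SysWOW64\omsecor.exe",
     "CommandLine": r"C:\Windows\System32\omsecor.exe"},   # WOW64 redirection
    {"ProcessId": 1144, "ParentProcessId": 1840,
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
]

# Directories a standard user can write to; anything executing from here that was
# not there before the sample ran is a dropped binary.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")


def build_tree(events):
    """Index events by PID and collect child PIDs per parent."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e["ProcessId"])
    return by_pid, children


def _cmd_image(cmdline):
    """Return the executable path named in a command line (first token, unquoted)."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def analyse(events):
    """Map PID -> list of findings for the three behaviours in the report's tree."""
    by_pid, _ = build_tree(events)
    findings = defaultdict(list)
    for e in events:
        pid, image = e["ProcessId"], e["Image"]
        low = image.lower()
        parent = by_pid.get(e["ParentProcessId"])

        # 1. Executable running out of a user-writable directory.
        if any(d in low for d in USER_WRITABLE):
            findings[pid].append("exec_from_user_writable_dir")

        # 2. Launched as ...\System32\... but the real image sits in SysWOW64:
        #    a 32-bit process subject to WOW64 file-system redirection.
        cmd_img = _cmd_image(e["CommandLine"]).lower()
        if "\\windows\\system32\\" in cmd_img and "\\windows\\syswow64\\" in low:
            findings[pid].append("wow64_system32_redirect")

        # 3. Child has the same file name as its parent but lives in another
        #    directory: a copy re-launching itself from a new location.
        if parent:
            same_name = ntpath.basename(parent["Image"]).lower() == ntpath.basename(image).lower()
            other_dir = ntpath.dirname(parent["Image"]).lower() != ntpath.dirname(image).lower()
            if same_name and other_dir:
                findings[pid].append("same_name_relaunch_other_dir")
    return dict(findings)


def chain(events, pid):
    """Image basenames from the root of the tree down to `pid`."""
    by_pid, _ = build_tree(events)
    out = []
    while pid in by_pid:
        out.append(ntpath.basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return out[::-1]


if __name__ == "__main__":
    for pid, hits in sorted(analyse(EVENTS).items()):
        print(pid, " -> ".join(chain(EVENTS, pid)))
        for h in hits:
            print("   ", h)
```

On a live host the same logic runs over real Sysmon Event ID 1 records; the point of rule 2 is that a hunt for "files written to System32" by this family must also look in SysWOW64, since the Image path, not the command line, is where the dropped copy actually lives.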

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    72KB

    MD5

    f81810a12b8facfc00410541399bf630

    SHA1

    4022948bdc69efaf5c9f9d20b02d84c8f72385d6

    SHA256

    46e1d6b5bbd081143431128b858697035e6473cb76ca111d9a154b61a2d66744

    SHA512

    f7beedc2ee5bf5a48a8b5a5d71aab8aa4095d46b0f8b027f9295bef3c3b9a667037ca232586e0eac39e4ec051fd26724482d971430d18564fee29c5e764f8c4b

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    72KB

    MD5

    3bfd87464c55b144c56b3fc8f6652516

    SHA1

    638730eaac7a549746fac30878b9f747f4310626

    SHA256

    1cfdb331aa21c4e0d203a0483135f772d49f6073a31c5087e877f2fcaddf262b

    SHA512

    9bd6424b36a9e9cb9ec0c1063b31c035b2fab00322599ea755da3a3987aeb8f0169b989f20dfefd4d8c95945cabb8e42167489a91c2fff4b8a52ef59f5e7a0b2

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    72KB

    MD5

    e62a2efb904d6fc9c2f55c762a8bff90

    SHA1

    504dc8931ec4f42339774482a8d3f326838d7f79

    SHA256

    e14d8b3654c2b927ad33b098b486bb8ea8731801c7c2f15fe39f89fc42bd836b

    SHA512

    e7bd80256f5472b8b707e2d238dab46a538a9aea9b293455c70b82e6a822e2021dd2fec25d5cedcdee44b22922c293c45d70c024e90f098335c77aeb6cbf28d2