Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/01/2025, 01:01

General

  • Target

    781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe

  • Size

    65KB

  • MD5

    21c540f78bdf821f2f1af733520c7ac0

  • SHA1

    dad78580707815d02ef375d7e6645d13d388aaed

  • SHA256

    781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbed

  • SHA512

    dbcf9d5589010e6b9d7bfab28fcf4b4af413f6a31cd8e0e818751685cbd8e539b9eb9ea95df1e0052cd5e973cfaabfb33418b5b36393a51e2588ac347853b030

  • SSDEEP

    1536:hd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzl:RdseIO+EZEyFjEOFqTiQmRHzl

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe
    "C:\Users\Admin\AppData\Local\Temp\781d05058243aecab0eb07eb68957b94af7ac98f9206cd8a71e6ae5527a8dbedN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    65KB

    MD5

    aa2c86fd763014630a67ddf397818d45

    SHA1

    fa521f069005025be29a1fa8b2c73a4e23bf6731

    SHA256

    6184d19b82a55b330db3719e32bf6be063fc390078ea1d15a150d12c0571ba1d

    SHA512

    5a171ffdf77d089503d56fbe94c731d14cc6260cc7f60a23bebe4640f10c52c6c60acf572b1d5fb009ecdacfd9fb3df838a202b658c4865d94561e7dc4867919

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    65KB

    MD5

    38774e4d6c0db08725122be4fd407463

    SHA1

    9e8908bd43e73b1d0be87fcedd77e368d581cc11

    SHA256

    258fc8cf69a98d349712430d29b532f46898748419940acab9c6504fbfafe17c

    SHA512

    7d04cdf63e280a0d6f5c6843e4de1981bd537c4bcac246290ce8ba70ecb6b6e228ba03cb3f78b0f63ab7aa8cb016355f42612666415c7a9b74e879795f0d1be1

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    65KB

    MD5

    b73483edd5abf43668042268ca357046

    SHA1

    38cdcad2a1326391fe3b7b5f3f39d615d30b7614

    SHA256

    3cecfee64dec375816a314d36058b0266f6758f03f18a042549780b1596ccac1

    SHA512

    bb98d26a5253148a240f6f818408f8b9847e453d0611f74566fe93e50c38f87fccf65fc77cd303f91ae73f38d2c5b2d6038f2a77d0a75dc93b3fe1ce0daae9cf

  • memory/2020-39-0x0000000000220000-0x000000000024A000-memory.dmp

    Filesize

    168KB

  • memory/2020-36-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2020-26-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2020-31-0x0000000000220000-0x000000000024A000-memory.dmp

    Filesize

    168KB

  • memory/2452-40-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2492-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2492-4-0x0000000000220000-0x000000000024A000-memory.dmp

    Filesize

    168KB

  • memory/2492-10-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2524-22-0x0000000000290000-0x00000000002BA000-memory.dmp

    Filesize

    168KB

  • memory/2524-23-0x0000000000290000-0x00000000002BA000-memory.dmp

    Filesize

    168KB

  • memory/2524-24-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2524-12-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB