Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    115s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/01/2025, 03:28

General

  • Target

    240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe

  • Size

    33KB

  • MD5

    6b4a87610d7192ec35123b4f22ffa960

  • SHA1

    2e82ed58a2647815bf7c347e428bfd39d75f3e82

  • SHA256

    240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70d

  • SHA512

    b7656415066d4bacfbc9c985330130ce7258b33dfb637f4e97c9d557d33ac3905e9bbaa180c92b03f23c00ef6b3a1155b5c2660aa7aee401ccf01db4c221467f

  • SSDEEP

    768:jfVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7DJ:jfVRztyHo8QNHTk0qE5fslvN/956qw

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe
    "C:\Users\Admin\AppData\Local\Temp\240dee6da2e284d7cc1628babe7cc0907f4654168f0bc36f1f3b2268be4ee70dN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    33KB

    MD5

    90c7fd5f1e2ac396dfd57f1d98bf9bf6

    SHA1

    407bf80c51b5e03816cc085739d12dcc58ec1feb

    SHA256

    821ae93fb9c0dfa68fb59e7d28c1bfadf4da3650a14876ff61b8125b781bdda4

    SHA512

    da456fe1fe51ce7c19a429fa0b85de82a364741cf7ddab29f73d8e29c2a6366111254057e4d2e30d58b0e8ebc2e0a92b041e4f3354dd770c3eb87bbd328f6bcf

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    33KB

    MD5

    a6fd68d59f3405fb54d619825b9ccda6

    SHA1

    06b89763bd13a5d4ba8267b487a1541ef2f26eb8

    SHA256

    4babfc0462a134f60b4f57604525af2012515c4c1be6e9dbb4b51a16cd1370d5

    SHA512

    76af982a5f56fc3e293250d8bcb42502d8939487935f8833c1705b251660cf8e0464052f89f163743f74f77c5388890a863b8c0267061aee395488844c151371

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    33KB

    MD5

    449970832ad8c542a6164b53d1a99507

    SHA1

    1dd83980e19a5df76f5e6ec13a256bb8287fcc12

    SHA256

    04d3cd4d851ee9066459066877f2d593e266cbfc59bcf0b09b46cdebb049ac0f

    SHA512

    bcff716e3f9186af62dbd6dae27f75e83c030b517b9894a95d9d08bb5f1898148163cf5dd1538e19db9e19b1244d9c370335a4653eaecb13862cae2cce07b69b

  • memory/1492-40-0x0000000000220000-0x000000000024A000-memory.dmp

    Filesize

    168KB

  • memory/1492-46-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1564-50-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1564-48-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2012-23-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2012-20-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2012-26-0x0000000000370000-0x000000000039A000-memory.dmp

    Filesize

    168KB

  • memory/2012-34-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2012-33-0x0000000000370000-0x000000000039A000-memory.dmp

    Filesize

    168KB

  • memory/2012-17-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2012-14-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2012-12-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3056-1-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3056-10-0x0000000000220000-0x000000000024A000-memory.dmp

    Filesize

    168KB

  • memory/3056-9-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB