Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/01/2025, 03:44

General

  • Target

    7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe

  • Size

    80KB

  • MD5

    7f92312b3e3885e89af5a29c29a87131

  • SHA1

    390526f25d1c74e41b0b0282587764e6d08fc42c

  • SHA256

    7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d

  • SHA512

    620bcc7e564df898a5f605d31bd71db1c13c3d07a1f4bf5fe3a1b440cdea1b5e6d5b823535f9a474cc801b2d63cfdcf2709a6893615f522f2d0c2033266f6ec7

  • SSDEEP

    768:pfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAa:pfbIvYvZEyFKF6N4yS+AQmZTl/5C

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe
    "C:\Users\Admin\AppData\Local\Temp\7aa802d8f6df7e6bf7786078518e348207d67ff90d6d231a7308e9362b2fdd5d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    a61d57529b995b6e1b8597b59733022d

    SHA1

    5322722eba9ba32f43ec78a2eb95016ac11534d7

    SHA256

    0123955cb9dfbb37b1abfcc46384b249d3b077e113b8a070b6d5f7dd06c36c60

    SHA512

    408d8d4367d9b16b72dccfda64fda3f582b4cd80874c4960396deb9bc2ea16cccdd8b7fb3a78f9f700d7f0723f297ea302dc1aa4c0360bb95070d4f4839cf3d3

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    73ae1ddce355be863336ed8a4fbc78f3

    SHA1

    910a0b873aae9e5ad3f47c996d07664867d6b08b

    SHA256

    91471622e46e2917f49067094701c8a1417b28b1babebac6ee515bd5c554f019

    SHA512

    aae87cce958a553ee32f667cd2a7b7b5ea05bb46939212db8e90cfc81b251f329aba4124c2d7ebecae95b62741f3fc3704bc3835596436e2709a91eee4d8ad85