Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/01/2025, 08:05

General

  • Target

    59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe

  • Size

    96KB

  • MD5

    8b2b21eebd1bb8f8765fff013b065ad0

  • SHA1

    d838fa05cc4652376e0af6ec511417e5be1b68a3

  • SHA256

    59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250

  • SHA512

    d5e7ceac818d5cd23e53e999ce4f6633aaa4bfdb0838a3d59e11d1827fcab1d2d226fcab129a0a09a32c95fb672c08e3b2b843ef711c9ae6e60f3ad627df68dd

  • SSDEEP

    1536:xnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:xGs8cd8eXlYairZYqMddH13L

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
    "C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
      C:\Users\Admin\AppData\Local\Temp\59a8077f411ce233f7c26cf78db2299c8f4049aa30c8d143307c75987442f250N.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2120
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2040
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2196
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    d50b0bea50f7465cc517056daf3246d6

    SHA1

    a7951b8b88b403b49fa2d7f90afd3579a634bbb5

    SHA256

    2ecd9bdc1d1fa15698b152a7d56348423632ba4b0c3b17a7a106081dac5e0abf

    SHA512

    f4e7faa335caeb3b4a8c2281f5fe5c9cdbbb8c8d9b01640fcf87059f09f89e46a005821c61b5b4ce490a8a0ae4307cd01866b90c68974088411d13132db6692f

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    a1630f0e69f1b4b359f65ad94f2f1f04

    SHA1

    24e7033338976a695c0789b342b19ff9ea1c9b07

    SHA256

    54e755616171a813a17afac8348ee09c1961b24803e694949be0ff23e4a0ea0b

    SHA512

    58b1459a89cb4273bb36d02f83350c0d31c91064f5425bf40b29c32dfd031a6bd2f65781e001261bdcbd1da503522ca22ab0e25104f34b429ef007938be85f36

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    db8a72c27a825aea46eeebcdb80c4b32

    SHA1

    fc7609313a90eb1e5a3db4b1b1db048b380f1b5a

    SHA256

    5eda90176feb89c75074f57e0326b81fbadf3eb103127faa318049710f55b78d

    SHA512

    06556cd47fcbdbdae5ee2ed3a555f78d5f3e7823d6947cc22cbd5af775ee9172876d1e187f9a2f73ea5c3b0eb1c838edd76405631b8b4c58b42cddf43137da07

  • memory/2040-75-0x0000000000240000-0x0000000000263000-memory.dmp

    Filesize

    140KB

  • memory/2120-69-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2120-60-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2196-90-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2252-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2252-7-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2252-8-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2332-92-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2692-15-0x0000000000240000-0x0000000000263000-memory.dmp

    Filesize

    140KB

  • memory/2692-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2692-22-0x0000000000240000-0x0000000000263000-memory.dmp

    Filesize

    140KB

  • memory/2692-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2692-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2692-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2692-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2716-34-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2716-24-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2724-59-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2724-50-0x0000000000330000-0x0000000000353000-memory.dmp

    Filesize

    140KB

  • memory/2724-47-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2724-44-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2724-39-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2724-37-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB