Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    115s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/01/2025, 11:39 UTC

General

  • Target

    3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe

  • Size

    96KB

  • MD5

    a81d20fbc59985a3b7db87bbfaee5fe0

  • SHA1

    8b7cbd78491f5dbc93c912a7464a9d3baff85ba6

  • SHA256

    3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3

  • SHA512

    035f5e0ef094134c32f47754d3692f36ea88f9ff54c77cdd17c4bef0281b000edf3b5c3d949e00ccb3d0e26b8566114a87ab4590cb8edc6d5a48a301f1f64128

  • SSDEEP

    1536:GnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:GGs8cd8eXlYairZYqMddH13b

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
    "C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
      C:\Users\Admin\AppData\Local\Temp\3faa574172a19eba7bdc738abb42ec4a8b35cdc107394872e3026ab366dfc0c3N.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2064
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2016
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1448
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1744

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    15.197.204.56
    mkkuei4kdsz.com
    IN A
    3.33.243.145
  • flag-us
    GET
    http://mkkuei4kdsz.com/169/699.html
    omsecor.exe
    Remote address:
    15.197.204.56:80
    Request
    GET /169/699.html HTTP/1.1
    From: 133820195981642000
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<1/0,\j`w<]671d7a65-be,/e053-14aa4-2b^7a.6
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Wed, 22 Jan 2025 11:41:03 GMT
    content-length: 114
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/154/466.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /154/466.html HTTP/1.1
    From: 133820195981642000
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<1/0,\j`w<]671d7a65-be,/e053-14aa4-2b^7a.6
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 22 Jan 2025 11:41:13 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=faa0d69dce9f0ad21839b5d827ef9888|181.215.176.83|1737546073|1737546073|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 15.197.204.56:80
    http://mkkuei4kdsz.com/169/699.html
    http
    omsecor.exe
    473 B
    644 B
    6
    5

    HTTP Request

    GET http://mkkuei4kdsz.com/169/699.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/154/466.html
    http
    omsecor.exe
    421 B
    623 B
    5
    5

    HTTP Request

    GET http://ow5dirasuek.com/154/466.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    104 B
    2
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    15.197.204.56
    3.33.243.145

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    41727eb08ad5cbef79d109b0b24dbd3b

    SHA1

    125a88131440768053ab0bd76a2b0808897c2744

    SHA256

    b37c2272f536f2a8f57eb7414e91407a4b3c10faa6a029ba0d7fee5281990265

    SHA512

    8d26d4038dc05390af1f2704a1bac0e927af444b949f2c72c1a09a87a318a1ceb5511c96d9d553dc536835c58f2ede4f28b4d3412251e64ec1e047d5b147e1e5

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    4e9e560ba2df60a8d7fd9221f0d7cd31

    SHA1

    45d7df9af9f7614d8498a383f9e3aa5e97003121

    SHA256

    46d86820e33db1433ca173c5f6f5de2848431d691ceab999aa19fd347f6d7a12

    SHA512

    9b25fdf4af733f35b871feb712b60f2550ec3c91674961ba46b3b70de59e836e6e8f48ca6c92037b20f837921392e8e253b63d9d74ab5700f0d34c60c3d32718

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    ef25274211f3af02b3c950976a45ba21

    SHA1

    5ece2b15dc3136c6c6071040d6a17c43eda1be05

    SHA256

    1b4b34834fd5bfcf9329e07c0163e50ca22ca174d0fb1001c2d9431ce0e67268

    SHA512

    26a1ee6ab8af7b12e6cc90f76763035bcd4cb2fa87823787acff584f87b0a76f15fd98606f47848f902f8b9ba32cebc74c2f9a47c20e444cf2e8687fd8f474e5

  • memory/1448-88-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1448-79-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1744-89-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2064-67-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2064-57-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2448-21-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2448-29-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2448-32-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2660-7-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2660-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2948-38-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2948-44-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2948-41-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2948-47-0x0000000000310000-0x0000000000333000-memory.dmp

    Filesize

    140KB

  • memory/2948-55-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2948-35-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3008-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3008-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/3008-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3008-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3008-11-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.