Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/01/2025, 16:55

General

  • Target

    a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe

  • Size

    88KB

  • MD5

    3f55b3190b0c45b83dc48b7112da87cc

  • SHA1

    17708d2217db6973e7e54c2bc2d578b47090b8f6

  • SHA256

    a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18

  • SHA512

    e7823ed80f3654102b6e6ab904fa9636696083ad76fb4e28cfdb667113a3d94aa36de9b685704323a1f66b8f00b8d361fc1beca411545f90c971a34c76c202ef

  • SSDEEP

    1536:nd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5T:PdseIOMEZEyFjEOFqTiQm5l/5T

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe
    "C:\Users\Admin\AppData\Local\Temp\a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4560
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4344
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:628
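
The process tree above shows a drop-and-relaunch chain: the submitted sample in %TEMP% writes omsecor.exe to %APPDATA%, that copy writes another omsecor.exe into the system directory and launches it, and the system-directory copy launches the %APPDATA% copy again. Note the third process: its image is C:\Windows\SysWOW64\omsecor.exe while its command line says C:\Windows\System32\omsecor.exe, which is WOW64 file-system redirection for a 32-bit process on x64; a path match that keys on the literal System32 string would miss it. The following is an added example, not code from Triage or from the sample, that turns the report's indicators into offline checks: it normalizes System32/SysWOW64 and per-user paths to tokens, flags any process whose lineage runs the same executable name from both %APPDATA% and the system directory, and matches the SHA-256 values and C2 hosts listed in this report. The event schema (pid, ppid, image) and the telemetry records at the bottom are constructed for the example and are assumptions, not data from the page.

```python
"""Hypothetical IoC checks derived from the Triage report above (added
example, not Triage's or the sample's code). Sample telemetry is constructed."""
import re

# Indicators copied from the report: C2 hosts and SHA-256 of the submitted
# sample plus the three dropped copies of omsecor.exe.
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
SHA256_IOCS = {
    "a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18",
    "32fd5607450549cbdba8e4c27267b141da10a5fe06a281d0bc381192a5d36883",
    "48aa8c40c858e4a464d909f796582a56f1a857344be32286ef07a2540cb705bb",
    "0c7995e72074008e8c293bbbf577d4935149fbbc7d2486662817151f15777561",
}
APPDATA = "%appdata%"
SYSTEMDIR = "%systemdir%"


def normalize_path(path: str) -> str:
    """Lower-case the path, map both System32 and SysWOW64 to one token
    (WOW64 redirection means a 32-bit process asking for System32 lands in
    SysWOW64, as in the report's third process), and replace per-user
    prefixes with %appdata% / %temp%."""
    p = path.replace("/", "\\").lower()
    for prefix in ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"):
        if p.startswith(prefix):
            p = SYSTEMDIR + "\\" + p[len(prefix):]
            break
    m = re.match(r"c:\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\(.*)", p)
    if m:
        token = APPDATA if m.group(1) == "roaming" else "%temp%"
        p = token + "\\" + m.group(2)
    return p


def process_lineage(events, pid):
    """Walk pid -> ppid through {pid, ppid, image} records (assumed schema);
    returns the records child-first and stops on unknown or cyclic ppids."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def flag_self_copy_chains(events):
    """Flag processes whose lineage runs the same executable name from both
    %appdata% and the system directory. Returns {pid: [images, child first]}."""
    hits = {}
    for e in events:
        lineage = [normalize_path(x["image"]) for x in process_lineage(events, e["pid"])]
        dirs_by_name = {}
        for p in lineage:
            d, _, name = p.rpartition("\\")
            dirs_by_name.setdefault(name, set()).add(d)
        if any({APPDATA, SYSTEMDIR} <= dirs for dirs in dirs_by_name.values()):
            hits[e["pid"]] = lineage
    return hits


def match_hashes(file_records):
    """file_records: iterable of (path, sha256 hex). Returns paths that match."""
    return [path for path, digest in file_records if digest.lower() in SHA256_IOCS]


def match_c2(log_lines):
    """Return (host, line) pairs for lines naming a C2 host or a subdomain of
    it; the look-behind keeps 'notlousta.net' from matching 'lousta.net'."""
    hits = []
    for line in log_lines:
        for host in sorted(C2_HOSTS):
            if re.search(r"(?<![\w-])" + re.escape(host) + r"(?![\w-])", line, re.I):
                hits.append((host, line))
    return hits


# Constructed telemetry modelled on the process tree and file list above.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 800, "image": "C:\\Windows\\explorer.exe"},
    {"pid": 4560, "ppid": 1200, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\a869b932a309809104b953c6d85343c402d6c6febe2e063514a1f0feb8ea5f18.exe"},
    {"pid": 956, "ppid": 4560, "image": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"},
    {"pid": 4344, "ppid": 956, "image": "C:\\Windows\\System32\\omsecor.exe"},
    {"pid": 628, "ppid": 4344, "image": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"},
    {"pid": 5000, "ppid": 1200, "image": "C:\\Windows\\System32\\notepad.exe"},
]
SAMPLE_FILES = [
    ("C:\\Windows\\SysWOW64\\omsecor.exe", "0C7995E72074008E8C293BBBF577D4935149FBBC7D2486662817151F15777561"),
    ("C:\\Windows\\SysWOW64\\notepad.exe", "0" * 64),
]
SAMPLE_LOG = [
    "2025-01-22T16:56:01Z dns query A lousta.net from 10.0.0.5",
    "2025-01-22T16:56:02Z http GET http://ow5dirasuek.com/ ua=Mozilla/4.0",
    "2025-01-22T16:56:03Z dns query A notlousta.net from 10.0.0.5",
]

if __name__ == "__main__":
    print(flag_self_copy_chains(SAMPLE_EVENTS))
    print(match_hashes(SAMPLE_FILES))
    print(match_c2(SAMPLE_LOG))
```

On the constructed events the lineage check flags PIDs 4344 and 628 (the system-directory copy and the second %APPDATA% copy) and leaves 956 alone, since its ancestry contains only the %APPDATA% and %TEMP% copies; the hash check matches only the entry whose digest appears in the report, and the C2 check matches the first two log lines but not the look-alike host. Folding System32 and SysWOW64 into one token is a deliberate trade: it loses the bitness signal but keeps the rule from breaking when a 32-bit dropper targets System32 and lands in SysWOW64.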

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    9143eb3b9573b4d4d62eeab4964e1b81

    SHA1

    cfb092f9109c3e122c6942b0dcd176ee99605c1d

    SHA256

    32fd5607450549cbdba8e4c27267b141da10a5fe06a281d0bc381192a5d36883

    SHA512

    c9a1615cce31341875eae3a3a51f8009ce5ea8316ea19a07c83a5ccbe1813f43a624c7e7106ce862a80ad7ec6a6fbb7b708a209f1487355e0b4344b12157ef9b

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    13e5c3ebad2622eee988942d10cdf3fe

    SHA1

    ba35c3ad4eb5c11d1d583ea5bcdf968557e121f7

    SHA256

    48aa8c40c858e4a464d909f796582a56f1a857344be32286ef07a2540cb705bb

    SHA512

    0375b1781b9ea645d4aab94d9b302f5574b60f3a203750d1b725b34c9ccec50ac06f9d87bfaa51b4945e1b8d2bb30ea868d7d96ae3ba6a38300918176476c879

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    88KB

    MD5

    cca0bf80422261b5afabf0a5c9bebcde

    SHA1

    d53974845f8e468b57e9823d5b3b404975ce4a5d

    SHA256

    0c7995e72074008e8c293bbbf577d4935149fbbc7d2486662817151f15777561

    SHA512

    4ef4a515c1461de86b640b185405c583564e61bc300c18d635d4b181ce87865d00348cf7f869d543cc84e83174235211270f35b1c6ef141363c5d22884fb714e