Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/01/2025, 19:11 UTC

General

  • Target

    196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe

  • Size

    96KB

  • MD5

    a8c0fcc2af31901e2a529fc64ae8cc81

  • SHA1

    29b1dc02e111ef01c0963f650d9436cd0f0d4278

  • SHA256

    196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432

  • SHA512

    ac1486b5db71b9a3f56ee88e6321f595649691adc9c62908ba870f96a3fac47306685216696a31b422f8cf1e0e60d36dbff764ce5ab0a93dfaf4f0f7f0894c51

  • SSDEEP

    1536:GnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxb:GGs8cd8eXlYairZYqMddH13b

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
    "C:\Users\Admin\AppData\Local\Temp\196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
      C:\Users\Admin\AppData\Local\Temp\196f443fd6abeb561100985d1c5e4be4066beb0344ac8ce4cfaefae881c77432.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2532
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1740
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:324
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:316
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2936

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    15.197.204.56
    mkkuei4kdsz.com
    IN A
    3.33.243.145
  • flag-us
    GET
    http://mkkuei4kdsz.com/467/893.html
    omsecor.exe
    Remote address:
    15.197.204.56:80
    Request
    GET /467/893.html HTTP/1.1
    From: 133820466853892000
    Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7562bpf}B66i95=:<77e=4h<2:k9gke66be=e;95<
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Wed, 22 Jan 2025 19:12:29 GMT
    content-length: 114
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/168/294.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /168/294.html HTTP/1.1
    From: 133820466853892000
    Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7562bpf}B66i95=:<77e=4h<2:k9gke66be=e;95<
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 22 Jan 2025 19:12:39 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=a68418b108587c1ffdab4def053b707b|181.215.176.83|1737573159|1737573159|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 15.197.204.56:80
    http://mkkuei4kdsz.com/467/893.html
    http
    omsecor.exe
    467 B
    348 B
    6
    3

    HTTP Request

    GET http://mkkuei4kdsz.com/467/893.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/168/294.html
    http
    omsecor.exe
    421 B
    631 B
    5
    5

    HTTP Request

    GET http://ow5dirasuek.com/168/294.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    104 B
    2
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    15.197.204.56
    3.33.243.145

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    d24fed6ff9bfbd7d0b611ac52adc7b6f

    SHA1

    932e740998865fe22134d8846bda99b443c3fc33

    SHA256

    7f4023f0a5f913fc2f430a4c1d87feda6c2b497c9038a574a9df8140b9a7fd3c

    SHA512

    c534578ce285bea415e9ab48ccc14d711d4075b5b1d117cb637e51b846c8c24f8469a4e9ce342a98af74bc2c8f643be038f40aa436a9465f6597b8184128b3b3

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    e30d0709f86b362a0f8e101dabc1d013

    SHA1

    392a09e1fbb8a2f91590bb28dea579e6c46178c8

    SHA256

    594851e7c4d45846c291e501f2f2d1d6d5f0bffe42104fb8aa6483a187277163

    SHA512

    aa532424702b6420cde10073b5053bc0738cfd13fa4e89f64827843e0af146d8260a59e50267ea872b58a4070a236e5686fadef0d021b5162996dacc6f73d427

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    0d7c99ceb8b875a581c5a7faab8cdea8

    SHA1

    0428878cd48c6e58866d386a057d24e40140bfee

    SHA256

    759931bdeb72bc5278f72465aa828991b9af7893a4a0f4cc8c26841e53522620

    SHA512

    dcd4ca54ad3f138cfff590e08bada1302f7ee755c3014a8222ba331475bb1c510d80d662242596e468ba9497c06e2e76376e9791f1fe936dffab9fe1f1c13e61

  • memory/316-80-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/316-88-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/324-72-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/324-79-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/324-90-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/1740-65-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2100-7-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2100-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2144-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2144-19-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2144-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2144-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2144-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2348-21-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2348-33-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2348-24-0x00000000001C0000-0x00000000001E3000-memory.dmp

    Filesize

    140KB

  • memory/2532-55-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2532-47-0x0000000000380000-0x00000000003A3000-memory.dmp

    Filesize

    140KB

  • memory/2532-44-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2532-41-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2532-38-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2532-35-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2936-91-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB
