Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/01/2025, 10:58

General

  • Target

    a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe

  • Size

    96KB

  • MD5

    3741f3d1409a19365929b6bd1dee01d6

  • SHA1

    da584cee4bebddcd5f48bb30c883c8950b5e160d

  • SHA256

    a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7

  • SHA512

    37a764e84764ebf79138ea4cfa70d72ffd351d4ba3b8d23c97510452b7712bb15c7dda8f6189e69e19c8ae1bc06aa4f42eb299213a6d9b110ce75607d453e9e5

  • SSDEEP

    1536:xnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxJ:xGs8cd8eXlYairZYqMddH13J

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
    "C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
      C:\Users\Admin\AppData\Local\Temp\a2e2a7bf237176b590ae010057a1db34f0019763c675b66c950f8f98dfa5d8e7.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2000
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1808
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1192
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1120
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2956

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    3f8bba03c981efd8f5a58855bd9b29df

    SHA1

    25a428aa709764c7316888d8fa6b71dcf693ad5a

    SHA256

    d4d60eb1ed15d9f84b6926080379abeeb07027c7ab66c8e86e232c4963adb3ee

    SHA512

    3b79053e7be7af9ceec97f6affe4f469450c284106ee0c8fd4034eaa5ca2b51a323e4a3542c46f63dbd1d29973243c0c775708027781b6832b52fd9e258250fb

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    b68e12b881253c73dd7ebf5add9f9ae1

    SHA1

    25d90681c112e715b65b033fb85831f7d80bf763

    SHA256

    6f0fa6f57d86e7fc8d81c039193fd075b2fa11a4f21c0eda3a988a9f7c43478b

    SHA512

    64658419ec4463efb856e78dc240691827ff653fab72ceea1f9a164cc48202388088494887763b8e74de5d724b66f93e259e33f6768493e48da3113e1ca456da

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    418937c384703d47ba12a8188337ad43

    SHA1

    d73f09c727e2808cfc60b58b059d0b6958fef759

    SHA256

    7ae33e8ee9dc4dd8942f30e518ca7a09e60fcc5169a8a9f56f9674a341ad871d

    SHA512

    3caf8f38fd74df9fbe0ca76701d2d4a7ba6586e3c8a04faab4580df249a38d8dad426392f3b74e7b7936677b5b380d0e6014ae7e851d977c60dcf1567cf116a8

  • memory/1120-87-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1120-79-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1192-70-0x00000000001C0000-0x00000000001E3000-memory.dmp

    Filesize

    140KB

  • memory/1808-64-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1944-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1944-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1944-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1944-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1944-19-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2000-34-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2000-44-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2000-41-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2000-47-0x00000000005C0000-0x00000000005E3000-memory.dmp

    Filesize

    140KB

  • memory/2000-55-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2000-38-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2336-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2336-7-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2920-21-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2920-30-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2956-89-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB