Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/01/2025, 02:37

General

  • Target
    f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
  • Size
    80KB
  • MD5
    ad4435bb25f4a761455cf19cbf6b59cb
  • SHA1
    249e6d126522149a5b5d6c2fa1c788fed38943e0
  • SHA256
    f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a
  • SHA512
    d9f9229dcbf3bc5149028280a0c764538225bb9e83a3f52402def65293b2d2802b6eb8b859fe2487113b03662d323455a52f74bff50040ff59c382ccaa5dff0b
  • SSDEEP
    1536:wd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzp:wdseIOMEZEyFjEOFqTiQmOl/5xPvw1

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE (3 IoCs)
  • Drops file in System32 directory (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe
    "C:\Users\Admin\AppData\Local\Temp\f55fb86596d19f910733201602a18331b962ede7ef1a7ff118ee487c4c15b72a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4432
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3232
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3160

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize
    80KB
    MD5
    baccce52005058c533d8afacbafcaaab
    SHA1
    db4caf5c60ea844842ff6be68723d9e8f390969f
    SHA256
    3dab5e36682bf7ed8876080b20f9232b43efcf0051b4612a93c7bd43a804a9c5
    SHA512
    5f49f56e829b760bdef7d3bdf25fae7f2ed1684cc273cec872a377668e928e47006608321812170ea3e9b2aa6f5484be5d17c4fb48685a3c1166fd2a69942c60

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize
    80KB
    MD5
    35e41059f24b43b24796a6bbee1700c8
    SHA1
    ca179cb5f7eacc1352be79b5f85abdba1651052f
    SHA256
    09931456a13261ba5211a89c8c418dc2a705037219d5e7dbbf9f476fe96ef9f2
    SHA512
    92159a744ea8f97dce8a221a6ed489d0896c4aa5cf4a282a4f492de7c935ad2d192efc0de3c959468f08da937559716d7509c95736b733c1926a2401baffed88

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize
    80KB
    MD5
    d0524761d07b233b488e03798895a4a6
    SHA1
    9473b1ee5b2e4fc699c3359841410fa3ea187b53
    SHA256
    a923c5365830231cade0a6d854e41f3431c15fb63ea8a4edc7df98b78a967cd6
    SHA512
    e6cb773e4d0dc553239920a6fadf37e34ef15f964fd5e5c95f0097cf0534b83ebe5d2be1e9de43933d7c7a076c6834b250c875442dd6845c6c00538596c829cf