Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2025, 14:04

General

  • Target

    7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077N.exe

  • Size

    80KB

  • MD5

    142f51eb666fc454a719a3578f06a290

  • SHA1

    94b3b550600648890fb33ebf440c3e806ecb4090

  • SHA256

    7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077

  • SHA512

    ff49f65987b905945529b406dad26b044fd95b2a5f8948a32080f064d1cd531fede8470a2ffd772709e4d14d3b16defd84676c1d90400e27d4b92f34d6753889

  • SSDEEP

    1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzr:bdseIOMEZEyFjEOFqTiQmOl/5xPvwv

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077N.exe
    "C:\Users\Admin\AppData\Local\Temp\7b877951f82fcfb7184c3576224b3bfb53fbb641b9aa6f472b9d162dc7e5d077N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:1144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    8e1163f852d63b0232110e06ad1a21fa

    SHA1

    15adaf52ec6662d08369cf6536dc6e9f0d7f878e

    SHA256

    b2d51585811e81f7e0b51a0c0239d0befce45af1475326052f87731cf94e8f37

    SHA512

    21be974b9610bb36bacc29be7eed22dd1702ec55b1d862aba6b3780b3f9b41949cb0b1b1f559d6289a057238873cdb1ca2a313795527c0d21ee30efe475233ec

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    5f3bcfa87649167476c8e13dda76c3f4

    SHA1

    247ffda0f24a879e720c8a0ec1579a285212387f

    SHA256

    ef4174e266b70dd4231e378c095339ca25cd8c2e4c6932bfb503f08a5528dbd9

    SHA512

    921b491d4b2d632f9436ba527fe2d153d7377cebd368498edd0f49138982c777a866b4e664f47000890544fcf10fa7eab1b8a9d789c32d12d590d779a7021ebf