Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/01/2025, 15:46

General

  • Target

    52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe

  • Size

    61KB

  • MD5

    35ee24e737e63d87c27fa95ee96c7360

  • SHA1

    aa84de4d09780c3df094825a5e0644398a1b8bd9

  • SHA256

    52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02

  • SHA512

    06563c4edcbf12afb6c8b0ec179fdefc16196be9f8f36d48c5ea6f7b9b95a84ba9597095b3e740ace153f9460edfda004c697700e89bbe90dc72e0aa471c7d95

  • SSDEEP

    1536:bd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ1l/5:rdseIOMEZEyFjEOFqTiQmXl/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe
    "C:\Users\Admin\AppData\Local\Temp\52ee358f4b6e0c872d5a4fe0c353ea32d602ede3d166ce370ad411e5b1185e02N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    577f059c6c48fc39a92e302ef3b7349b

    SHA1

    f0674c888ec23370f1db3081da5ce7cb54b6ba24

    SHA256

    2901f24c3a56f741b47f4d5c9f93345f427bf0998f5c6c3e1d0bca2e19f39a63

    SHA512

    062ac56d31a62051d3dacb592a716cc0a38ed403e7bf00d54eae412d5648e9f35f3bc0a297d5167d8b383e325b2ad364cbc2ec9bf7361f58d151963a7d048651

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    7a384af94f1dbc30d2c6b92fcf031258

    SHA1

    618c56e9cf25e9464f481c65a99413a6dfe6337e

    SHA256

    7f5e19864ff54b3bf78cbd21f7f4b99b12dcbb20c97de62e8b33b58db2b0d018

    SHA512

    382b020feb2600efed147f054a616596fd310305d8c11ab5cc72b23761c2a857d63ebcf5db975866f01d0abcc206b56ef46b0534f524498abae7e504524c1ee9

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    61KB

    MD5

    10a6c054af226531930ba793a0897ff4

    SHA1

    ed8002d66b8eee9771b01e533018290963823369

    SHA256

    dfb7a7d67d4d829fd481ca844a491b44a326134a02a52a50fbfc20e87fe7205e

    SHA512

    2934c2cf32e7fd54733c05c769ec5252197331133e965ad2c84a7b05c508b4ad8ef6b97733e93b0100c44ae41559db35b788027c3f7376808e905118f17e8b33