Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/01/2025, 06:55

General

  • Target

    61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe

  • Size

    96KB

  • MD5

    95a659337ba9854552afc655c14415c0

  • SHA1

    d1698c372887ff93d1bdb37cdb9437b86559e961

  • SHA256

    61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0

  • SHA512

    ef08e6157d7e84571f7accafa96b64fc8e144b72bac4a4c968be875a555470ff74347510b723bf9279b3b7f2867189f3ddddccd5ec500f34ebbe086fe5b9f999

  • SSDEEP

    1536:fnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:fGs8cd8eXlYairZYqMddH13z

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
      C:\Users\Admin\AppData\Local\Temp\61dd378d367e57da5b8c45ff9c83ee4f0305dd9d4244a649c598457260e211f0N.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2516
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:772
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1452
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1392
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2196

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    c8d08fd0969ae3efa590c45cd4fa1284

    SHA1

    a4df5ff9c1525d224fc8c958872df8edabb56c69

    SHA256

    aa7fe942285d6c9c7c5b89abea90a6be7504835a6024272729117ed63e919421

    SHA512

    08589c178eade936993f6ecd047b189a24164544c111446aef73e1d2b3113d4590058b28b992da875929d6cb7eb00162f6970ac964d6f9a5c8b8213e0d378888

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    8fece7320881d0330e4b90257078f72a

    SHA1

    c4ac69e34a51af8134ed7d937797d643defd021f

    SHA256

    004f6cc34509832f8f2bb68b9bf4efb9a8db54fb9d1413363c33f0d4ffb3d011

    SHA512

    55c303dd7bd01ef93835c155a5e5418cc69e001e8d3bb9206dde559b06784af4709508040dba887ef5dbe888d8960048a75d7ced558e373e527c60a8f4e55191

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    31aa2b31c51d1cadb6d59b630f0d5e8b

    SHA1

    3ea39123811727a63dc90991b6e02b646aa1cc80

    SHA256

    52623e3e841b4d145cc10c7496fc5eca0ae393b3e01775d3563cd43040ff8b9c

    SHA512

    6f213bdf00bb4946fdde8f58cb7505ce8937cae18b0b4946297126ed07705d264daebf7b60ce1b31027b7fbed1fc1ce451688574e95cb06a86aa5e741731cd0a

  • memory/772-66-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/772-57-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1392-87-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1452-71-0x00000000003D0000-0x00000000003F3000-memory.dmp

    Filesize

    140KB

  • memory/2196-89-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2516-54-0x0000000001F60000-0x0000000001F83000-memory.dmp

    Filesize

    140KB

  • memory/2516-47-0x0000000001F60000-0x0000000001F83000-memory.dmp

    Filesize

    140KB

  • memory/2516-34-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2516-37-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2516-40-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2516-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2516-56-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2716-31-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2716-21-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3040-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3040-8-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3064-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3064-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/3064-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3064-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3064-19-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB