Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    114s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/01/2025, 15:35

General

  • Target

    4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2dbN.exe

  • Size

    65KB

  • MD5

    5a23b0173a338fbb8069cfe77346e970

  • SHA1

    7c339674d04175cbf58af4d5399311db4f4b6fd7

  • SHA256

    4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2db

  • SHA512

    828040bc301948c8164082f75f69240bcdb2ec50ea2af95d22ae189c935e7b1b34a0c21d3d0405dda2c96ad4b56333b2c75b3a90a9ee4ddde0f2918f80808c27

  • SSDEEP

    1536:nd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzg:PdseIO+EZEyFjEOFqTiQmRHzg

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2dbN.exe
    "C:\Users\Admin\AppData\Local\Temp\4560e75e744285616a87a122a107ebe30b04f96ac3a8f98bc3001f22b791f2dbN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    65KB

    MD5

    e30fc56ea97508fbe4312a8549ab6b73

    SHA1

    c1688892aaee4df32d3db50a0796323ae355bd34

    SHA256

    0733abd1154328bb9bb6e073120f8bef72188e70ad771312b553184aeb4e12f9

    SHA512

    62200212e3f641808d6b9a42756d5215c5fd4536b6eefdef28ef682c36739c00bf9a96933574b599dac64866e81e97a0d690ac9ec912f9c9df397f270aec6441

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    65KB

    MD5

    4a55bd843fec67972d4abf5a99cd1a7e

    SHA1

    42827a7f7990122f6516d927a9b7a23aa844ec3a

    SHA256

    7972192afd86ffb1920e70caf86e3025a2d0bfdee0285e253c932a5a9f42b1b2

    SHA512

    b0c027c8a06e3b7cee94be70af2428f21a23de6b42e413d89be4306e6cdc8a90aebdc68283aa58c3bac024799cd26c3739522135fbfb12966d8a462720ecfdb1

  • memory/2708-4-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2708-7-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2708-13-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3760-11-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3760-14-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/5036-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/5036-6-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB