Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    116s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    27/01/2025, 16:49

General

  • Target

    d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe

  • Size

    96KB

  • MD5

    bd7713ed8422c64dff66486d55ce4a50

  • SHA1

    5d94eb3814fcc4b464f025075ccf78aa7789b71f

  • SHA256

    d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34

  • SHA512

    c4482819a5463759c1a79c14147472ce1542eb175d788d394358ea3ee70909dde733f2b0523e240abda86ea339479081d0f4d75eef74a75a89e06876573c9ac5

  • SSDEEP

    1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxJ:4Gs8cd8eXlYairZYqMddH13J

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
    "C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
      C:\Users\Admin\AppData\Local\Temp\d6caa8df97406bcf24055c2b8de28cd651bc6aa9740abb1a2b0c16a654104e34N.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2484
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:972
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2504
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:836
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    3a090f39f732307373380b0a33b6806d

    SHA1

    41606e9188d956b1c3683ac588c3d4a0d4e994ae

    SHA256

    33e6e6c57e92b416ccf86d428c95ab2bc7ef48b36436191e89abe57cb02d425d

    SHA512

    8c4a92947298ad2737a4a926277763ddf4c8b1880ae17ef9fcb87ebc5e7927663352459267fc394bce31459e7871f6e846b8528424927e2ecc81ab14ceb457b3

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    e2685e4a55e061c4ef957a1ea754d226

    SHA1

    7d9ae2c64c6475118056d8e9a779ad1d15b8220f

    SHA256

    8a59b11af8ad2f0523084f0ce4904f3859dfdfb6e4b2f8b6f6fc75fbf51ef7b7

    SHA512

    749d7a3765a460c41f7d9cea5a74664859fc405286f568f7eba89a9bdf13235f99e9b9d47feba2659babc195ca3877b1131830f989fce33cceae13c0cfc0e3f9

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    b9b07e638f19002bf42b1b255c6ab1d7

    SHA1

    91821e14f51f99bdface0489b58dfeb9abbd36fe

    SHA256

    bcef61bbd14147316e514f5f79d25776a7bb07091b67c57eef7bea63bd7cbc88

    SHA512

    11ecf64ccc8e139389324c9909ff2e8e0ec01239f321f1ce3cb0e184309d875e4dd8f473a923ebe15a93e8741f944fde9e0997c657d0b7d8f8cb1728dce1bf6c

  • memory/836-82-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/836-90-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/840-92-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/972-58-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/972-68-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2216-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2216-21-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2216-2-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2216-13-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2216-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2216-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2304-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2304-7-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2484-36-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2484-49-0x00000000004A0000-0x00000000004C3000-memory.dmp

    Filesize

    140KB

  • memory/2484-45-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2484-56-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2484-42-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2484-39-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2504-80-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2504-78-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2988-25-0x0000000000270000-0x0000000000293000-memory.dmp

    Filesize

    140KB

  • memory/2988-34-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2988-22-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB