Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28/01/2025, 04:51

General

  • Target

    eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe

  • Size

    88KB

  • MD5

    ba22eee6c9fb329301817a2ecc56e943

  • SHA1

    bdd2a764fcbf8c16671c4997be14c013fb30f5be

  • SHA256

    eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827

  • SHA512

    73e46feb3babfae0ff107fe83f23ee9dfc013e74327df61f20c596f820d6568013343c4db07ffa77716d79102e6420af1756a172c8938f3caedd6e7b0975634a

  • SSDEEP

    1536:ud9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5Z:2dseIOMEZEyFjEOFqTiQm5l/5Z

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe
    "C:\Users\Admin\AppData\Local\Temp\eee2a6a681d331529e8ace75d539138207d220ba82dc4bb89d07cc792af66827.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:984
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    daf5883ff36c6070c70c2325e4979aef

    SHA1

    1c52885a8a0ac5e145f50a9c934f97a69e981c52

    SHA256

    05f91406cb47d7d77198e598b71b254a074c79d20dfd2184efa566eb4116a272

    SHA512

    6ffbc858b36ff5b65b6defb55d7677ad1b9355a0e6f6599c4d7aec6da665631aa272c7f31b6c1402efd8d4d3b212e53fae9392127bec6db5b24112aed1824a0e

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    8f5453a775864fa7714ca82526218077

    SHA1

    01f609b318c40083bc700d54f3298b6dd9996771

    SHA256

    de627601e0045a39e1455f7f8888875c1b15d2ec210aec7605b0fc35a26b4933

    SHA512

    2be67f7132f928f86444e05b14d15072a6ecd6761b3ff538836d51a8178b683edd14c0a9b1257254927ac0f3c3d80c0547ad071689f289c57af8ab1992492c7d

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    88KB

    MD5

    30b451959777e513d94e32450b5deb33

    SHA1

    86f1b0293a5fdbdb2fddee5ec94a90c63292cf95

    SHA256

    b345909d70df443fda0627667e5ac91049069b3b58cde89f846d3fc406ab02ac

    SHA512

    8310df3b510968fb46112332d4984a02f9f9fc1e0d7b8a3e0c3135c494a7020e43b09c2ab2e9c3f4a314ed385532798c0cfba98bc1b334fa49f70c30215a1e22