Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28/01/2025, 16:20

General

  • Target

    7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe

  • Size

    96KB

  • MD5

    5ec2d98eed16ff460b007d4e1906b847

  • SHA1

    083ea682b0221622e57184ba39a8a15477a426fd

  • SHA256

    7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345

  • SHA512

    65d570166147941bfb8a52c4f09c2502bb070b083b92d9177b7f1a5906da2a28197bdc31cc4bf7f9326ce68fd52e59c318191610829d0c29e610faeb3249a793

  • SSDEEP

    1536:anAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxz:aGs8cd8eXlYairZYqMddH13z

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
    "C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
      C:\Users\Admin\AppData\Local\Temp\7c9813ba830d9f01d25baa6467f98c3e98efd009acbcc983605d471970259345.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1848
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2900
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1952
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    23d1cf278ac56ac9435ba38ab08205bf

    SHA1

    88821ebd6beff95e06b8cdda9769a226792e12e7

    SHA256

    f8ae97a2442f7a0d7c37b633de740a13ec45c0b06390080e85f34312e5377f28

    SHA512

    458e47b01a62750aa97b1d163077695bd0b493f9674ebb2a3105b5c6b592f86fb80d0889e6b1402be57326fb084119b16ff66cc3bd1cb825a894ce4723d904ad

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    6bbca8024a5e0a6bd7ad4c93ee5e492a

    SHA1

    d453deacd8079ad39f9c0890d6b51504db732803

    SHA256

    6a7f2abda56a3d4342f4418a13ae9aa4d83e61f1b14194b407cc09d734635f1a

    SHA512

    2f7964d6e3da7070bbb1a71e0278e9ca30de62e75e63a6a80ee633cc1ac32f729aeec010bff5ad8796f4e46a8ba2916b77bdadb4b60952a4627fd2bc1b0f3bdf

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    ed0ee97a0b8d3e5961cab4f3e30be2cf

    SHA1

    98481edff0c0cc02f11ade21621732bc61202b5a

    SHA256

    5a8c8f2a90b0b1b30e516562d0118caaea4c5c80a26c990f091d1418b4e7afad

    SHA512

    6694136e046b07ce81f0d7798f059bcfc3d42c9db45a8c44ae48cfc09722f780f21afa22d44b8d7460286fa96eba6865201894726b9dfdebc6545600b4f2c5d9

  • memory/1848-66-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1848-57-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1952-87-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1952-79-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2024-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2024-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2024-11-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2024-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2024-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2636-40-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2636-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2636-53-0x0000000000310000-0x0000000000333000-memory.dmp

    Filesize

    140KB

  • memory/2636-37-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2636-55-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2636-52-0x0000000000310000-0x0000000000333000-memory.dmp

    Filesize

    140KB

  • memory/2636-34-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2776-31-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2776-21-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2952-89-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2952-92-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3068-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3068-7-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB