Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/02/2025, 13:46

General

  • Target

    0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe

  • Size

    96KB

  • MD5

    7445cb0dd8dc1d4cabd9881969898b10

  • SHA1

    b20ce716443b39f6bad665db6578fe6d9cb371be

  • SHA256

    0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9

  • SHA512

    61383698992e232ab3d95402a14b4b3c32de2ceec71a6863d04a064e05c59994a9783373ffb138154f12caded8809cc8ab372eb8c961c83e2d6649fc64744b95

  • SSDEEP

    1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxp:zGs8cd8eXlYairZYqMddH13p

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
    "C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
      C:\Users\Admin\AppData\Local\Temp\0c8937e350b88e1c01ffe7c83037fe7522996cee4e67dbea0c575ea099c96ce9.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2568
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1892
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2116
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    3ecf227d50109f374225f909f705e9bc

    SHA1

    458cccab2e5ff2bfca3b98b64cf61f3ebb90a8c4

    SHA256

    7de87bc37afdf859278a2bad190a905cdbb3858787788971ecbb8ccfcd82fb15

    SHA512

    8ab66b6372f653cb4e03e2c4927719f99707bac4882a7f5918a82b247e523cc313835b1b618faa440b9be69d002a020ef39a3f4d84a542df22cb563e256ac186

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    99f474e43273188ec3b23caf0e28bd18

    SHA1

    cac5d93c4a84b3b5fe04018e3c3cdb58837f7f0b

    SHA256

    f5f6a9775d90cfae9354b95963fd2542c27d9faa21a66ec6c0f77f8e8b5c6567

    SHA512

    f1dae6d45ca451364456b3575a1ef72b854281fdf9e6bece0e5ad2106f2fe53b220f3cb8d59dced42adffe14c24e90d70e5d8ca2f9f6f7270035629ae96f1ff7

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    894772991d94681aebb2e934d8eebde4

    SHA1

    8c7e7dcfe7dc9e82673fbabb53fa79f259d592af

    SHA256

    ed76c078720d812542836f5d811baf171ebcaf6d4faf4bc8e702dbdd58fb293c

    SHA512

    bb2573867efec1358c7ce43a37c363691b6f0e4ff74f2d3dc28444f637f0dbe01dda9f43ed3ed3fc5a6d9cfdaa0fb7a2b2b36b6996f90f4aada28b6ad64523d7

  • memory/352-91-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/656-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/656-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/656-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/656-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/656-20-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/656-22-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1284-7-0x00000000003D0000-0x00000000003F3000-memory.dmp

    Filesize

    140KB

  • memory/1284-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1284-8-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1892-73-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2116-89-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2116-81-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2568-58-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2568-66-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2756-36-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2756-54-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2756-55-0x0000000000290000-0x00000000002B3000-memory.dmp

    Filesize

    140KB

  • memory/2756-48-0x0000000000290000-0x00000000002B3000-memory.dmp

    Filesize

    140KB

  • memory/2756-45-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2756-42-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2756-39-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2924-32-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2924-23-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB