Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

Shipment D...pg.exe

windows7_x64

10

Shipment D...pg.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    07/07/2020, 09:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipment Document BL,INV and packing list.jpg.exe

  • Size

    659KB

  • MD5

    fe59b9e260519d6227ff7e239c9d0a04

  • SHA1

    577f9d0d5fd671a83caad0cfe241fbf724d372fc

  • SHA256

    57294ac308436e17b7e99da25f3d0fa1eb0a466572bed8ee736e078d0dc8042f

  • SHA512

    30f90794a594bb0f68f04089f4f367d7251e24c25d073386eb6f2df7d847d558ea859d4404632d069041ac0157952db95f13e064fef5f3a968dd227a341eea59

Score
10/10
ratremcospersistence

Malware Config

Extracted

Family

remcos

C2

hussanm.duckdns.org:7652

Signatures

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Adds Run entry to start application 2 TTPs 4 IoCs
    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetThreadContext
    PID:3632
    • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
      2⤵
      • Adds Run entry to start application
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3836
        • C:\Windows\SysWOW64\PING.EXE
          PING 127.0.0.1 -n 2
          4⤵
          • Runs ping.exe
          PID:3568
        • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
          "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetThreadContext
          PID:3772
          • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            • Adds Run entry to start application
            • Suspicious behavior: GetForegroundWindowSpam
            PID:4056

Network

  • flag-unknown
    DNS
    hussanm.duckdns.org
    Remote address:
    8.8.8.8:53
    Request
    hussanm.duckdns.org
    IN A
    Response
    hussanm.duckdns.org
    IN A
    185.140.53.50
  • flag-unknown
    DNS
    hussanm.duckdns.org
    Remote address:
    8.8.8.8:53
    Request
    hussanm.duckdns.org
    IN A
    Response
    hussanm.duckdns.org
    IN A
    185.140.53.50
  • flag-unknown
    DNS
    hussanm.duckdns.org
    Remote address:
    8.8.8.8:53
    Request
    hussanm.duckdns.org
    IN A
    Response
    hussanm.duckdns.org
    IN A
    185.140.53.50
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 127.0.0.1:47001
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 185.140.53.50:7652
    hussanm.duckdns.org
    remcos.exe
    156 B
     120 B
     3
    3
  • 10.10.0.255:138
    netbios-dgm
    2.9kB
     13
  • 8.8.8.8:53
    hussanm.duckdns.org
    dns
    65 B
     81 B
     1
    1

    DNS Request

    hussanm.duckdns.org

    DNS Response

    185.140.53.50

  • 10.10.0.255:137
    netbios-ns
    1.5kB
     17
  • 239.255.255.250:1900
    1.3kB
     8
  • 8.8.8.8:53
    hussanm.duckdns.org
    dns
    65 B
     81 B
     1
    1

    DNS Request

    hussanm.duckdns.org

    DNS Response

    185.140.53.50

  • 239.255.255.250:1900
  • 8.8.8.8:53
    hussanm.duckdns.org
    dns
    65 B
     81 B
     1
    1

    DNS Request

    hussanm.duckdns.org

    DNS Response

    185.140.53.50

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3828-0-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3828-2-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4056-13-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.