Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    10/09/2022, 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    1008KB

  • MD5

    344a23d53906a0fe841f7a0a8126d75f

  • SHA1

    278871bd3c21de399683e55bf8eec0317441a659

  • SHA256

    1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

  • SHA512

    cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

  • SSDEEP

    24576:E4444YyXDTaaHTDkr/LeBf6uG8yI0/dD+lPU3KqeMT/T7UCHdOWM4444:KKPezGb/jKqzf7r9O

Score
10/10
remcosmalymoneypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

MalyMoney

C2

maly22333.ddnsking.com:3091

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    iys.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-CQ4N0Z

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    gtr

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
        PID:1532
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:320
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\iys.exe"
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1760
            • C:\Users\Admin\AppData\Roaming\iys.exe
              C:\Users\Admin\AppData\Roaming\iys.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1860
              • C:\Users\Admin\AppData\Roaming\iys.exe
                "C:\Users\Admin\AppData\Roaming\iys.exe"
                6⤵
                • Executes dropped EXE
                PID:1508
              • C:\Users\Admin\AppData\Roaming\iys.exe
                "C:\Users\Admin\AppData\Roaming\iys.exe"
                6⤵
                • Executes dropped EXE
                PID:472
              • C:\Users\Admin\AppData\Roaming\iys.exe
                "C:\Users\Admin\AppData\Roaming\iys.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetWindowsHookEx
                PID:1576

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      Filesize

      398B

      MD5

      d1d78c43dd8979c231896f298ba28326

      SHA1

      f62fee4bb9bed07d062dd9f9618434d4417fa11d

      SHA256

      5a8ddad5dcf6071f62ad721ac553bafd90be9db146aa77d29bfc30a72415099b

      SHA512

      8a8baf664b75f7beb00abd3fc16286155850abfaa9d5d95687279244f0f5a3ceeef965e754de19614f7a18646ffea4c7b09d028e54fec2aaf42d896b2d93da6a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\iys.exe
      Filesize

      1008KB

      MD5

      344a23d53906a0fe841f7a0a8126d75f

      SHA1

      278871bd3c21de399683e55bf8eec0317441a659

      SHA256

      1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

      SHA512

      cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

      Download Submit

    • C:\Users\Admin\AppData\Roaming\iys.exe
      Filesize

      1008KB

      MD5

      344a23d53906a0fe841f7a0a8126d75f

      SHA1

      278871bd3c21de399683e55bf8eec0317441a659

      SHA256

      1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

      SHA512

      cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

      Download Submit

    • C:\Users\Admin\AppData\Roaming\iys.exe
      Filesize

      1008KB

      MD5

      344a23d53906a0fe841f7a0a8126d75f

      SHA1

      278871bd3c21de399683e55bf8eec0317441a659

      SHA256

      1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

      SHA512

      cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

      Download Submit

    • C:\Users\Admin\AppData\Roaming\iys.exe
      Filesize

      1008KB

      MD5

      344a23d53906a0fe841f7a0a8126d75f

      SHA1

      278871bd3c21de399683e55bf8eec0317441a659

      SHA256

      1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

      SHA512

      cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

      Download Submit

    • C:\Users\Admin\AppData\Roaming\iys.exe
      Filesize

      1008KB

      MD5

      344a23d53906a0fe841f7a0a8126d75f

      SHA1

      278871bd3c21de399683e55bf8eec0317441a659

      SHA256

      1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

      SHA512

      cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

      Download Submit

    • \Users\Admin\AppData\Roaming\iys.exe
      Filesize

      1008KB

      MD5

      344a23d53906a0fe841f7a0a8126d75f

      SHA1

      278871bd3c21de399683e55bf8eec0317441a659

      SHA256

      1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

      SHA512

      cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

      Download Submit

    • \Users\Admin\AppData\Roaming\iys.exe
      Filesize

      1008KB

      MD5

      344a23d53906a0fe841f7a0a8126d75f

      SHA1

      278871bd3c21de399683e55bf8eec0317441a659

      SHA256

      1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

      SHA512

      cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

      Download Submit

    • memory/1500-64-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1500-62-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1500-69-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1500-67-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1500-71-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1500-75-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1500-76-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1500-65-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1500-78-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1500-59-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1500-60-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1500-66-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1576-108-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1576-109-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1576-110-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/1860-87-0x00000000009A0000-0x0000000000AA2000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1872-54-0x00000000009F0000-0x0000000000AF2000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1872-58-0x0000000005030000-0x00000000050AC000-memory.dmp

      Filesize

      496KB

      Download

    • memory/1872-57-0x00000000055D0000-0x00000000056A2000-memory.dmp

      Filesize

      840KB

      Download

    • memory/1872-56-0x00000000005E0000-0x00000000005F8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1872-55-0x0000000075841000-0x0000000075843000-memory.dmp

      Filesize

      8KB

      Download