Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

SecuriteIn...17.exe

windows7-x64

10

SecuriteIn...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2022, 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.IL.Trojan.MSILZilla.22441.31968.10217.exe

  • Size

    883KB

  • MD5

    d693283a2b6c3a4b36f503b741cef17a

  • SHA1

    d38ba08bce1821bf81d76c1e5b7b769c6681f159

  • SHA256

    be0c5e38edc7aba393016c5cdf21d7a93b2daf78395ced609104f7055fd5f162

  • SHA512

    0db444e29a7c574a91e140c06d84a66aa84d3884d4d593b5de8be50ee84acc8209831569aaa636b80a003ef240b2954a3929297445e08f30ca7ca3f995de30d6

  • SSDEEP

    12288:NJ1bM9KvvqzRDYCIbw4IK2HBNxIJqRMj4V9N8kgJFT1scYq6y7qPg:etsENO2Mj4Gk4FTOq6y7qPg

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

bodhansanders.hopto.org:2490

[email protected]:2490
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-G7HDVY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.22441.31968.10217.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.22441.31968.10217.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1680
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\taxrecords"
      2⤵
        PID:2028
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1356
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
          3⤵
          • Creates scheduled task(s)
          PID:1316
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.22441.31968.10217.exe" "C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe"
        2⤵
          PID:112
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {9406DAC1-8804-4CE2-8E5D-AF028E38BF7B} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
          C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1056
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
              PID:812
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\taxrecords"
              3⤵
                PID:840
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
                3⤵
                  PID:1184
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
                    4⤵
                    • Creates scheduled task(s)
                    PID:2024
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe" "C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe"
                  3⤵
                    PID:1640
                • C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
                  C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1880
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    3⤵
                      PID:2016
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\taxrecords"
                      3⤵
                        PID:1764
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
                        3⤵
                          PID:1740
                          • C:\Windows\SysWOW64\schtasks.exe
                            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
                            4⤵
                            • Creates scheduled task(s)
                            PID:664
                        • C:\Windows\SysWOW64\cmd.exe
                          "cmd" /c copy "C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe" "C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe"
                          3⤵
                            PID:1912

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
                        Filesize

                        883KB

                        MD5

                        d693283a2b6c3a4b36f503b741cef17a

                        SHA1

                        d38ba08bce1821bf81d76c1e5b7b769c6681f159

                        SHA256

                        be0c5e38edc7aba393016c5cdf21d7a93b2daf78395ced609104f7055fd5f162

                        SHA512

                        0db444e29a7c574a91e140c06d84a66aa84d3884d4d593b5de8be50ee84acc8209831569aaa636b80a003ef240b2954a3929297445e08f30ca7ca3f995de30d6

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
                        Filesize

                        883KB

                        MD5

                        d693283a2b6c3a4b36f503b741cef17a

                        SHA1

                        d38ba08bce1821bf81d76c1e5b7b769c6681f159

                        SHA256

                        be0c5e38edc7aba393016c5cdf21d7a93b2daf78395ced609104f7055fd5f162

                        SHA512

                        0db444e29a7c574a91e140c06d84a66aa84d3884d4d593b5de8be50ee84acc8209831569aaa636b80a003ef240b2954a3929297445e08f30ca7ca3f995de30d6

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
                        Filesize

                        883KB

                        MD5

                        d693283a2b6c3a4b36f503b741cef17a

                        SHA1

                        d38ba08bce1821bf81d76c1e5b7b769c6681f159

                        SHA256

                        be0c5e38edc7aba393016c5cdf21d7a93b2daf78395ced609104f7055fd5f162

                        SHA512

                        0db444e29a7c574a91e140c06d84a66aa84d3884d4d593b5de8be50ee84acc8209831569aaa636b80a003ef240b2954a3929297445e08f30ca7ca3f995de30d6

                        Download Submit

                      • memory/1056-83-0x0000000000F50000-0x0000000001032000-memory.dmp

                        Filesize

                        904KB

                        Download

                      • memory/1680-79-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1680-61-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1680-72-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1680-78-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1680-56-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1680-68-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1680-66-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1680-64-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1680-63-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1680-62-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1680-57-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1680-59-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/1880-106-0x0000000000F50000-0x0000000001032000-memory.dmp

                        Filesize

                        904KB

                        Download

                      • memory/2016-126-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/2032-54-0x00000000000F0000-0x00000000001D2000-memory.dmp

                        Filesize

                        904KB

                        Download

                      • memory/2032-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

                        Filesize

                        8KB

                        Download