Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

solicitud ...22.exe

windows7-x64

1

solicitud ...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 12:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    solicitud de presupuesto 29-11-2022.exe

  • Size

    125KB

  • MD5

    3cd5112e9d9cd2bc8ed794401cc271e9

  • SHA1

    4ab5de3c9df69b32bdb2c7b39fa36ab5f14ec97a

  • SHA256

    a97f182e8e7da0854b932b946352626e4c94c6f1319ea6ddf5cefa854af93bd7

  • SHA512

    d36d489dd4ad11c4be771baecdd641108e5384c140e4236bb696b66abb3dcb744e1c165bebad2c8d218cce2125fbba957054bd12318f34bb872c154df2d9c421

  • SSDEEP

    1536:FXVlyB2mzz5plxj6gpf6m4JE/9F6i8x6YEDHBDF1aOHCmvRwv+SfF1FVj:BVlyB2srxWxwF6iNDHzJwv+k1FVj

Score
10/10
remcosremotehostcollectionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

obologs.work.gd:4044

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-0IY2Q2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\solicitud de presupuesto 29-11-2022.exe
    "C:\Users\Admin\AppData\Local\Temp\solicitud de presupuesto 29-11-2022.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-Date
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5048
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3116
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\dlmuspc"
        3⤵
          PID:1888
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\dlmuspc"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1020
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\ogrmthnvsw"
          3⤵
            PID:2712
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\ogrmthnvsw"
            3⤵
              PID:732
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\ogrmthnvsw"
              3⤵
              • Accesses Microsoft Outlook accounts
              PID:4832
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\yixxtayogedrf"
              3⤵
                PID:5000
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\yixxtayogedrf"
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4280

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            1KB

            MD5

            4280e36a29fa31c01e4d8b2ba726a0d8

            SHA1

            c485c2c9ce0a99747b18d899b71dfa9a64dabe32

            SHA256

            e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

            SHA512

            494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            17KB

            MD5

            6ac839d7d02c0f88d82a69cf0cc8fa42

            SHA1

            48c201aad3fc3c9e90272c7c703b415e20971b0b

            SHA256

            c4b108d8e7f015ad95f88d8ff58e699a6160e11548ad1a54ec5c92221ec0da07

            SHA512

            c6efd4eaef035f5a607848aca0edf815821e0e36ce8c51958adc2c6335b3073bbefd7bc8b93e3e6d1c9fba0499d7f5e5f0cb7f39a5feb4d80f7b65a41480f237

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\dlmuspc
            Filesize

            4KB

            MD5

            d06ebab8b0513f602e535079a9ebbeea

            SHA1

            d29472e6eb5a72f0353d70b97a33337b255b487e

            SHA256

            0c9e16830ccc6495def187adde2137ac07a566e1534e5714f626dcd68d28094c

            SHA512

            002df6f401950fd24d5976a47c58e9e2c58cef7d4fdec69f815fb6a00fb1e1a8963a4a7bf52056e61d6f6875edec393c466742c3031dd5f88802b45ddadca209

            Download Submit

          • memory/1020-165-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

            Download

          • memory/1020-162-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

            Download

          • memory/1944-132-0x00000000004E0000-0x0000000000504000-memory.dmp

            Filesize

            144KB

            Download

          • memory/1944-141-0x0000000005490000-0x000000000549A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1944-136-0x0000000005BF0000-0x0000000005C82000-memory.dmp

            Filesize

            584KB

            Download

          • memory/1944-133-0x00000000054A0000-0x0000000005A44000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4280-160-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/4280-164-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/4428-149-0x0000000000400000-0x000000000047F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4428-150-0x0000000000400000-0x000000000047F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4428-151-0x0000000000400000-0x000000000047F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4428-152-0x0000000000400000-0x000000000047F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4428-167-0x0000000000400000-0x000000000047F000-memory.dmp

            Filesize

            508KB

            Download

          • memory/4832-161-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/4832-163-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/5048-139-0x0000000005660000-0x00000000056C6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/5048-144-0x00000000063A0000-0x00000000063BA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/5048-138-0x00000000055C0000-0x00000000055E2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/5048-140-0x00000000057D0000-0x0000000005836000-memory.dmp

            Filesize

            408KB

            Download

          • memory/5048-137-0x0000000004F60000-0x0000000005588000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/5048-142-0x0000000005F20000-0x0000000005F3E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/5048-135-0x00000000048F0000-0x0000000004926000-memory.dmp

            Filesize

            216KB

            Download

          • memory/5048-143-0x00000000077B0000-0x0000000007E2A000-memory.dmp

            Filesize

            6.5MB

            Download