Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
04/01/2023, 12:40
Static task
static1
Behavioral task
behavioral1
Sample
e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe
Resource
win10v2004-20221111-en
General
-
Target
e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe
-
Size
1.1MB
-
MD5
d9b3775511c7538a73dfeaab0073b4b6
-
SHA1
e3a64adc43c5c5c0bfc725344407433b4b497fa9
-
SHA256
98479f2d5e3f5147ddd504bcc7bd1a2b0a3b06ff5525f313a55ce81efc67fc28
-
SHA512
6b685246032b7c4a09f4df63dbc1282dfdd9822911744d9b9bcb4b135139a7a25b7d0daf30fd0b62b254ede16d010dbd18e8a8adef384bcfa11400a4605e6969
-
SSDEEP
24576:QOwgbq09TF+lmP8iZ1P/wvDcm9puPYxsJ4gb:HrdDAvFYQsqgb
Malware Config
Extracted
remcos
RemoteHost: 51.75.209.245:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-CMFPLR
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
Process: e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe
-
Suspicious use of SetThreadContext 1 IoCs
description: PID 640 set thread context of 4736
pid: 640
Process: e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe
procid_target: 97
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour", but nothing else in this report (no file writes, no encryption, no ransom note) supports that here; for a Remcos RAT, drive enumeration is consistent with its remote file-browsing features.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid: 4868
Process: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid: 640, Process: e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe (9 IoCs)
pid: 2140, Process: powershell.exe (2 IoCs)
pid: 3536, Process: powershell.exe (2 IoCs)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description: Token: SeDebugPrivilege, pid: 640, Process: e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe
description: Token: SeDebugPrivilege, pid: 3536, Process: powershell.exe
description: Token: SeDebugPrivilege, pid: 2140, Process: powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid: 4736
Process: e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
All 24 IoCs are writes by pid 640 (e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe) into its child processes:
description: PID 640 wrote to memory of 3536, procid_target: 90 (3 IoCs)
description: PID 640 wrote to memory of 2140, procid_target: 92 (3 IoCs)
description: PID 640 wrote to memory of 4868, procid_target: 94 (3 IoCs)
description: PID 640 wrote to memory of 456, procid_target: 96 (3 IoCs)
description: PID 640 wrote to memory of 4736, procid_target: 97 (12 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe (PID 640, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3536, depth 2, parent 640)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2140, depth 2, parent 640)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oCfQiTZ.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\schtasks.exe (PID 4868, depth 2, parent 640)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oCfQiTZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21E0.tmp"
    - Creates scheduled task(s)
  -
  C:\Users\Admin\AppData\Local\Temp\e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe (PID 456, depth 2, parent 640)
    command line: "C:\Users\Admin\AppData\Local\Temp\e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe"
    (no signatures recorded for this instance)
  -
  C:\Users\Admin\AppData\Local\Temp\e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe (PID 4736, depth 2, parent 640)
    command line: "C:\Users\Admin\AppData\Local\Temp\e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe"
    - Suspicious use of SetWindowsHookEx

Reading the tree: the three helper processes were invoked with a System32 path but ran from SysWOW64. That is WOW64 file-system redirection, so the parent (PID 640) is a 32-bit process; a hunt that only matches the literal System32 path in the image field will miss these. The two Add-MpPreference calls add Defender exclusions for the dropped file and for C:\Users\Admin\AppData\Roaming\oCfQiTZ.exe (a path that is excluded here but whose creation is not recorded in this report) before the scheduled task "Updates\oCfQiTZ" is registered from an XML definition in %Temp%; the task XML (tmp21E0.tmp) is not shown. The parent then launches its own image twice; with the SetThreadContext and WriteProcessMemory IoCs targeting PID 4736, that is the usual spawn-suspended, write, set-context, resume sequence, and PID 4736 is the instance that installs a Windows hook.
-
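The process tree above is compact enough to turn into detections. The following is an added example, not tria.ge code and not part of this report: it runs four checks over a constructed set of process-creation events that mirror the PIDs and command lines shown above (the events are made up to match the report, and the minimal pid/ppid/image/cmdline schema is an assumption, not any particular EDR's format). It flags Add-MpPreference exclusions pointing at user-writable paths, schtasks /Create imports from a temp XML, a user-writable binary spawning its own image (the hollowing pattern behind the SetThreadContext signature), and the SysWOW64/System32 mismatch that reveals a 32-bit parent.

```python
"""Detections for the Remcos execution chain in the report above.

Added example (not tria.ge code). EVENTS is a CONSTRUCTED log modelled on the
report's process tree; the field names are an assumed minimal schema.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e3a64adc43c5c5c0bfc725344407433b4b497fa9.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'

# Constructed events mirroring the report's tree (PID 640 and its children),
# plus one benign PowerShell event as noise.
EVENTS: List[Dict] = [
    {"pid": 640, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3536, "ppid": 640, "image": PS_IMAGE,
     "cmdline": PS_CMD + f' Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"pid": 2140, "ppid": 640, "image": PS_IMAGE,
     "cmdline": PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oCfQiTZ.exe"'},
    {"pid": 4868, "ppid": 640, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oCfQiTZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21E0.tmp"'},
    {"pid": 456, "ppid": 640, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4736, "ppid": 640, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},  # benign admin activity
]

# Paths a standard user can write to; exclusions or task definitions living
# here are far more suspicious than ones under Program Files or Windows.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\[^\\]+\\(Downloads|Desktop))\\", re.I)
EXCLUSION = re.compile(r'Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\s+"?([^"]+)', re.I)
SCHTASKS_XML = re.compile(r'schtasks(\.exe)?"?\s+/create\b.*?/xml\s+"?([^"]+)', re.I)


def defender_exclusions(events: List[Dict]) -> List[Tuple[int, str]]:
    """Add-MpPreference exclusions whose target sits in a user-writable path."""
    hits = []
    for e in events:
        m = EXCLUSION.search(e["cmdline"])
        if m and USER_WRITABLE.search(m.group(2)):
            hits.append((e["pid"], m.group(2)))
    return hits


def temp_xml_tasks(events: List[Dict]) -> List[Tuple[int, str]]:
    """schtasks /Create that imports its task definition from a user-writable XML."""
    hits = []
    for e in events:
        m = SCHTASKS_XML.search(e["cmdline"])
        if m and USER_WRITABLE.search(m.group(2)):
            hits.append((e["pid"], m.group(2)))
    return hits


def self_spawn_candidates(events: List[Dict]) -> Dict[int, int]:
    """Parents in user-writable paths that launch their own image, with a count.

    A binary dropped in %Temp% re-executing itself is the spawn-suspended /
    write / SetThreadContext / resume pattern; even one such child is worth
    a look, which is why no threshold is applied.
    """
    by_pid = {e["pid"]: e for e in events}
    counts: Counter = Counter()
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (parent and parent["image"].lower() == e["image"].lower()
                and USER_WRITABLE.search(e["image"])):
            counts[e["ppid"]] += 1
    return dict(counts)


def wow64_redirected(events: List[Dict]) -> List[int]:
    """Command line names System32 but the image ran from SysWOW64.

    File-system redirection did this, which means the launching parent is a
    32-bit process; matching only on the System32 string would miss these.
    """
    return [e["pid"] for e in events
            if "\\syswow64\\" in e["image"].lower()
            and "\\system32\\" in e["cmdline"].lower()]


def triage(events: List[Dict]) -> Dict[str, object]:
    """Run all four checks and return the findings keyed by check name."""
    return {
        "defender_exclusions": defender_exclusions(events),
        "temp_xml_tasks": temp_xml_tasks(events),
        "self_spawn": self_spawn_candidates(events),
        "wow64_redirected": wow64_redirected(events),
    }


if __name__ == "__main__":
    for name, finding in triage(EVENTS).items():
        print(f"{name}: {finding}")
```

On the constructed events this reports both exclusion targets (PIDs 3536 and 2140), the task XML in %Temp% (PID 4868), PID 640 spawning itself twice, and the three redirected helpers, while the benign Get-MpPreference event produces nothing. In a real pipeline the image/cmdline fields would come from Sysmon event 1 or the EDR's process-start telemetry, and USER_WRITABLE should be extended with whatever drop directories your environment actually sees.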
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2KB
MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
1KB
MD5 badbd008911c2684c00657df8aadeb0f
SHA1 046def4ff1268f40065c3f8cb73ea7c5eb065219
SHA256 bc5fbeb32cec7d1952a7ede90fba3576427ac33218537bf78e9846568e19d382
SHA512 c023e25b500d9dc686f084a2056ae838e47aaf4d8534e82d6b3b9f3a4e251a80164392b265be6fffe1c4ace133dc97e6d01736d1df7458d0ada8a6f7d6a7d254