Analysis
- max time kernel: 842s
- max time network: 907s
- platform: windows10-1703_x64
- resource: win10-20230220-de
- resource tags: arch:x64, arch:x86, image:win10-20230220-de, locale:de-de, os:windows10-1703-x64, system, windows
- submitted: 31/03/2023, 15:47
Static task: static1
Behavioral task: behavioral1
- Sample: RemixOSPlayerPackage-B2016111403.exe
- Resource: win10-20230220-de
Errors
General
- Target: RemixOSPlayerPackage-B2016111403.exe
- Size: 744.0MB
- MD5: 2d0e233d68d1bf8641a6d2e0f4c9f9f1
- SHA1: 91d055cca30a83b82cbf42b84c6e13892eda28ba
- SHA256: 2272b208346e5c190762c7b3110c6bd02a26f09d5bf6a9ace0942f23271d276d
- SHA512: 2ab156c4536b85120c345d87c67663476061e324d7d47157088bcab3aaee915a3bd54c1b4591cce3959f7c7e8439c69e30cd5f9c6671c2486260df638d92e829
- SSDEEP: 12582912:LHjigS5NeiGCPJPTc81di4WMAxsyozyxd8stJv0bItGsjShqm:LHj5S5UiGCPVcqi4RO4Oxd8sLMbI70qm
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid / Process:
  - 4360 RemixOSPlayer.exe
  - 68 RemixOSPlayer.exe
  - 2044 RemixOSPlayer.exe
  - 3084 RemixOSPlayer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Modifies data under HKEY_USERS (15 IoCs)
  description / ioc / Process (all by LogonUI.exe):
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid / Process:
  - 436 WINWORD.EXE
  - 436 WINWORD.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / Process:
  - 2152 RemixOSPlayerPackage-B2016111403.exe
  - 2152 RemixOSPlayerPackage-B2016111403.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid / Process:
  - 436 WINWORD.EXE (7 entries)
  - 4884 LogonUI.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description / pid / Process / procid_target:
  - PID 2152 wrote to memory of 4360 / 2152 / RemixOSPlayerPackage-B2016111403.exe / 67
  - PID 2152 wrote to memory of 4360 / 2152 / RemixOSPlayerPackage-B2016111403.exe / 67
Processes
- C:\Users\Admin\AppData\Local\Temp\RemixOSPlayerPackage-B2016111403.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RemixOSPlayerPackage-B2016111403.exe"
  PID: 2152
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\RemixOSPlayer\RemixOSPlayer.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RemixOSPlayer\RemixOSPlayer.exe"
    PID: 4360
    - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\RemixOSPlayer\RemixOSPlayer.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RemixOSPlayer\RemixOSPlayer.exe"
  PID: 68
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\RemixOSPlayer\RemixOSPlayer.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RemixOSPlayer\RemixOSPlayer.exe"
  PID: 2044
  - Executes dropped EXE
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\PushRename.docx" /o ""
  PID: 436
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Local\Temp\RemixOSPlayer\RemixOSPlayer.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RemixOSPlayer\RemixOSPlayer.exe"
  PID: 3084
  - Executes dropped EXE
- C:\Windows\system32\LogonUI.exe (depth 1)
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ace855 /state1:0x41c64e6d
  PID: 4884
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Jide_Technology_Co.,_Ltd\RemixOSPlayer.exe_Url_xrnheckjhanapt051fo2kbsecc4trxam\1.0.110.0\gqgwh1nh.newcfg
  Filesize: 938B
  MD5: 1e6a984558dab04f20ef4e263eae071e
  SHA1: e62cb1221a7ddc000a3bbf80954b6c3e4fd9e025
  SHA256: ee3a4fb9400d2710d4293d4945fc3ed32d770e3085b2b9dfd9c4612c7e8217da
  SHA512: 24f46d5b2981b5e42f7dfdf557013ff6462b99527fcaeeb3ab9edfc29a02fce3bc2d846c0a0e7f2f960b164a5492ab5a8b1e628ca5d95d65a9aa8f6e4b95a31d
- C:\Users\Admin\AppData\Local\Jide_Technology_Co.,_Ltd\RemixOSPlayer.exe_Url_xrnheckjhanapt051fo2kbsecc4trxam\1.0.110.0\user.config
  Filesize: 819B
  MD5: fd8986d145694d3e2a7bd8d70895a661
  SHA1: cbe1b1ac620e5a278f66c886021221042ad9d2f6
  SHA256: 9607265e66726ab76866b108f64a33b7bce5eab276de675e1520228781ecaa1f
  SHA512: d3ac96c994108f7e8046205f38790d9b3eb826b631e57636710403bd540a410dd904762b79ea013f551e61313ec4521366019e039ec94fba50559ede4f827c0d
- (unnamed file)
  Filesize: 1KB
  MD5: af50e3bb1754f35e9ebac22ebe9c7cde
  SHA1: 3db53b5baddd04b6d18fd6a45e4d15c8b96d9c16
  SHA256: 0b09df284e815b95bda30e69d35c4761935780e9fd746dacd70c00ba6fbdbc2d
  SHA512: 3f0fbccc6816f7d509a9ce606d100f79803923df428bc3197dc885ffbff36bc854be7379979b41272777574bd53e37c68533a84010d6647a94a175a270437cfd
- (unnamed file)
  Filesize: 2.6MB
  MD5: 2714fea14c1f7e7c3acdc9bdfcc6d15f
  SHA1: cd8a94aa3b73036db2a06caf1460a7e21564b1e0
  SHA256: e6e2e90d2229d1544dc4227dcff33601fb89e093d017508e5e79313f4b580901
  SHA512: bddc816832c6d3b431d2e275b43556a08c46b8a7b2f2ea7c769bd73ae1ae3660a5c98464060e73de637548c5793e189d0e87748b7d4350b506e4fa6bbc63cf43
- (unnamed file)
  Filesize: 32B
  MD5: 521aa059bb3f6cfa4019f88a59a6248a
  SHA1: 6cc82fb2d88c7b0717b3570cbddfd1914936f610
  SHA256: 835a6cf92bd5d7edfc7d70710419bd6b144adeea00d141446b7a94b90a40e037
  SHA512: 419453c9c6b526d6a0a851e6123f0f88a3e1fdc248a923bbba1cf4aa1f957cba6c84e72891d0baa0d171b5393af5e19e64547dc013e311a7132707dffd63bec9