Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 17/05/2023, 15:41
Static task: static1
Behavioral task: behavioral1
  Sample: 0b94975f5dde6feab979853991933616.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 0b94975f5dde6feab979853991933616.exe
  Resource: win10v2004-20230220-en
General
Target: 0b94975f5dde6feab979853991933616.exe
Size: 1.0MB
MD5: 0b94975f5dde6feab979853991933616
SHA1: 6b15f943d7ae7e265e455026a70b2116bc7a407d
SHA256: a6bf09d8242fd2933426629a504f995a5d624d555bd2f28a49876762ec0a03a6
SHA512: 7e8a156ea625dbe2d15f76a70bd79b6a123526ee1d71450b8e16b3df069f9cf6c2d25e9ee7796d644891537ee243618ae39ede7f4e1c75a66618c9ab1e452a37
SSDEEP: 24576:cWRK9jeP8CWr4cBKXh83adVzgXF37tBJp:cWQ9+8Br45Xe36VS37H
Malware Config
Extracted: remcos
RemoteHost: seanblacin.sytes.net:6110
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: chrcrh.exe
copy_folder: chrcrh
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: chrcrh
mouse_option: false
mutex: Rmc-FDI6XX
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: chrcrh
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Suspicious use of SetThreadContext (1 IoC)
description                          pid    Process                                procid_target
PID 1444 set thread context of 268   1444   0b94975f5dde6feab979853991933616.exe   27

Suspicious use of SetWindowsHookEx (1 IoC)
pid    Process
268    0b94975f5dde6feab979853991933616.exe

Suspicious use of WriteProcessMemory (13 IoCs; all 13 rows are identical)
description                          pid    Process                                procid_target
PID 1444 wrote to memory of 268      1444   0b94975f5dde6feab979853991933616.exe   27
Processes

1. C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe"
   PID: 1444
   Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe (nested under process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0b94975f5dde6feab979853991933616.exe"
      PID: 268
      Signatures: Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 144B
MD5: bdda7e7f5c2553028840e514509cc7b1
SHA1: d9807452b230a812bad8ff46a2fff365115e7651
SHA256: b62803c0320a57cec55ba89f91117e000e4a1bf4f2567ca31f70d3972be1c4f7
SHA512: 16e9a14a9cfebdd7c47d9f016b904d850d2100d1492e2b5c3ab9b545b38cf714455658e4b96fc53ed66d44f864f8d511dce34f65c132cef5557632977e38d48f