Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
19/05/2023, 04:51
Static task
static1
Behavioral task
behavioral1
Sample
SYN2023060702.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
SYN2023060702.exe
Resource
win10v2004-20230220-en
General
-
Target
SYN2023060702.exe
-
Size
551KB
-
MD5
e550594dbf07c3a445d0ee6d44325c96
-
SHA1
ac62125f63e40ed06e6b3cf7a4b180543894d797
-
SHA256
efcc97c8dac23a0c8bc179fd3b54efd3594e71d5103f211bf468e2a6e550590e
-
SHA512
92924f57caf0c7b5fc08576d807079c7c060ccecc882766c5298af18288c9cbd9a9d01bd325007b52d983e669e90db9b42fcbe525442887e3de66d9246c1565e
-
SSDEEP
12288:ZLLsWrDu24O0XFrfiPfuw91uhQ9TaQX5eQ4L1NbRHgWAvHv3cIXsSlwjFh:ZLLTrfj9TaY5eV5N95AfUVSoFh
Malware Config
Extracted
remcos
RemoteHost
155.94.185.15:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-FUG8H1
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe SYN2023060702.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe SYN2023060702.exe -
Loads dropped DLL 1 IoCs
pid Process 1948 SYN2023060702.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 320 SYN2023060702.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1948 SYN2023060702.exe 320 SYN2023060702.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1948 set thread context of 320 1948 SYN2023060702.exe 28 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1948 SYN2023060702.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 320 SYN2023060702.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1948 wrote to memory of 320 1948 SYN2023060702.exe 28 PID 1948 wrote to memory of 320 1948 SYN2023060702.exe 28 PID 1948 wrote to memory of 320 1948 SYN2023060702.exe 28 PID 1948 wrote to memory of 320 1948 SYN2023060702.exe 28 PID 1948 wrote to memory of 320 1948 SYN2023060702.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe"C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe"1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe"C:\Users\Admin\AppData\Local\Temp\SYN2023060702.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:320
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5b1e27118ea300aff5faa4ea5ebe8b045
SHA14f06e5bd97129db44efc4c7bd653311ce96c854e
SHA2567a480cb7be0e96f855ea7043264b4c965aec6074021ca92a9f8344c16305a3e9
SHA51246b163e19b415dc9aa42b8e8adfc4e653068907f9aabff27af73dc71394a8a86c323f7c0dddb67dc07b397f94bf86386735b4dacf66469e2fc02193a1b6871c6
-
Filesize
11KB
MD5c9473cb90d79a374b2ba6040ca16e45c
SHA1ab95b54f12796dce57210d65f05124a6ed81234a
SHA256b80a5cba69d1853ed5979b0ca0352437bf368a5cfb86cb4528edadd410e11352
SHA512eafe7d5894622bc21f663bca4dd594392ee0f5b29270b6b56b0187093d6a3a103545464ff6398ad32d2cf15dab79b1f133218ba9ba337ddc01330b5ada804d7b