Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
06/06/2023, 06:42
230606-hgjrasch41 106/06/2023, 06:42
230606-hgb2fscc89 106/06/2023, 06:41
230606-hf1nescc88 106/06/2023, 06:39
230606-heslescc84 306/06/2023, 06:31
230606-g96absch2z 1006/06/2023, 06:23
230606-g5p3jscg9t 10Analysis
-
max time kernel
95s -
max time network
141s -
platform
windows10-1703_x64 -
resource
win10-20230220-es -
resource tags
-
submitted
06/06/2023, 06:23
General
-
Target
DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.rar
-
Size
1.3MB
-
MD5
246eb678d0a6211d010f5465bcc604b6
-
SHA1
e0a121dcac8a5f5f4c4ff4f27974e8d6b9adeeea
-
SHA256
726ff0b67faeacccd97956ddb2383026d3fea83a0d9f0ed761beeadeced8f610
-
SHA512
13b913463c36fcd80ddca12132f0f70fd9edd0bbf4d1dc55a9eff24b840e6af290eadfd8e3935d0e94c7e7baeac766a10bfe6b841fddafc6147a00247932167e
-
SSDEEP
24576:bv7698KdrtTYfx5Osq/cHfEJtppLj6yh/vM6VnPWVj96jgxMcDb9H3rk/avJAd:C935ix0/Ywv6uXJnPApAqrbh3rMavJAd
Malware Config
Extracted
remcos
Euros
jhcdiucishcisdfs.con-ip.com:1883
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-10VB13
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.rar"1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.rar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.rar"3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.0.1255370536\675755084" -parentBuildID 20221007134813 -prefsHandle 1656 -prefMapHandle 1648 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93bf7e0c-454c-41be-b20b-f0a3f0643ef0} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 1732 163ccf16558 gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.1.1361951685\861223104" -parentBuildID 20221007134813 -prefsHandle 2072 -prefMapHandle 2068 -prefsLen 21749 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98b614c7-a63c-4f1f-a319-15ca51a0e44d} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 2100 163c0872558 socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.2.1566614624\1061709132" -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3112 -prefsLen 21832 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ff03670-6dae-4c8d-abea-8b01b24bcefc} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 3128 163cfd0c258 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.3.12693799\381921475" -childID 2 -isForBrowser -prefsHandle 3432 -prefMapHandle 3428 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a294ba0-0cfa-48e2-ac2e-c0ed9ba5a0f2} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 3440 163c0861958 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.5.1068368365\781648259" -childID 4 -isForBrowser -prefsHandle 4800 -prefMapHandle 4804 -prefsLen 26796 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0954ab08-5a87-41bb-bfe2-e8c6b97ca936} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 4792 163d2e6bb58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.6.1855855233\538442944" -childID 5 -isForBrowser -prefsHandle 4996 -prefMapHandle 5000 -prefsLen 26796 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bb51f53-e9a4-42e2-a8f2-35215d4b18ae} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 4992 163d2e6e558 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.4.377202364\1505281049" -childID 3 -isForBrowser -prefsHandle 4676 -prefMapHandle 4512 -prefsLen 26796 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16e0e250-a361-4c6e-8dca-733694ce4b07} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 4576 163d26bbb58 tab4⤵
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.rar"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.rar"2⤵
- Checks processor information in registry
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap22786:146:7zEvent214421⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.exe"C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AppData"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f1⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\AppData\AppData.exeC:\Users\Admin\AppData\Roaming\AppData\AppData.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AppData"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f1⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.exe"C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AppData"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 5241⤵
- Program crash
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132B
MD5bac78ba635cad8210b2b52e1460264bd
SHA10f80bff45d895b50eccfce419993074d91e6441c
SHA256fee5000a09133c6e9c979a8048d5baa15383b5f6f5273fa9e7015535e85f143b
SHA5123d63f0d61b09e9a5488e20a79537e4279ea8917b1bd5e71eac632b33a75cce42883c0417ae93b5bf3c0ba1f78789b4e321054c4917ac9c0e1a542408b764380c
-
Filesize
425B
MD5605f809fab8c19729d39d075f7ffdb53
SHA1c546f877c9bd53563174a90312a8337fdfc5fdd9
SHA2566904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
SHA51282cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3
-
Filesize
147KB
MD549bc43fce03dfcb01da2874d371b27e5
SHA1f2d3fd859273b23cfe9a207598597aae31e92bf6
SHA256703217eb372bb9a32fa648d2773261d6568dd9187f9adb0c59742dec0e755a65
SHA512f1f36a7b446dfcf272628bc08d1a10fb4e4d1a64b46341d9599b72f0487d6a5d8d8287f25f3dc6a8449789e142ea8a098cceb75c7ae5752bd1de9b670d3dac7a
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
59.9MB
MD52dffc834fa90c2488fd03ab82022dce5
SHA195f8256b7657f509329d10be80d0f17738261f53
SHA2560996295d6e8ae41aacbc5214cea7811cd20917e0f76325f21b73333600cfcd87
SHA5123e567b10a6564d388ee133c3e244d25d0393bce71de15db3a442ab3e15e085493eed33087b6540548491ce5752c394c24b8499ba4d8e624dd8a1b557608ba719
-
Filesize
60.7MB
MD5e43be9c372a323d987a588d4236dc226
SHA1640b8d35211c5459c35ad3140ca16fc0741b3df4
SHA2567935593cddfc9281e4ec64e40abca3c3094f8d61309f4061a074a24716981b46
SHA51287f65ffc9d9d484f6216863b1fbbefbf1a50c919a13b3acbba618375906a4c9d22c8b5305ae4cf24f6869fb3fa33257f3603d32824ae010684ade47281aab48c
-
Filesize
22.5MB
MD538103ec9a539662eb399e5f9567d6bdb
SHA1d6d4136c1475ec700327fd771e3c88a1f955d1aa
SHA256c6c69e4db9972654acb985628c19ade5d41a4b858a77d618e16f433e4d56c673
SHA5124b6b02618380937e706d4faf4dd056ce670d07cfba2153b5c6fa0e0e4a01bc43538af29cecb2823f7c35f4fd5c2547fdff74cf2086533c80db8f650375e8c03b
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
6KB
MD5f843fc3b858888d342076c7199266348
SHA197dea7b7d8486f03cc085ef488fda80fe53515a0
SHA25619b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4
SHA5129b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7
-
Filesize
1KB
MD5d29d6dfaf6ed710c471ba1ed5d9a035c
SHA1eb45f4871b168bb6824dcb88b83ceeeafdcc7290
SHA256c69d7a2014fcb5c2850627e5f71eae1377f698482c42ac591b21968fcd905954
SHA512ffc3fbe8f38032056e90ce5bc464318c0e40dea9575f3a2c9d0e05fdb7545c758d29f9beaaafcf28e08a9a6a484faa0476760748452939e772abb20aee041499
-
Filesize
1KB
MD582d865bcf0430e7a2ed4896b722ad2ed
SHA1554b5ac02722d64b4ec7dd8725c9b74a5508250d
SHA256770b3e6ab11b6a021d5a06c98db6f07ab28f05f1cb1917234dcf8e39bb6a9d0a
SHA512d2dd499bb8e037a76deb534454dec90ecdce67ffcdc66c7104e4d9436f9d98448e3680a81824953cb0f80cf02507d7207ed326bc23368a2a31a35afb842f1f17
-
Filesize
184KB
MD54717c6384744c6a03b44c93a5d5b615d
SHA1b321e4266f6c9bf8b03a5a5c5a3abaa02ba44859
SHA256d1e2309fdb2e21869a326e8be4bc1680eaee56c85304663477aa9d1db12ad721
SHA512b0971e922419c207c2398b0e7716e1c967027598ce77be4ca61ef78615622cb332f0c3b12271f2404af5445467d302b1b12e1c158629709dd426d719086f8474
-
Filesize
281.0MB
MD59ac792e6c71640cf78c11ccecf45e0bd
SHA1d590b67fee281a2e6e47bb792d69be16f3bad56c
SHA256ddb6c0b729851127f9c8edc73a15808df3b1e6cbf5d02ff85f28d72a7847e4b2
SHA512c3edb46379b83c7f8f67a6f7a3a489967dc919595d9cff69d0fa9356d6a6c1e82340231b973c148ec4ab23ad9dc193c0e411ac9507cef5c87004633c46eedcba
-
Filesize
280.0MB
MD5d5d883746c50adf37fe0472dc6cc7394
SHA16fe0fe32fa3f9478c7582e9cef87982a1e96967b
SHA25633c0eb228955cfd5f79d2ea1b1c604f2b9a59abaa730c6d26ddbcebabb56ba60
SHA512e5ce749b40e88b2477e103e7e4d09573bbe37bc02352ec22bebc65aef67afb5118065f53295071dd6125b49b747f6a7788d70afa44544c93eea1499100972942
-
Filesize
34.0MB
MD5a28f0443e4c3399c332f8645d73b81e9
SHA1aaba828fc5ab99f57dcba0f0784d4ccba120905b
SHA256e6826e4d72090161e3fa8b2798b1c1572fa115c34919b6e1909bcd155b2f1800
SHA51220b7a37b03b9d87221a7ebf5457f378317e65f2e4a4c8ae4c77912d1fd14e304dc7b0deb722aa473ed5e079024aa8f3695bdbd7e77f3685136f8ed6b7bd0a7d4
-
Filesize
1.3MB
MD5246eb678d0a6211d010f5465bcc604b6
SHA1e0a121dcac8a5f5f4c4ff4f27974e8d6b9adeeea
SHA256726ff0b67faeacccd97956ddb2383026d3fea83a0d9f0ed761beeadeced8f610
SHA51213b913463c36fcd80ddca12132f0f70fd9edd0bbf4d1dc55a9eff24b840e6af290eadfd8e3935d0e94c7e7baeac766a10bfe6b841fddafc6147a00247932167e
-
Filesize
1.3MB
MD5246eb678d0a6211d010f5465bcc604b6
SHA1e0a121dcac8a5f5f4c4ff4f27974e8d6b9adeeea
SHA256726ff0b67faeacccd97956ddb2383026d3fea83a0d9f0ed761beeadeced8f610
SHA51213b913463c36fcd80ddca12132f0f70fd9edd0bbf4d1dc55a9eff24b840e6af290eadfd8e3935d0e94c7e7baeac766a10bfe6b841fddafc6147a00247932167e
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
64KB
-
Filesize
568KB
-
Filesize
64KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
64KB