Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
06/06/2023, 06:42
230606-hgjrasch41 106/06/2023, 06:42
230606-hgb2fscc89 106/06/2023, 06:41
230606-hf1nescc88 106/06/2023, 06:39
230606-heslescc84 306/06/2023, 06:31
230606-g96absch2z 1006/06/2023, 06:23
230606-g5p3jscg9t 10Analysis
-
max time kernel
228s -
max time network
232s -
platform
windows7_x64 -
resource
win7-20230220-es -
resource tags
-
submitted
06/06/2023, 06:31
General
-
Target
DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.rar
-
Size
1.3MB
-
MD5
246eb678d0a6211d010f5465bcc604b6
-
SHA1
e0a121dcac8a5f5f4c4ff4f27974e8d6b9adeeea
-
SHA256
726ff0b67faeacccd97956ddb2383026d3fea83a0d9f0ed761beeadeced8f610
-
SHA512
13b913463c36fcd80ddca12132f0f70fd9edd0bbf4d1dc55a9eff24b840e6af290eadfd8e3935d0e94c7e7baeac766a10bfe6b841fddafc6147a00247932167e
-
SSDEEP
24576:bv7698KdrtTYfx5Osq/cHfEJtppLj6yh/vM6VnPWVj96jgxMcDb9H3rk/avJAd:C935ix0/Ywv6uXJnPApAqrbh3rMavJAd
Malware Config
Extracted
remcos
Euros
jhcdiucishcisdfs.con-ip.com:1883
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-10VB13
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 11 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.rar"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.rar2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.rar"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.rar"4⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="976.0.1496969592\1379746467" -parentBuildID 20221007134813 -prefsHandle 1192 -prefMapHandle 1184 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99725b3f-1916-4694-977d-802d4ff97f4e} 976 "\\.\pipe\gecko-crash-server-pipe.976" 1256 139a9c58 gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="976.1.704449954\701599759" -parentBuildID 20221007134813 -prefsHandle 1460 -prefMapHandle 1456 -prefsLen 21751 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d639f35e-b99d-443e-baa5-255a9891825e} 976 "\\.\pipe\gecko-crash-server-pipe.976" 1472 e70758 socket5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="976.2.1402317147\985378072" -childID 1 -isForBrowser -prefsHandle 1676 -prefMapHandle 912 -prefsLen 21834 -prefMapSize 232675 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {725652f5-4d84-466b-a8dd-e8f17d844a36} 976 "\\.\pipe\gecko-crash-server-pipe.976" 2008 f399258 tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="976.3.1269209781\1315561010" -childID 2 -isForBrowser -prefsHandle 2740 -prefMapHandle 2736 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e19c2e5f-dd30-49da-847f-7a262f9a00e4} 976 "\\.\pipe\gecko-crash-server-pipe.976" 2752 1ac1b558 tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="976.4.1833211343\1455956241" -childID 3 -isForBrowser -prefsHandle 3632 -prefMapHandle 3616 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c7432ea-fc37-4070-a54d-cf427390a4ce} 976 "\\.\pipe\gecko-crash-server-pipe.976" 3660 1cf62958 tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="976.5.160871547\264300833" -childID 4 -isForBrowser -prefsHandle 3640 -prefMapHandle 3644 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a536e824-57dc-4298-9a01-4e0dbfa8ecf5} 976 "\\.\pipe\gecko-crash-server-pipe.976" 3724 1cf62358 tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="976.6.1782306904\111373945" -childID 5 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4ad8c2e-87a1-4ea0-8bfb-0599bca77cd9} 976 "\\.\pipe\gecko-crash-server-pipe.976" 3620 1f481258 tab5⤵
-
-
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA\" -spe -an -ai#7zMap3752:146:7zEvent60651⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4fc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.exe"C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AppData"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\Downloads\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA\DETALLE Y OFICIO DE CONSIGNACIÓN REALIZADA.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147KB
MD562af347703a67637a00515c3953bba9b
SHA1dc4e5a46deee31f9d5baaa386ba62dfc85357757
SHA256589503379680aadca4103ba5b4696481abc1ae867c0de4eae17b7862589ecf2b
SHA512ce46dfaf990400c89b7ab111c6af1b0221c2e1afb20c3d55b0b9fba1c3958c9c9afbcad19bc6480a451d9a2134de69e77aaf676fc50fc56d1bdf9aab8b3793fb
-
Filesize
6KB
MD5688e8418c56f8bc8f8f741f83d478dba
SHA172d1d4bf60bfa4641a44f06e268557771d06f357
SHA2561e0cab9263cf14166ca223a8bb557403d8d52fecae6c51a2766749f0a4339b36
SHA5121aa4b446947306aa12744f67bf04542b61fccae7ecae3abb6246ca895ad37e0fceadaf4a2353399773d1ce393fcdae7061743a3cc0a086b903690878c87fb33f
-
Filesize
937B
MD5d555a3f5b63d3bff0f930fde40c083f2
SHA15d797903abc04a1388f468951e95b7682f314a8d
SHA2562f55ae99e567cdbb5667533303b359f573f6b5f281a8c97cc951a912980c9137
SHA512c41caa3964e516186243926069cfd3d381c68872dcaa834da6ad295edcd1dc20e0d23e2cdd5d93b2afc6ef39bf75745243d8bf88a966edc7e06674ed93cdbc7d
-
Filesize
687B
MD547645c37fd8c5e6d43f9be9faafea491
SHA179b5af43a2046e9d4bda3d162b3f3191e047f951
SHA25654f09352505c1d3271a9c644e15e8ad5433f38273bb6e03e4089c49c514522be
SHA512af4b8fa7f70d48e98a7b346221905c04f24cf6563d097e916902b536da99f0824085b2187eb1e3bc43eda32c189341fce9b87cb395b34b79d8bebcb229b6973b
-
Filesize
184KB
MD50f30c0c6cf015c003183bd2966aa4011
SHA1884a2c66e4b26bf8ac84224d1ed01b8e4f2d59a7
SHA25662ac97ebb8c62a2ab12bd04f67414006a92a32321d7f9a79ef774c7db2ad63ed
SHA51276e904f0b2e00f08b14addbfd4f30a120a39a85ad1ef2e7315c3987475f1175c516217d51feface1e407b8c5730942fe4e464074a168e906deb3bdba21035121
-
Filesize
1.3MB
MD5246eb678d0a6211d010f5465bcc604b6
SHA1e0a121dcac8a5f5f4c4ff4f27974e8d6b9adeeea
SHA256726ff0b67faeacccd97956ddb2383026d3fea83a0d9f0ed761beeadeced8f610
SHA51213b913463c36fcd80ddca12132f0f70fd9edd0bbf4d1dc55a9eff24b840e6af290eadfd8e3935d0e94c7e7baeac766a10bfe6b841fddafc6147a00247932167e
-
Filesize
70.4MB
MD5a8d04745e8499e42bdd4630a3b5dd92c
SHA15f7d76341a72efcc5316a339b31187a535151fbf
SHA256f2fa9dd01a72d257d6bde350506a2c9358acef6973909d47e65c6be451966544
SHA51280ee47394b4c0d68c8a60bd5d517212611b47ecb63462c4dcba0714cb7674c140db45a977a072ae72eee1143ea556019bd75a40f5eb11aedab78e2f475a055cc
-
Filesize
62.7MB
MD5019163a928e3557005a7956cf83ee3d4
SHA148b1e74297d63bc787644dc0e0314addb858f671
SHA256a96dceab1927898450ca0cc2a6f086a135f18950173c1ed5ce089bfacfaf9869
SHA512c4e8ffdbf0dbcd3d3fa2643de764734805776878710257ed66015f4cfaf7224722de9d290d67ade6c8f018231c81582a2a52717f085f4226fc35179c029a777a
-
Filesize
1.3MB
MD5246eb678d0a6211d010f5465bcc604b6
SHA1e0a121dcac8a5f5f4c4ff4f27974e8d6b9adeeea
SHA256726ff0b67faeacccd97956ddb2383026d3fea83a0d9f0ed761beeadeced8f610
SHA51213b913463c36fcd80ddca12132f0f70fd9edd0bbf4d1dc55a9eff24b840e6af290eadfd8e3935d0e94c7e7baeac766a10bfe6b841fddafc6147a00247932167e
-
Filesize
516KB
-
Filesize
4KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
256KB
-
Filesize
568KB