Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
CONSOLIDADO DIGITAL DE DEMANDA 12 DE JULIO (1).tar
-
Size
1.2MB
-
Sample
230713-tqqrrahd35
-
MD5
92715c671c4879b4ec0831eff22d20c0
-
SHA1
0edefe7b413fd79214d2f96204d5ebd6c8675e21
-
SHA256
9eceaed803e69f79780b296bc7842a424afaa0761698466630f230a6d138c0cf
-
SHA512
2f8531d18c0a393b96f0722c48d70693c6fffeeec0933adccf83ae2aea7e3f766f6fe9e61fec2b6ad89eec15bf50300d22cabcb9131bc1f3843d405b432d5450
-
SSDEEP
24576:cCdKVg+CWibFB7aYlcC8gTcxcsH6yTyIhBl5x6OOl3:cCIUuGoxWyTdhBln67
Static task
static1
Malware Config
Extracted
remcos
MEXICO
uyfijbuhvuyguhjvuyhuhbg.con-ip.com:1883
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-3CV4OK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
CONSOLIDADO DIGITAL DE DEMANDA 12 DE JULIO.exe
-
Size
1023.9MB
-
MD5
9780f8e4adc6012e0661b0a343474d40
-
SHA1
8393243c3327e934e6bccb15141820663d55a7b5
-
SHA256
45287b1123b46c3de113324bb247c08643e27fa743e253224c5c5a093e5d9181
-
SHA512
10ec310bd8bcaa3dabbef138dc1b49177d3cd548926d9b7e99d81c54ca7533ff61fe49bf20af03c876ecfc28f506272fb0c6c99aebc01131795ac37fe06a6978
-
SSDEEP
12288:f2+avXb5PBdKkQuWnOmhIx61axFbOXBR/O+yNUMIvkaW0o:e+MB7RQuO11abbqPMNU3vkn0o
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies RDP port number used by Windows
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-