Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2023, 06:08

General

  • Target

    file.exe

  • Size

    574KB

  • MD5

    69bf840d279bb17e387e74914a122af6

  • SHA1

    7c5e6a9c7107ed3ef251d5571ef2dd053165ec8d

  • SHA256

    343b2ad0290badf5ce4700a3b93866f63ef8157b157f09cb3c9da4f3efd1c1c2

  • SHA512

    6d374c7b929b3f52b1723e0a13e316a0d51e6fee43e949a3453b77b1d7a7e11018a5ae279996c004fa26f161115c331a96f0a1ef01725aa847ce292d18792d84

  • SSDEEP

    12288:V0obxAhh3kCS/ylnAjQSLhBPlyF1+SULR2NpT5R:hlAoiFSnlyFk1LR8pT5R

Malware Config

Extracted

Family

remcos

Botnet

Sammmmm

C2

185.225.74.166:1606

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-46ILKG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Checks QEMU agent file
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        C:\Users\Admin\AppData\Local\Temp\file.exe /stext "C:\Users\Admin\AppData\Local\Temp\ndvtkriylzb"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1844
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        C:\Users\Admin\AppData\Local\Temp\file.exe /stext "C:\Users\Admin\AppData\Local\Temp\xfimkcsazhtvafk"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:1788
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        C:\Users\Admin\AppData\Local\Temp\file.exe /stext "C:\Users\Admin\AppData\Local\Temp\aznwludtvqlaklgsvl"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4704
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1892
        3⤵
        • Program crash
        PID:1708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3104 -ip 3104
    1⤵
      PID:1384

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ndvtkriylzb

      Filesize

      4KB

      MD5

      eb3c3b62670ddbade705bcd24e9aa579

      SHA1

      1b81d999e9a5746ff5d24505c26f717c4e4be8b7

      SHA256

      7f741423d89d34e74539783a8ffd1463bc67300bd8a4bdf4f95faaa53c9efa23

      SHA512

      4187e1796c875b39860c6df698f2317d3b0c9a1328a635aebe37576625f510f28e842cc30f06bb1847de3ceef53b7cdb0001290aec90a5fcada51d0f75bce3f1

    • C:\Users\Admin\AppData\Local\Temp\nsu7783.tmp\System.dll

      Filesize

      11KB

      MD5

      34442e1e0c2870341df55e1b7b3cccdc

      SHA1

      99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

      SHA256

      269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1

      SHA512

      4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

    • C:\Users\Admin\AppData\Local\Temp\nsu7783.tmp\System.dll

      Filesize

      11KB

      MD5

      34442e1e0c2870341df55e1b7b3cccdc

      SHA1

      99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

      SHA256

      269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1

      SHA512

      4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

    • C:\Users\Admin\AppData\Local\Temp\nsu7783.tmp\System.dll

      Filesize

      11KB

      MD5

      34442e1e0c2870341df55e1b7b3cccdc

      SHA1

      99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

      SHA256

      269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1

      SHA512

      4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

    • C:\Users\Admin\antirachitically.ini

      Filesize

      37B

      MD5

      dc162b140294db15512791cd220783b0

      SHA1

      3aea809077577eea8a6615d32964dbbc2f74e783

      SHA256

      dee92e7829a8e3773852fab991cf08c61f9f47cd377aef602d778f2ab4b64af4

      SHA512

      b2fb8452db12a05ae6bbf7f50aa608cd219418f467c90f4d0023f5e666580bf613709ad50664c14a352412fc96ead8236850a338ca52e5327f09e9d704bf96f0

    • memory/1788-255-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/1788-250-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/1788-245-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/1788-242-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/1844-240-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

    • memory/1844-263-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

    • memory/1844-248-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

    • memory/1844-244-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

    • memory/3104-216-0x0000000000460000-0x0000000002483000-memory.dmp

      Filesize

      32.1MB

    • memory/3104-266-0x0000000033630000-0x0000000033649000-memory.dmp

      Filesize

      100KB

    • memory/3104-237-0x0000000000460000-0x0000000002483000-memory.dmp

      Filesize

      32.1MB

    • memory/3104-233-0x00000000726F0000-0x0000000073944000-memory.dmp

      Filesize

      18.3MB

    • memory/3104-219-0x0000000076FA1000-0x00000000770C1000-memory.dmp

      Filesize

      1.1MB

    • memory/3104-218-0x0000000077028000-0x0000000077029000-memory.dmp

      Filesize

      4KB

    • memory/3104-217-0x0000000000460000-0x0000000002483000-memory.dmp

      Filesize

      32.1MB

    • memory/3104-272-0x0000000033630000-0x0000000033649000-memory.dmp

      Filesize

      100KB

    • memory/3104-271-0x00000000726F0000-0x0000000073944000-memory.dmp

      Filesize

      18.3MB

    • memory/3104-238-0x00000000726F0000-0x0000000073944000-memory.dmp

      Filesize

      18.3MB

    • memory/3104-270-0x0000000000460000-0x0000000002483000-memory.dmp

      Filesize

      32.1MB

    • memory/3104-269-0x0000000033630000-0x0000000033649000-memory.dmp

      Filesize

      100KB

    • memory/4704-247-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/4704-260-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/4704-259-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/4704-256-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

    • memory/4880-213-0x0000000004320000-0x0000000006343000-memory.dmp

      Filesize

      32.1MB

    • memory/4880-212-0x0000000004320000-0x0000000006343000-memory.dmp

      Filesize

      32.1MB

    • memory/4880-214-0x0000000076FA1000-0x00000000770C1000-memory.dmp

      Filesize

      1.1MB

    • memory/4880-215-0x0000000073BF0000-0x0000000073BF6000-memory.dmp

      Filesize

      24KB