Analysis
  max time kernel: 143s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-20230915-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 03/10/2023, 06:08
Static task: static1
Behavioral task: behavioral1 (sample: file.exe, resource: win7-20230831-en)
Behavioral task: behavioral2 (sample: file.exe, resource: win10v2004-20230915-en)
General
  Target: file.exe
  Size: 574KB
  MD5: 69bf840d279bb17e387e74914a122af6
  SHA1: 7c5e6a9c7107ed3ef251d5571ef2dd053165ec8d
  SHA256: 343b2ad0290badf5ce4700a3b93866f63ef8157b157f09cb3c9da4f3efd1c1c2
  SHA512: 6d374c7b929b3f52b1723e0a13e316a0d51e6fee43e949a3453b77b1d7a7e11018a5ae279996c004fa26f161115c331a96f0a1ef01725aa847ce292d18792d84
  SSDEEP: 12288:V0obxAhh3kCS/ylnAjQSLhBPlyF1+SULR2NpT5R:hlAoiFSnlyFk1LR8pT5R
Malware Config
  Extracted family: remcos
  Botnet: Sammmmm
  C2: 185.225.74.166:1606
  audio_folder: MicRecords
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  mouse_option: false
  mutex: Rmc-46ILKG
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  take_screenshot_option: false
  take_screenshot_time: 5
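The configuration above is what Triage recovered from the sample. As an added example (not Triage's or Remcos' own code), the block below decodes a Remcos-style settings blob the way public analyses describe it: one length byte, an RC4 key of that length, then RC4 ciphertext whose plaintext is a list of fields joined by "|\x1e\x1e\x1f|", the first field holding host:port:password C2 entries and the second the assigned botnet name. That layout, the field separator, the field indexes, and the sample blob (built from the values above with a made-up key) are assumptions of this example and vary between Remcos versions; they are not claims made by the report.

```python
"""Decode a Remcos-style SETTINGS blob: key length byte, RC4 key, RC4 ciphertext.

Added illustration, not Remcos or Triage code. Layout and separators follow
public analyses of Remcos samples (assumption; older builds used "||").
"""
from typing import Dict, List


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Field separator seen in Remcos v3+ settings (assumption from public write-ups).
SEP = b"|\x1e\x1e\x1f|"


def decode_settings(blob: bytes) -> List[bytes]:
    """blob[0] = key length, blob[1:1+n] = RC4 key, rest = ciphertext (assumption)."""
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("malformed settings blob")
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    return plain.split(SEP)


def parse_c2(field: bytes) -> List[Dict[str, object]]:
    """First field: host:port:password entries separated by 0x1f (assumption)."""
    entries = []
    for entry in field.split(b"\x1f"):
        if not entry:
            continue
        host, port, password = entry.decode("latin-1").split(":", 2)
        entries.append({"host": host, "port": int(port), "password": password})
    return entries


def extract(blob: bytes) -> Dict[str, object]:
    """Return the C2 list, the botnet name (field 1, assumption) and the field count."""
    fields = decode_settings(blob)
    return {
        "c2": parse_c2(fields[0]),
        "botnet": fields[1].decode("latin-1"),
        "fields": len(fields),
    }


def build_sample_blob() -> bytes:
    """Constructed test data: the report's C2, botnet and mutex values encrypted
    under a made-up key 'Pass' and a made-up C2 password '1'."""
    key = b"Pass"
    fields = [b"185.225.74.166:1606:1", b"Sammmmm", b"Rmc-46ILKG"]
    return bytes([len(key)]) + key + rc4(key, SEP.join(fields))


if __name__ == "__main__":
    print(extract(build_sample_blob()))
```

The RC4 routine is checked against the public "Key"/"Plaintext" test vector, so a real blob that fails to split on the separator points to a different version layout rather than a broken cipher.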
Signatures
  Guloader, Cloudeye
    A shellcode-based downloader first seen in 2020.
  NirSoft MailPassView (2 IoCs)
    Password recovery tool for various email clients.
    resource                                                                       yara_rule
    behavioral2/memory/1788-250-0x0000000000400000-0x0000000000457000-memory.dmp   MailPassView
    behavioral2/memory/1788-255-0x0000000000400000-0x0000000000457000-memory.dmp   MailPassView
  NirSoft WebBrowserPassView (2 IoCs)
    Password recovery tool for various web browsers.
    resource                                                                       yara_rule
    behavioral2/memory/1844-248-0x0000000000400000-0x0000000000478000-memory.dmp   WebBrowserPassView
    behavioral2/memory/1844-263-0x0000000000400000-0x0000000000478000-memory.dmp   WebBrowserPassView
  Nirsoft (6 IoCs)
    resource                                                                       yara_rule
    behavioral2/memory/1844-248-0x0000000000400000-0x0000000000478000-memory.dmp   Nirsoft
    behavioral2/memory/1788-250-0x0000000000400000-0x0000000000457000-memory.dmp   Nirsoft
    behavioral2/memory/1788-255-0x0000000000400000-0x0000000000457000-memory.dmp   Nirsoft
    behavioral2/memory/4704-259-0x0000000000400000-0x0000000000424000-memory.dmp   Nirsoft
    behavioral2/memory/4704-260-0x0000000000400000-0x0000000000424000-memory.dmp   Nirsoft
    behavioral2/memory/1844-263-0x0000000000400000-0x0000000000478000-memory.dmp   Nirsoft
  Checks QEMU agent file (2 TTPs, 2 IoCs)
    Checks presence of QEMU agent, possibly to detect virtualization.
    description               ioc                                    Process
    File opened (read-only)   C:\Program Files\Qemu-ga\qemu-ga.exe   file.exe
    File opened (read-only)   C:\Program Files\Qemu-ga\qemu-ga.exe   file.exe
  Loads dropped DLL (2 IoCs)
    pid    Process
    4880   file.exe
    4880   file.exe
  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
    description   ioc                                                                                                                    Process
    Key opened    \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   file.exe
  Adds Run key to start application (2 TTPs, 1 IoCs)
    description       ioc                                                                                                                                                                                          Process
    Set value (str)   \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ischialgia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Foreteelserne211\\Bistaaedes244.exe"   file.exe
  Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
    pid    Process
    3104   file.exe
  Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
    pid    Process
    4880   file.exe
    3104   file.exe
  Suspicious use of SetThreadContext (4 IoCs)
    description                           pid    Process    procid_target
    PID 4880 set thread context of 3104   4880   file.exe   99
    PID 3104 set thread context of 1844   3104   file.exe   102
    PID 3104 set thread context of 1788   3104   file.exe   103
    PID 3104 set thread context of 4704   3104   file.exe   104
  Drops file in Windows directory (2 IoCs)
    description                    ioc                                                Process
    File opened for modification   C:\Windows\resources\amelanchier\fagpolitisk.lid   file.exe
    File opened for modification   C:\Windows\gedeskg\jeminas.chu                     file.exe
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Program crash (1 IoCs)
    pid    pid_target   Process        procid_target
    1708   3104         WerFault.exe   99
  Suspicious behavior: EnumeratesProcesses (6 IoCs)
    pid    Process
    1844   file.exe
    1844   file.exe
    4704   file.exe
    4704   file.exe
    1844   file.exe
    1844   file.exe
  Suspicious behavior: MapViewOfSection (4 IoCs)
    pid    Process
    4880   file.exe
    3104   file.exe
    3104   file.exe
    3104   file.exe
  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description               pid    Process
    Token: SeDebugPrivilege   4704   file.exe
  Suspicious use of FindShellTrayWindow (1 IoCs)
    pid    Process
    3104   file.exe
  Suspicious use of SendNotifyMessage (1 IoCs)
    pid    Process
    3104   file.exe
  Suspicious use of WriteProcessMemory (14 IoCs, identical rows collapsed with a count)
    description                        pid    Process    procid_target   count
    PID 4880 wrote to memory of 3104   4880   file.exe   99              5
    PID 3104 wrote to memory of 1844   3104   file.exe   102             3
    PID 3104 wrote to memory of 1788   3104   file.exe   103             3
    PID 3104 wrote to memory of 4704   3104   file.exe   104             3
Processes
  C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 4880)
    command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Checks QEMU agent file
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 3104)
      command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      - Checks QEMU agent file
      - Adds Run key to start application
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 1844)
        command line: C:\Users\Admin\AppData\Local\Temp\file.exe /stext "C:\Users\Admin\AppData\Local\Temp\ndvtkriylzb"
        - Suspicious behavior: EnumeratesProcesses
      C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 1788)
        command line: C:\Users\Admin\AppData\Local\Temp\file.exe /stext "C:\Users\Admin\AppData\Local\Temp\xfimkcsazhtvafk"
        - Accesses Microsoft Outlook accounts
      C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 4704)
        command line: C:\Users\Admin\AppData\Local\Temp\file.exe /stext "C:\Users\Admin\AppData\Local\Temp\aznwludtvqlaklgsvl"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe  (PID 1708)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1892
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe  (PID 1384)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3104 -ip 3104
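The SetThreadContext and WriteProcessMemory signatures and the process tree above describe a two-stage hollowing chain: 4880 hollows 3104, and 3104 then hollows three clones of its own image, each started with the NirSoft "/stext <file>" switch that writes recovered passwords to a text file. The block below, an added example that is not Triage's code, reconstructs that chain from the report's events and flags the credential-dump clones. The event tuples and the pid-to-command-line map are transcribed from the report (identical repeated WriteProcessMemory rows collapsed); the data layout, the function names and the "same image as injector plus /stext" rule are assumptions of this example.

```python
"""Reconstruct the hollowing chain and flag '/stext' credential-dump clones.

Added illustration for this report, not Triage or Remcos code. Events and
process lines are transcribed from the report; the data layout is an assumption.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (api, source pid, target pid) from the SetThreadContext / WriteProcessMemory
# signatures, repeated identical rows collapsed (transcribed from the report).
EVENTS: List[Tuple[str, int, int]] = [
    ("SetThreadContext", 4880, 3104),
    ("SetThreadContext", 3104, 1844),
    ("SetThreadContext", 3104, 1788),
    ("SetThreadContext", 3104, 4704),
    ("WriteProcessMemory", 4880, 3104),
    ("WriteProcessMemory", 3104, 1844),
    ("WriteProcessMemory", 3104, 1788),
    ("WriteProcessMemory", 3104, 4704),
]

TMP = r"C:\Users\Admin\AppData\Local\Temp"

# pid -> (parent pid, command line), transcribed from the process tree.
PROCESSES: Dict[int, Tuple[Optional[int], str]] = {
    4880: (None, f'"{TMP}\\file.exe"'),
    3104: (4880, f'"{TMP}\\file.exe"'),
    1844: (3104, f'{TMP}\\file.exe /stext "{TMP}\\ndvtkriylzb"'),
    1788: (3104, f'{TMP}\\file.exe /stext "{TMP}\\xfimkcsazhtvafk"'),
    4704: (3104, f'{TMP}\\file.exe /stext "{TMP}\\aznwludtvqlaklgsvl"'),
    1708: (3104, r"C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1892"),
    1384: (None, r"C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3104 -ip 3104"),
}


def image_of(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def hollowed_targets(events: List[Tuple[str, int, int]]) -> Dict[int, int]:
    """target pid -> source pid for every pair where one source both wrote the
    target's memory and replaced a thread context (the process-hollowing pair)."""
    apis = defaultdict(set)
    for api, src, dst in events:
        apis[(src, dst)].add(api)
    return {dst: src for (src, dst), seen in apis.items()
            if {"WriteProcessMemory", "SetThreadContext"} <= seen}


def injection_chain(events: List[Tuple[str, int, int]], root: int) -> List[Tuple[int, int]]:
    """(depth, pid) in pre-order, following hollowing edges down from root."""
    children = defaultdict(list)
    for dst, src in hollowed_targets(events).items():
        children[src].append(dst)
    order: List[Tuple[int, int]] = []

    def walk(pid: int, depth: int) -> None:
        order.append((depth, pid))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return order


def flag_credential_dumps(events, procs: Dict[int, Tuple[Optional[int], str]]) -> List[int]:
    """Hollowed children that are a clone of their injector's own image and
    carry the NirSoft '/stext <file>' switch (dump recovered passwords to a file)."""
    flagged = []
    for pid, src in hollowed_targets(events).items():
        cmd = procs[pid][1]
        same_image = image_of(cmd).lower() == image_of(procs[src][1]).lower()
        if same_image and "/stext" in cmd.lower():
            flagged.append(pid)
    return sorted(flagged)


if __name__ == "__main__":
    for depth, pid in injection_chain(EVENTS, 4880):
        print("  " * depth + f"{pid}: {PROCESSES[pid][1]}")
    print("credential-dump clones:", flag_credential_dumps(EVENTS, PROCESSES))
```

The same rule transfers to endpoint telemetry: a child whose image equals its parent's, created after the parent's WriteProcessMemory/SetThreadContext pair, and started with /stext is the NirSoft-in-hollowed-clone pattern; the WerFault children are not hollowed and are correctly left out.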
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 4KB
  MD5: eb3c3b62670ddbade705bcd24e9aa579
  SHA1: 1b81d999e9a5746ff5d24505c26f717c4e4be8b7
  SHA256: 7f741423d89d34e74539783a8ffd1463bc67300bd8a4bdf4f95faaa53c9efa23
  SHA512: 4187e1796c875b39860c6df698f2317d3b0c9a1328a635aebe37576625f510f28e842cc30f06bb1847de3ceef53b7cdb0001290aec90a5fcada51d0f75bce3f1

  Filesize: 11KB (listed three times in the report with identical hashes)
  MD5: 34442e1e0c2870341df55e1b7b3cccdc
  SHA1: 99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c
  SHA256: 269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1
  SHA512: 4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

  Filesize: 37B
  MD5: dc162b140294db15512791cd220783b0
  SHA1: 3aea809077577eea8a6615d32964dbbc2f74e783
  SHA256: dee92e7829a8e3773852fab991cf08c61f9f47cd377aef602d778f2ab4b64af4
  SHA512: b2fb8452db12a05ae6bbf7f50aa608cd219418f467c90f4d0023f5e666580bf613709ad50664c14a352412fc96ead8236850a338ca52e5327f09e9d704bf96f0