Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system -
submitted
11/10/2023, 19:52
Static task
static1
Behavioral task
behavioral1
Sample
TNT Original Invoice.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
TNT Original Invoice.exe
Resource
win10v2004-20230915-en
General
-
Target
TNT Original Invoice.exe
-
Size
1023KB
-
MD5
119eaa1129f88196cae8f81a75ab8b31
-
SHA1
51223c629345eb969f8f56abcc6a11792178ff77
-
SHA256
8be324c37f356ce39300e054d452a5d5aa215449a25f431371aab8585d234d2b
-
SHA512
450239eabafa344c487f8a0ee17f000fefe39f0a78d6ea2ec09a0ad425c51c936428a48f1d853e5eff131f6ef1b5b2519c79e03d955452bc0b2a951af4a6af4d
-
SSDEEP
24576:ToMSdOp+dBHPdYBtO+mMP7tyUKVdZ39sakOzwsHru:kMDpQH2/OdP4a98ea
Malware Config
Extracted
remcos
RemoteHost
167.114.189.33:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-7ZDF66
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
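The extracted configuration above is a mix of always-present indicators (the C2 endpoint, the mutex) and feature settings whose paths only matter if the matching flag is on. The following is an added example, not code from the report or from the Remcos family itself: it turns the config into a hunt list, keeping install/keylog/screenshot artifacts in a separate "conditional" bucket because their flags are false here. REMCOS_CONFIG is constructed from the block above; INSTALL_BASE (%AppData% as the drop location for copy_folder and keylog_folder) and the reading that each *_flag gates its feature are this example's assumptions, not facts the report states.

```python
# Constructed from the "Malware Config / Extracted / remcos" block of the report.
REMCOS_CONFIG = {
    "RemoteHost": "167.114.189.33:2404",
    "mutex": "Rmc-7ZDF66",
    "install_flag": False,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "audio_folder": "MicRecords",
}

# Assumption, not stated in the report: the copy and keylog folders are created
# under %AppData%; only screenshot_path names its base explicitly.
INSTALL_BASE = "%AppData%"


def parse_remote_host(value):
    """Split a 'host:port' RemoteHost field into (host, port).

    A port outside 1-65535 raises instead of becoming a bogus network IoC.
    """
    parts = value.split(":")
    host, port = parts[0], int(parts[1])
    if not 0 < port < 65536:
        raise ValueError(f"bad port in RemoteHost: {value!r}")
    return host, port


def config_to_hunt_list(cfg):
    """Return {'expected': [...], 'conditional': [...]} of (kind, value, gate).

    Assumption (Remcos convention): each *_flag gates its feature, so an
    artifact behind a false flag is listed as conditional, i.e. worth a hunt
    only if a later build of the same config flips that flag.
    """
    host, port = parse_remote_host(cfg["RemoteHost"])
    expected = [
        ("c2", f"{host}:{port}", None),
        ("mutex", cfg["mutex"], None),
    ]
    conditional = []

    def gated(flag, kind, value):
        (expected if cfg.get(flag) else conditional).append((kind, value, flag))

    gated("install_flag", "file",
          f"{INSTALL_BASE}\\{cfg['copy_folder']}\\{cfg['copy_file']}")
    gated("keylog_flag", "file",
          f"{INSTALL_BASE}\\{cfg['keylog_folder']}\\{cfg['keylog_file']}")
    gated("screenshot_flag", "dir",
          f"{cfg['screenshot_path']}\\{cfg['screenshot_folder']}")
    return {"expected": expected, "conditional": conditional}


if __name__ == "__main__":
    for bucket, items in config_to_hunt_list(REMCOS_CONFIG).items():
        print(bucket)
        for kind, value, gate in items:
            print(f"  {kind:6} {value}" + (f"  (gated by {gate})" if gate else ""))
```

With this config only the C2 endpoint and the mutex land in "expected"; the Remcos\remcos.exe copy, remcos\logs.dat and the Screenshots folder stay conditional. The persistence actually observed in this run (the QQTpFQa.exe copy in AppData\Roaming and the scheduled task) comes from the process tree below, not from these Remcos settings.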
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description: set thread context
pid 2092 (TNT Original Invoice.exe) -> target pid 2568 (TNT Original Invoice.exe), procid_target 36
The parent rewrites the thread context of a second, child instance of its own executable. Together with the 13 WriteProcessMemory calls from 2092 into 2568 listed below, this is the process-hollowing sequence (child created suspended, payload written in, entry point redirected via SetThreadContext, thread resumed); the child 2568 is where the Remcos payload runs.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 2108 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid   Process                    count
2092  TNT Original Invoice.exe   10
2712  powershell.exe             1
1648  powershell.exe             1
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  2092  TNT Original Invoice.exe
Token: SeDebugPrivilege  2712  powershell.exe
Token: SeDebugPrivilege  1648  powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid 2568 TNT Original Invoice.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
description         pid   Process                    target pid  target Process             procid_target  count
wrote to memory of  2092  TNT Original Invoice.exe   2712        powershell.exe             30             4
wrote to memory of  2092  TNT Original Invoice.exe   1648        powershell.exe             32             4
wrote to memory of  2092  TNT Original Invoice.exe   2108        schtasks.exe               34             4
wrote to memory of  2092  TNT Original Invoice.exe   2568        TNT Original Invoice.exe   36             13
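The SetThreadContext and WriteProcessMemory rows above are two halves of one pattern, and the difference between the four writes into each spawned powershell.exe or schtasks.exe child and the thirteen writes plus a context rewrite into 2568 is what a detection should key on. The Python below is an added example, not part of the Triage report or of the sample: it replays the report's rows as constructed event records and flags only the parent/child pair that received both API calls. ApiEvent, detect_hollowing and benign_spawn_writes are names chosen for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    """One cross-process API call as a sandbox would log it."""
    api: str             # "WriteProcessMemory" or "SetThreadContext"
    pid: int             # calling process
    process: str         # image name of the caller
    target_pid: int      # process whose memory or thread was modified
    target_process: str  # image name of the target


# Constructed from the report's WriteProcessMemory and SetThreadContext rows;
# the per-pair counts are the report's, the ordering is simplified.
SAMPLE = "TNT Original Invoice.exe"
REPORT_EVENTS = (
    [ApiEvent("WriteProcessMemory", 2092, SAMPLE, 2712, "powershell.exe")] * 4
    + [ApiEvent("WriteProcessMemory", 2092, SAMPLE, 1648, "powershell.exe")] * 4
    + [ApiEvent("WriteProcessMemory", 2092, SAMPLE, 2108, "schtasks.exe")] * 4
    + [ApiEvent("WriteProcessMemory", 2092, SAMPLE, 2568, SAMPLE)] * 13
    + [ApiEvent("SetThreadContext", 2092, SAMPLE, 2568, SAMPLE)]
)


def detect_hollowing(events):
    """Return one finding per (parent, child) pair that received both
    WriteProcessMemory and SetThreadContext from the same parent.

    A small burst of WriteProcessMemory into every new child is normal
    CreateProcess behaviour, so writes alone are not enough; the thread
    context rewrite is what separates hollowing from ordinary spawning.
    """
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "src": "", "dst": ""})
    for ev in events:
        if ev.pid == ev.target_pid:
            continue  # self-modification is out of scope for this check
        slot = pairs[(ev.pid, ev.target_pid)]
        slot["src"], slot["dst"] = ev.process, ev.target_process
        if ev.api == "WriteProcessMemory":
            slot["writes"] += 1
        elif ev.api == "SetThreadContext":
            slot["ctx"] += 1

    findings = []
    for (src_pid, dst_pid), s in sorted(pairs.items()):
        if s["ctx"] == 0 or s["writes"] == 0:
            continue
        findings.append({
            "parent_pid": src_pid,
            "child_pid": dst_pid,
            "parent": s["src"],
            "child": s["dst"],
            "writes": s["writes"],
            "context_sets": s["ctx"],
            # Same image on both sides: the sample hollowed a copy of itself.
            "self_image": s["src"].lower() == s["dst"].lower(),
        })
    return findings


def benign_spawn_writes(events):
    """Write counts for pairs that were NOT flagged, i.e. ordinary spawns."""
    flagged = {(f["parent_pid"], f["child_pid"]) for f in detect_hollowing(events)}
    counts = defaultdict(int)
    for ev in events:
        if ev.api == "WriteProcessMemory" and (ev.pid, ev.target_pid) not in flagged:
            counts[(ev.pid, ev.target_pid)] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in detect_hollowing(REPORT_EVENTS):
        print(finding)
    print("unflagged spawn writes:", benign_spawn_writes(REPORT_EVENTS))
```

On the report's rows this yields a single finding, 2092 -> 2568 with 13 writes and self_image true, while the three (2092, child) pairs with four writes each are returned by benign_spawn_writes and never flagged. Remove the SetThreadContext row and nothing is flagged, which is the intended behaviour: write count on its own is a weak signal.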
Processes
-
C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe
command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe" (depth 1)
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe" (depth 2)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QQTpFQa.exe" (depth 2)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
C:\Windows\SysWOW64\schtasks.exe
command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QQTpFQa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3312.tmp" (depth 2)
- Creates scheduled task(s)
PID:2108
-
C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe
command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe" (depth 2)
- Suspicious use of SetWindowsHookEx
PID:2568
-
Notes on the tree: the image paths are under SysWOW64 although the command lines name System32, because the 32-bit parent is subject to WoW64 file-system redirection on the x64 guest. The two powershell.exe children add Windows Defender exclusions for the dropped sample and for its copy under AppData\Roaming (QQTpFQa.exe); the Defender PowerShell module that provides Add-MpPreference is not available on Windows 7, so on this image the calls are not expected to take effect, whereas the behavioral2 task runs on win10v2004 where the module exists. The scheduled task is created from an XML definition staged in %TEMP% (tmp3312.tmp), so its trigger and action are not visible on the command line; the task name matches the Roaming path excluded above. The second instance of the sample (PID 2568) is the child that receives the WriteProcessMemory and SetThreadContext calls from PID 2092 and is where the payload runs.
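Two of the child command lines above are the defense-evasion and persistence steps: Add-MpPreference -ExclusionPath for the dropped sample and its Roaming copy, and schtasks /Create /XML with a task definition staged in %TEMP%. The Python below is an added example, not part of the report: it parses those command lines (constructed here from the tree above) and pulls out the excluded path, the task name and the XML path, marking those that sit under user-writable directories. REPORT_CMDLINES, triage_cmdline, triage_tree and the USER_WRITABLE list are this example's own choices.

```python
import re

# Constructed from the report's process tree: command lines of the children
# that PID 2092 (the sample) launched.
REPORT_CMDLINES = {
    2712: r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"',
    1648: r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QQTpFQa.exe"',
    2108: r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QQTpFQa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3312.tmp"',
    2568: r'"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"',
}

# One argument: either a quoted value (may contain spaces) or a bare token.
_ARG = r'(?:"([^"]*)"|(\S+))'
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+" + _ARG, re.I)
SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
TN_RE = re.compile(r"/TN\s+" + _ARG, re.I)
XML_RE = re.compile(r"/XML\s+" + _ARG, re.I)

# Locations an unprivileged user can write to. An exclusion or task definition
# pointing here is far more suspicious than one under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _arg(m, first=1):
    """Value of the _ARG alternation whose groups start at index `first`."""
    return m.group(first) if m.group(first) is not None else m.group(first + 1)


def in_user_writable(path):
    return path is not None and any(seg in path.lower() for seg in USER_WRITABLE)


def triage_cmdline(cmdline):
    """Return a list of findings for one command line (empty if nothing matched)."""
    findings = []
    m = EXCLUSION_RE.search(cmdline)
    if m:
        path = _arg(m, 2)
        findings.append({
            "technique": "defender_exclusion",
            "kind": m.group(1),           # Path / Process / Extension
            "path": path,
            "user_writable": in_user_writable(path),
        })
    if SCHTASKS_RE.search(cmdline):
        tn, xml = TN_RE.search(cmdline), XML_RE.search(cmdline)
        xml_path = _arg(xml) if xml else None
        findings.append({
            "technique": "scheduled_task",
            "task": _arg(tn) if tn else None,
            "xml": xml_path,
            # /XML keeps trigger and action off the command line; a definition
            # staged under %TEMP% is the pattern this report shows.
            "xml_user_writable": in_user_writable(xml_path),
        })
    return findings


def triage_tree(cmdlines):
    """Apply triage_cmdline to a {pid: command line} mapping."""
    return {pid: triage_cmdline(cl) for pid, cl in cmdlines.items()}


if __name__ == "__main__":
    for pid, found in triage_tree(REPORT_CMDLINES).items():
        for f in found:
            print(pid, f)
```

The XML file itself (tmp3312.tmp) is the thing to pull from the analysis when the command line is parsed this way, since the action it schedules is not on the command line; the parser only tells you that such a file was used and where it was staged.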
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
144B
MD5 9f3c88ff1932b003a949ae1971e920c0
SHA1 06707d4ba5edff4dbe5da2fbe71129256fe3aaa2
SHA256 7cafe6c1df4467557f3b2459380e8a9a6d8e4543ed38ae188a94fef591c08cba
SHA512 71b9afb9f942c25789ad6dcf9dfe0e663c92672f59bf93b608a4fa97f15720cdf4d702cc7a883764fe2b91388c44f1eb5bac436eacbdded7134373c542e7d3e1
-
Filesize
1KB
MD5 d8836b5d43daca19a9b1907f6e34cb2a
SHA1 218400d1b07d31f2ec2abca05448d120a03021c3
SHA256 66a93ecb627bf86df6c2c2a4d27fbdf464cfd33bc9ac1d2e84b3dc91f62c9f29
SHA512 ee13f08e035da24e1d5d4791b31aa686ed5ebe9f7f5366f5529c288f767d26017f12e984fa980e4f1aa1ad6c4bbc3faa5f5db4ac7375d28bf430ef91c119aa42
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\441KWE1A3VVK9ILRA94Z.temp
Filesize
7KB
MD5 ebf0742702d496eebf5fc781b5cf3252
SHA1 cfe42e940d349558e3259b23de9234a520eefbbd
SHA256 33696d7181d6890cf1727fb9378722b005b65e4d747a818e0b83cadd05ec5147
SHA512 7db13d1cbceea7f4f81c2702f5f86f8c37dbb0b1e3a75d78013ea6ce97ab32fff6d6998fd9e318ed70ce5f6a2fabc76c5e2c1b7ed2b2b70efbaf3028c4a958bd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
(same content as the .temp entry above: identical hashes)
Filesize
7KB
MD5 ebf0742702d496eebf5fc781b5cf3252
SHA1 cfe42e940d349558e3259b23de9234a520eefbbd
SHA256 33696d7181d6890cf1727fb9378722b005b65e4d747a818e0b83cadd05ec5147
SHA512 7db13d1cbceea7f4f81c2702f5f86f8c37dbb0b1e3a75d78013ea6ce97ab32fff6d6998fd9e318ed70ce5f6a2fabc76c5e2c1b7ed2b2b70efbaf3028c4a958bd