Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 23/10/2023, 11:11
Static task: static1
Behavioral task: behavioral1
Sample: Cheque copy.exe
Resource: win7-20231020-en
General
Target: Cheque copy.exe
Size: 1.0MB
MD5: 23a617011a3d71135f895ed5fd643c6e
SHA1: 15b7efb6dfa050ee1892a1112329ef360bc1317c
SHA256: ce39a137b9ff86bf23d7c62480a804e8d25c8b9154e9792b669374ac7f92e192
SHA512: 0e7f3fe27c6ebd66a93291349f91db1e30dc88f0bc96064a935f6e5f42b93e6967e8a9101fae14a9e7d18224dcffb1e8402dab451f16e465550d960970e1fcad
SSDEEP: 24576:tDDxs6gnAsLzJ6Wy3V6yANOVofLAw8meQcOQezIcLUCs:tDNs6gnAsL9O+gCfLAwdcOQYI
Malware Config
Extracted: remcos
fun
194.147.140.194:1998
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-62Q8OD
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3052 set thread context of 2268 | 3052 | Cheque copy.exe | 34

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2872 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
3052 | Cheque copy.exe
3052 | Cheque copy.exe
3052 | Cheque copy.exe
3052 | Cheque copy.exe
3052 | Cheque copy.exe
3052 | Cheque copy.exe
3052 | Cheque copy.exe
2864 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3052 | Cheque copy.exe
Token: SeDebugPrivilege | 2864 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2268 | Cheque copy.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 3052 wrote to memory of 2864 | 3052 | Cheque copy.exe | 30
PID 3052 wrote to memory of 2864 | 3052 | Cheque copy.exe | 30
PID 3052 wrote to memory of 2864 | 3052 | Cheque copy.exe | 30
PID 3052 wrote to memory of 2864 | 3052 | Cheque copy.exe | 30
PID 3052 wrote to memory of 2872 | 3052 | Cheque copy.exe | 32
PID 3052 wrote to memory of 2872 | 3052 | Cheque copy.exe | 32
PID 3052 wrote to memory of 2872 | 3052 | Cheque copy.exe | 32
PID 3052 wrote to memory of 2872 | 3052 | Cheque copy.exe | 32
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
PID 3052 wrote to memory of 2268 | 3052 | Cheque copy.exe | 34
Processes

C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe"
  PID: 3052
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SzKneWgZlzw.exe"
    PID: 2864
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzKneWgZlzw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp10E2.tmp"
    PID: 2872
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe"
    PID: 2268
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: c05b4328707e5cd1bcc53759de66ba54
SHA1: aa18f1e194af65fc900ac38574fb462cb8702c9c
SHA256: 3153e8a8df3385acc52c3b01d15fb5899d688bef500141266d7eeefcc2fb1b6a
SHA512: dc83f9d6358ead4284e1b814e34078266cb605717a02d749e070e8d5657104f4ac25ac1827eb86efd1726b0a82fd3ed79172ae166ee747dec40991195c21c095

Filesize: 1KB
MD5: 87ef0e44e18cd544eb4a625decfa4701
SHA1: 51a2e859e2cb1b32db46f18682e9df1ac2f3b35c
SHA256: 124ea08e5164a8fe4c3ca1ee265d1675e3a5038a6b1769f534ef2c10600e51b7
SHA512: 3b979ddd4ee391b7889e639e3dabcdea9d8972f74ea0261accc5203e8bead99bd8c29165db1fc3e9e407452217814471bcf95697a3979f4668d0a9ab15a9f8e9