Analysis
- max time kernel: 157s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/10/2023, 11:11
Static task
- static1
Behavioral task
- behavioral1
- Sample: Cheque copy.exe
- Resource: win7-20231020-en
General
- Target: Cheque copy.exe
- Size: 1.0MB
- MD5: 23a617011a3d71135f895ed5fd643c6e
- SHA1: 15b7efb6dfa050ee1892a1112329ef360bc1317c
- SHA256: ce39a137b9ff86bf23d7c62480a804e8d25c8b9154e9792b669374ac7f92e192
- SHA512: 0e7f3fe27c6ebd66a93291349f91db1e30dc88f0bc96064a935f6e5f42b93e6967e8a9101fae14a9e7d18224dcffb1e8402dab451f16e465550d960970e1fcad
- SSDEEP: 24576:tDDxs6gnAsLzJ6Wy3V6yANOVofLAw8meQcOQezIcLUCs:tDNs6gnAsL9O+gCfLAwdcOQYI
Malware Config
Extracted
- family: remcos
- botnet: fun
- C2: 194.147.140.194:1998
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-62Q8OD
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Note: install_flag, keylog_flag, screenshot_flag and take_screenshot_option are all false in this build, so the copy_folder/copy_file, keylog_file and screenshot_folder paths above are not expected to appear on disk from Remcos itself; the mutex name and the C2 endpoint (an IP literal, so DNS telemetry will not help) are the artifacts to hunt on, and persistence comes from the scheduled task created by the loader (see Processes).
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key queried: \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation (Cheque copy.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1444 (Cheque copy.exe) set thread context of PID 2380 (procid_target 99)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2036 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 1444 Cheque copy.exe (9 events), PID 1144 powershell.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1444 Cheque copy.exe
  Token: SeDebugPrivilege, PID 1144 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2380 Cheque copy.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 1444 (Cheque copy.exe) wrote to memory of:
  - PID 1144 (procid_target 94): 3 events
  - PID 2036 (procid_target 96): 3 events
  - PID 2248 (procid_target 98): 3 events
  - PID 2380 (procid_target 99): 12 events
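The WriteProcessMemory and SetThreadContext rows above are flattened table cells in the column order description, pid, Process, procid_target. The Python below is an added example, not Triage's own code: it parses rows in that layout and ranks the writer's targets by injection evidence (cross-process writes plus a SetThreadContext on the same target). The row text is rebuilt from the counts on this page; the "baseline" heuristic (the most common write count among the parent's children is ordinary process creation) is an assumption of this example, not something the report states.

```python
"""Rank the children of a process by injection evidence, from flattened
Triage signature rows.  Added example, not Triage's own code.  The row text
is rebuilt from this report's counts (21 WriteProcessMemory rows, one
SetThreadContext row); column order is description, pid, Process,
procid_target, as in the report."""
import re
from collections import Counter

# Rebuilt from the "Suspicious use of WriteProcessMemory" rows: 1444 wrote to
# 1144 (x3), 2036 (x3), 2248 (x3) and 2380 (x12).
WRITE_ROWS = " ".join(
    f"PID 1444 wrote to memory of {dst} 1444 Cheque copy.exe {procid}"
    for dst, procid, n in [(1144, 94, 3), (2036, 96, 3), (2248, 98, 3), (2380, 99, 12)]
    for _ in range(n)
)
# Copied from the "Suspicious use of SetThreadContext" row.
CTX_ROWS = "PID 1444 set thread context of 2380 1444 Cheque copy.exe 99"


def parse_rows(text, verb):
    """Split a run of 'PID <src> <verb> <dst> <pid> <Process> <procid_target>'
    rows.  The process name may contain spaces, so it is matched lazily and
    terminated by the numeric procid_target followed by the next 'PID' (or
    end of text)."""
    text = " ".join(text.split())  # tolerate wrapped / extracted text
    pat = re.compile(
        rf"PID (\d+) {re.escape(verb)} (\d+) (\d+) (.+?) (\d+)(?=\s+PID\b|\s*$)"
    )
    return [
        {"src": int(src), "dst": int(dst), "process": proc, "procid_target": int(pt)}
        for src, dst, _pid, proc, pt in pat.findall(text)
    ]


def injection_candidates(writes, ctx):
    """Per target PID: number of cross-process writes and whether the writer
    also set a thread context there.  Writes alone are ordinary for a parent
    creating children; writes plus SetThreadContext on the same target is the
    pattern that marks an injected / hollowed child."""
    per_target = Counter(w["dst"] for w in writes)
    ctx_targets = {c["dst"] for c in ctx}
    ranked = [
        {"pid": pid, "writes": n, "set_thread_context": pid in ctx_targets}
        for pid, n in per_target.items()
    ]
    # Stable sort: ties keep report order.
    ranked.sort(key=lambda r: (r["set_thread_context"], r["writes"]), reverse=True)
    return ranked


def likely_injected(ranked):
    """Targets that received SetThreadContext and more writes than the
    baseline (assumption: the most common write count among the writer's
    children is what plain process creation costs)."""
    baseline = Counter(r["writes"] for r in ranked).most_common(1)[0][0]
    return [r["pid"] for r in ranked if r["set_thread_context"] and r["writes"] > baseline]


if __name__ == "__main__":
    writes = parse_rows(WRITE_ROWS, "wrote to memory of")
    ctx = parse_rows(CTX_ROWS, "set thread context of")
    ranked = injection_candidates(writes, ctx)
    for row in ranked:
        print(row)
    print("likely injected:", likely_injected(ranked))
```

Run against this report the ranking puts PID 2380 first (12 writes and the only SetThreadContext target), with the three ordinary children at 3 writes each; that matches the tree below, where 2380 is the copy that goes on to call SetWindowsHookEx.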
Processes
- C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe (PID 1444)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1144)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SzKneWgZlzw.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2036)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzKneWgZlzw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7395.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe (PID 2248)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe"
  - C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe (PID 2380)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe"
    - Suspicious use of SetWindowsHookEx
Note: the child image paths resolve to SysWOW64 although the command lines name System32, so the parent is a 32-bit process and the System32 references are WOW64 file-system redirection. The Defender exclusion and the scheduled task both refer to SzKneWgZlzw under the user's Roaming profile; the dropped-file list below records sizes and hashes only, so whether that executable was actually written cannot be confirmed from this page.
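The chain above (loader adds a Defender exclusion, registers a scheduled task from a temp-folder XML, then launches two copies of itself and injects into one) is what a host-based detection should key on. The Python below is an added example, not Triage or Sysmon code: three hunt rules run over constructed Sysmon event ID 1 (process creation) style records modelled on the tree above, plus two benign look-alikes to show the tuning. The root's parent PID and image, the benign records' PIDs and paths, and the vendor names are made up for the example. Sysmon does not log SetThreadContext or the Geo\Nation registry read, so the self-spawn rule stands in for the injection step.

```python
"""Hunt rules for the process chain in this report, run over Sysmon event ID 1
(process creation) style records.  Added example, not Triage or Sysmon code.
EVENTS is constructed: records 0-4 mirror the report's process tree (the
root's parent PID/image are assumed); records 5-6 are benign look-alikes."""
import re

# Paths a standard user can write to; separates "installer in a user profile"
# from "administrator working from a system path".
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)"
    r"|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.I,
)
# Add-MpPreference -Exclusion{Path,Process,Extension,...} <value>
MP_EXCLUSION = re.compile(r'\bAdd-MpPreference\b.*?-Exclusion\w*\s+"?([^"]+)', re.I)
# schtasks /Create ... /XML <file under %LocalAppData%\Temp>
SCHTASKS_XML_TEMP = re.compile(r'/create\b.*?/xml\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)

LOADER = r"C:\Users\Admin\AppData\Local\Temp\Cheque copy.exe"
EVENTS = [  # constructed, modelled on the process tree above
    {"ProcessId": 1444, "ParentProcessId": 5000, "Image": LOADER,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{LOADER}"'},
    {"ProcessId": 1144, "ParentProcessId": 1444,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": LOADER,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SzKneWgZlzw.exe"'},
    {"ProcessId": 2036, "ParentProcessId": 1444,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": LOADER,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzKneWgZlzw" '
                    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp7395.tmp"'},
    {"ProcessId": 2248, "ParentProcessId": 1444, "Image": LOADER,
     "ParentImage": LOADER, "CommandLine": f'"{LOADER}"'},
    {"ProcessId": 2380, "ParentProcessId": 1444, "Image": LOADER,
     "ParentImage": LOADER, "CommandLine": f'"{LOADER}"'},
    # benign (constructed): admin excludes a vendor path from an interactive console
    {"ProcessId": 3100, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\agent.exe"'},
    # benign (constructed): a vendor updater relaunching itself from Program Files
    {"ProcessId": 3200, "ParentProcessId": 3199,
     "Image": r"C:\Program Files\Vendor\updater.exe",
     "ParentImage": r"C:\Program Files\Vendor\updater.exe",
     "CommandLine": r'"C:\Program Files\Vendor\updater.exe" /relaunch'},
]


def rule_defender_exclusion(ev):
    """Add-MpPreference -Exclusion* where either the caller's parent or the
    excluded path lives in a user-writable location."""
    m = MP_EXCLUSION.search(ev["CommandLine"])
    if not m:
        return False
    return bool(USER_WRITABLE.search(ev["ParentImage"]) or USER_WRITABLE.search(m.group(1)))


def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create importing a task definition from the user's Temp folder."""
    return ev["Image"].lower().endswith("\\schtasks.exe") and bool(
        SCHTASKS_XML_TEMP.search(ev["CommandLine"]))


def rule_self_spawn_from_user_dir(ev):
    """A process launching a second copy of its own image from a user-writable
    path: the precursor visible in process-creation telemetry before the
    WriteProcessMemory / SetThreadContext injection the sandbox reports."""
    return ev["Image"].lower() == ev["ParentImage"].lower() and bool(
        USER_WRITABLE.search(ev["Image"]))


RULES = {
    "defender_exclusion_from_user_dir": rule_defender_exclusion,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "self_spawn_from_user_dir": rule_self_spawn_from_user_dir,
}


def hunt(events):
    """(rule name, ProcessId) for every record that matches a rule."""
    return [(name, ev["ProcessId"]) for ev in events for name, fn in RULES.items() if fn(ev)]


def cluster_by_parent(events, hits):
    """Group hits by ParentProcessId: several distinct rules firing under one
    parent is the strongest signal (here everything hangs off PID 1444)."""
    parent = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events}
    out = {}
    for name, pid in hits:
        out.setdefault(parent[pid], set()).add(name)
    return {p: sorted(names) for p, names in out.items()}


if __name__ == "__main__":
    hits = hunt(EVENTS)
    for hit in hits:
        print(hit)
    print(cluster_by_parent(EVENTS, hits))
```

On a live host the same artifacts can be confirmed directly: the exclusion with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`, and the task with `schtasks /Query /TN Updates\SzKneWgZlzw /XML`, which also shows the command the task runs, something the Triage tree above cannot tell you because the XML is read from a temp file.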
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: 46600e1a05113752997a87b8f9c6606f
  SHA1: be9826312dfaa3b662920a80a66c932db4cb5d69
  SHA256: 5a5fe701e5bf06dbccf7bf5e61fd2597036348fd27d61e0aee1316678a955129
  SHA512: f9ef45a78ccb5f641eebe29192783c30f4901bb3bf0a1291c7e35447c147375879c8d21269c6e6885a98133bdca11050ac1c8795e4972867ee201763e4c4f817
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: 3c9dbb2a10187a7019b27dc164aea819
  SHA1: 91ae106eb51162a8da28d8af1afe9d4a64d2240e
  SHA256: 371bc721c219ea23fc99c926b98f074e52a82d89b47d53e46ae3ba023a3aebcc
  SHA512: 453e9918aa7e2c9e53dac1f5b7d0bce9633a22fa620e22277e3148f0c2f9af7a91ca9dbea6cbe28a2593c1cdc6cf94df2f9ce3df31f2868582d5eb84b5a10661