Analysis
Max time kernel: 149s
Max time network: 149s
Platform: windows7_x64
Resource: win7-20231020-en
Resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
Submitted: 20/11/2023, 14:51
Static task: static1
Behavioral task: behavioral1
  Sample: jurojarem2.1.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: jurojarem2.1.exe
  Resource: win10v2004-20231020-en
General
Target: jurojarem2.1.exe
Size: 572KB
MD5: 0a1d0f4a278dff187347c1544ab3dc6a
SHA1: 765e25fcbbdb651ae743dede4a50f10cc672e915
SHA256: 9ef9b4a8ab8366ea77b049febf61fd2003aa90b9b38f5c301bff8a60a0feef24
SHA512: 4aba1511baf640947fe77d15c44e27b28bd8d1eb18c8e2136228630910384902ba891cf630ad39fa3a4893196c3490d109722f8fd292447516b364292ed5b385
SSDEEP: 12288:HVzaqD3kmx8ROJVT7WPBL4lbeItG74jdzGa0oiN/uucM/9:1zNDv8kJ57W2lb/GQGv5
Malware Config
Extracted
Family: remcos
Botnet: jujufile
C2: sheddy1122.ddns.net:6524
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-YCH6KL
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  2060  nrcrae.exe
  2728  nrcrae.exe

Loads dropped DLL (3 IoCs)
  PID   Process
  1824  jurojarem2.1.exe
  1824  jurojarem2.1.exe
  2060  nrcrae.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyuuennjsc = "C:\\Users\\Admin\\AppData\\Roaming\\oxttdmmhqq\\mvvfbkktp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nrcrae.exe\" "
  Process: nrcrae.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 2060 (nrcrae.exe) set thread context of PID 2728 (procid_target 29)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: MapViewOfSection (1 IoC)
  PID   Process
  2060  nrcrae.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1824 (jurojarem2.1.exe) wrote to memory of PID 2060 (procid_target 28): 4 events
  PID 2060 (nrcrae.exe) wrote to memory of PID 2728 (procid_target 29): 5 events
Processes
- C:\Users\Admin\AppData\Local\Temp\jurojarem2.1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\jurojarem2.1.exe"
  PID: 1824
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nrcrae.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nrcrae.exe"
    PID: 2060
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\nrcrae.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nrcrae.exe"
      PID: 2728
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads