Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

FG98765678000.exe

windows7-x64

10

FG98765678000.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    22/12/2023, 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FG98765678000.exe

  • Size

    656KB

  • MD5

    0058da743288cb67e15afbfcb0ab6e1a

  • SHA1

    99cde8486c006b735d1d5111d493303291a847fb

  • SHA256

    412c4f354965eb514a79001b512c70e8d36e1d443fe599aca0916893eab369ef

  • SHA512

    b0cb8a7279ad0e8e49b8b84738e009e93cc2e1e02a909ac88d929a374ff1e6aaa470c5226fcfe24969b4993a7d989a36432d948e1516635e32a1a79d1c06a966

  • SSDEEP

    12288:RaoPTJIU4nr5Kfe8tNCqrKgj65I9ra/Q/fGHAW3A79hRff/aY:RDPFv4nVB8tNCqmgj6Ua/Q/fL97f6Y

Score
10/10
remcosdollarcollectionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

DOLLAR

C2

107.175.229.139:8087

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-UZXQ9B

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FG98765678000.exe
    "C:\Users\Admin\AppData\Local\Temp\FG98765678000.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\deaegyz.exe
      "C:\Users\Admin\AppData\Local\Temp\deaegyz.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Users\Admin\AppData\Local\Temp\deaegyz.exe
        "C:\Users\Admin\AppData\Local\Temp\deaegyz.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2844
        • \??\c:\program files (x86)\internet explorer\iexplore.exe
          "c:\program files (x86)\internet explorer\iexplore.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2808
          • \??\c:\program files (x86)\internet explorer\iexplore.exe
            "c:\program files (x86)\internet explorer\iexplore.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2804
            • \??\c:\program files (x86)\internet explorer\iexplore.exe
              "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\csoc"
              6⤵
                PID:2732
              • \??\c:\program files (x86)\internet explorer\iexplore.exe
                "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\csoc"
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3040
              • \??\c:\program files (x86)\internet explorer\iexplore.exe
                "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\eutnysr"
                6⤵
                • Accesses Microsoft Outlook accounts
                PID:1556
              • \??\c:\program files (x86)\internet explorer\iexplore.exe
                "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\poyfqlbnchh"
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:624
          • \??\c:\program files (x86)\internet explorer\iexplore.exe
            "c:\program files (x86)\internet explorer\iexplore.exe"
            4⤵
              PID:2960
            • \??\c:\program files (x86)\internet explorer\iexplore.exe
              "c:\program files (x86)\internet explorer\iexplore.exe"
              4⤵
                PID:2688

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\remcos\logs.dat
          Filesize

          144B

          MD5

          b3a3f9f09296f9c53276e66bce299863

          SHA1

          4dcd6412b0b7f0fc1ecad646f99e7ff1eee787d5

          SHA256

          e21869047344363fa749a7d6535ded5dab4f0364742b06f4eb1935c4329c3662

          SHA512

          2e0df9e5367679b89651628615fd0e5fcb0c4d1f45c231cf98ed96a42195bd74614cdb46fb7b8f2b698bf9c6f2a3dd1fa479b5bf2088f3c48bc9703e953e2d3d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csoc
          Filesize

          2B

          MD5

          f3b25701fe362ec84616a93a45ce9998

          SHA1

          d62636d8caec13f04e28442a0a6fa1afeb024bbb

          SHA256

          b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

          SHA512

          98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\deaegyz.exe
          Filesize

          318KB

          MD5

          5affcfc88c7030e66a03274ac1749f2f

          SHA1

          9f69efe64f2c636c6465a0445720f1c00fa1dcf3

          SHA256

          0ec70ffc61c48889baf9b02e9a966e601a9aa0cf7bd5809f2c0c23ff8a461901

          SHA512

          2abdd83f3c9a90019e92119ac2484ee592a9d8d0f58161fc4ae60fbec3d6425a2e5131f03694d3582faacf6c5b6f51060492ccc9959cddb63cb53171162d43c9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\deaegyz.exe
          Filesize

          187KB

          MD5

          9e0bfe7028a56e45de99caa4c1095a32

          SHA1

          b9df6618ed87fefbbd3359855cefc9e8a98ba4c6

          SHA256

          1b5e56b73b05a90eca78b564b333a27c17aa6de09d93e1d8e9d622be29f9c778

          SHA512

          f7694ed85d0f7cdcf7655a5dd641d6d06836a12beff1a8441e425e9cc56f0e772fdfeeaeeb1c13f18a0f7edccc2c1be0561c6997202bbceb5fddc2a2b59322f2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\deaegyz.exe
          Filesize

          355KB

          MD5

          a97e8219b3776a69b532c5e70413d3f9

          SHA1

          daf7368c6f434228cfacb2dd8fd0c6eed2f8fef9

          SHA256

          c091c92769ddedd2fdc2b2e55104f45d650331d78b1e05f02bf185f17aa1a543

          SHA512

          4f01370f7c5235ac0f054913bdbb417edaf876476a869af96298161a3a22760d2d06246fa4ef15fcda37eaa00f71061b3c84269c2c932cd24f3e3cb83178cba7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\midxwnqijin.ekx
          Filesize

          306KB

          MD5

          11e2f7ba2c2a8aee31d0ab8c25ec4998

          SHA1

          df736baf7d0e00c0739d8175c39b59b08c77f5b8

          SHA256

          cd5ce80970b47e47863c06d6631fc0ea61b809c159ebcdf15698b4a96dc65b3a

          SHA512

          6641c59d805477eb1f96c33a5e9133a2c8e73fe2d5d731cb230ddc4b14a08b04bfc061c331a8b7d8f42226b383ab37b2e4287e5b26e04f50c0f38a7ccdc1084f

          Download Submit

        • \Users\Admin\AppData\Local\Temp\deaegyz.exe
          Filesize

          304KB

          MD5

          2f6a939478019a697747d5c9f3c4fb92

          SHA1

          c833cde81515e1f59acd1134d26774a23bcd0ec2

          SHA256

          cc48784b86fcaecd2921851e834dabd094c58469a71f43311d17d15016a23e48

          SHA512

          18c4c72792f750e5b6936c36038f428b27490bc5cc919cc40cc9ac3f7c3ef7bbd9c3e8bbba7d6cd79b3b86538488d6c8a7da273f6a99a9209c32e68315a219db

          Download Submit

        • \Users\Admin\AppData\Local\Temp\deaegyz.exe
          Filesize

          223KB

          MD5

          4e46383adf2d359800bffddf5873c349

          SHA1

          1b091890a795326b155bef4349ca53eaf6ad35fc

          SHA256

          8483b46b397371beaf1e522f41ba938b0c99f2e9fe41015416bd07e155e2e2c7

          SHA512

          cc562345fb9c01836e78b54fa1f22cf2b8f7ec0d55beae358d0a3f4fc35ce1bafce90b989a33929cc4a45eb571f00588ecabe84b33a9d5f5c4372b59624b904a

          Download Submit

        • memory/624-57-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/624-60-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/624-61-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/624-63-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/624-62-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1556-58-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/1556-79-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/1556-56-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/1556-54-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/1556-49-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/2804-95-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-27-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-34-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-35-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-37-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-36-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-39-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-41-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-40-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-85-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2804-33-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-32-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-29-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-31-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-81-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-87-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-88-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-78-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2804-96-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-103-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-104-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-111-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-112-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2804-71-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2804-75-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2804-74-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2804-76-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2804-77-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2808-24-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/2808-23-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/2808-19-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/2808-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2844-20-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2844-16-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2844-15-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2844-11-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2944-6-0x0000000000250000-0x0000000000252000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3040-68-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3040-44-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3040-51-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3040-47-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download