Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/01/2024, 13:46
Static task: static1
Behavioral task behavioral1: sample RFQ ETMT 009462900_pdf(58kb).exe, resource win7-20231215-en
Behavioral task behavioral2: sample RFQ ETMT 009462900_pdf(58kb).exe, resource win10v2004-20231215-en
Behavioral task behavioral3: sample jjuhibpwa.ps1, resource win7-20231215-en
Behavioral task behavioral4: sample jjuhibpwa.ps1, resource win10v2004-20231215-en
Behavioral task behavioral5: sample wnnqrg.exe, resource win7-20231215-en
Behavioral task behavioral6: sample wnnqrg.exe, resource win10v2004-20231222-en
General
Target: RFQ ETMT 009462900_pdf(58kb).exe
Size: 499KB
MD5: 8db92bb4d4f088c378b9c430b72ac827
SHA1: 41cc52c3b467aac55ff57ad9d1fd7223fef7ee70
SHA256: 2fb6f8d101edc0b6a053d332cb32d0134f5c66629970cf411f34f437928b87a4
SHA512: 2fe47dd6cc30575f8ec65ee5287cc7e345888efba328fff73a339bbe7e748d588186763c5b3d69cd7ca3c2a40a047cac4d755591a29c690bbb01db71a97fbd09
SSDEEP: 12288:YkSnWVfzb9ybh95rH9P2VtHO8LVS6krP6qwFkOfWeuteV8aV:YJnefzb0toVtHvA3vleK0
Malware Config
Extracted: remcos
FRESH
igw.myfirewall.org:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: outlook
mouse_option: false
mutex: RmcbWqr-YNNHMH
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
4848  wnnqrg.exe
5044  wnnqrg.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnwsscxhhq = "C:\\Users\\Admin\\AppData\\Roaming\\irrbwwg\\plluqqyiie.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wnnqrg.exe\" "
Process: wnnqrg.exe

Suspicious use of SetThreadContext (1 IoCs)
description                           pid   Process     procid_target
PID 4848 set thread context of 5044   4848  wnnqrg.exe  93

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: MapViewOfSection (1 IoCs)
pid   Process
4848  wnnqrg.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
5044  wnnqrg.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process                            procid_target
PID 656 wrote to memory of 4848   656   RFQ ETMT 009462900_pdf(58kb).exe   91
PID 656 wrote to memory of 4848   656   RFQ ETMT 009462900_pdf(58kb).exe   91
PID 656 wrote to memory of 4848   656   RFQ ETMT 009462900_pdf(58kb).exe   91
PID 4848 wrote to memory of 5044  4848  wnnqrg.exe                         93
PID 4848 wrote to memory of 5044  4848  wnnqrg.exe                         93
PID 4848 wrote to memory of 5044  4848  wnnqrg.exe                         93
PID 4848 wrote to memory of 5044  4848  wnnqrg.exe                         93
Processes

C:\Users\Admin\AppData\Local\Temp\RFQ ETMT 009462900_pdf(58kb).exe  "C:\Users\Admin\AppData\Local\Temp\RFQ ETMT 009462900_pdf(58kb).exe"  (PID 656)
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe  "C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe"  (PID 4848)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe  "C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe"  (PID 5044)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: 0bc6b06160b47ba52d489714c171291f
SHA1: 003d0a0679e93274432a5a436de3d384c86e27a4
SHA256: c8c7bab98994542323a9ab693cc48c20eb7b80afe802811fff65bbd9e5fd068c
SHA512: 2a7a3135beb4f1d87b5aef70ee25258be2fe744b22e7bdf0981a09a47ffde27c59f3b3adfb23244d49b1ecb286a903d47fee0d2267583ec3cc34e2d5e9ffd548

Filesize: 377KB
MD5: 623680efd11f6381a87f51e4e1c6c633
SHA1: bef582a13edae1bcd237e9c54f739956cb8fbd74
SHA256: 54721adedaed24dca72d87cae7f89dbff914165ca61c0ec4fa0a727a6e5609ea
SHA512: 35b94d8fd18a750b530f9905cd7257d674d0b844e972e8c6b713a74d4f4ce0483a209671b2bd16f2cd16a747431b324cce9944746b040177cf918eb8e4f2cbc5

Filesize: 62KB
MD5: ad65f79ab6bd2884461a198e1d77ef76
SHA1: f7ac4388da64c17f92f0c10803de57abad060bb9
SHA256: c545d7f6a0c7da83bdabf56728c240bca8dc9f86416123efde1a3e60d87626ce
SHA512: 7da047e3ce0ffe6d01e603092f12acfa98499b0407ba6b328acd94eb7894f7009163804b6fd645ae6b6d0deb98091cacb71b53c0585381fdb962a205e6a8440e