Analysis
max time kernel: 300s
max time network: 305s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19/01/2024, 18:25
Static task: static1

Behavioral task: behavioral1
Sample: Stmt 2024-01.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: Stmt 2024-01.exe
Resource: win10-20231215-en

Behavioral task: behavioral3
Sample: Stmt 2024-01.exe
Resource: win10v2004-20231215-en
General
Target: Stmt 2024-01.exe
Size: 1.5MB
MD5: fe658ad9c31ff2b67f90178b00c48ecc
SHA1: 1a066197e1e243409ef8cb70b9d71bf5a5a80f05
SHA256: 6778fea0bea7bd311fbda7b2f6257a7826733a664199d8073c878e401ba20a33
SHA512: 468fba52d876a39e1e72ea82f8a70dd758dd2c1e99e31dfe226749f3fbc49e64f635b8282e987e71f3b0b872842e61be016bfc24c9fc4592d3dbb8b5d8822f69
SSDEEP: 24576:pA9PI47mMe3qTK/MYnyXXQ9cgAwFrDsRMzOFlB6WXg/jz8sleGu2bh:c2MYy6cqdDQSOFJg/jiwbh
Malware Config
Extracted: remcos
RemoteHost:
  meetre1ms.freeddns.org:2404
  mysmeetr.ddns.net:2404
  myumysmeetr.ddns.net:2404
  bbhmeetre1ms.freeddns.org:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: hsgddj
mouse_option: false
mutex: WIN2024-GUC4V0
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
resource                                                                    yara_rule
behavioral2/memory/1260-2-0x0000000002E00000-0x0000000003E00000-memory.dmp  modiloader_stage2

Creates new service(s) (1 TTP)

Executes dropped EXE (2 IoCs)
pid   Process
4128  easinvoker.exe
208   easinvoker.exe

Loads dropped DLL (2 IoCs)
pid   Process
4128  easinvoker.exe
208   easinvoker.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qsgbkgqg = "C:\\Users\\Public\\Qsgbkgqg.url"  Stmt 2024-01.exe
Launches sc.exe (2 IoCs)
sc.exe is a Windows utility to control services on the system.
pid   Process
2020  sc.exe
3176  sc.exe
Enumerates system info in registry (2 TTPs, 4 IoCs)
description        ioc                                                       Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  xcopy.exe
(the same entry is recorded 4 times)

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  5     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  8     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
4128  easinvoker.exe
(the same entry is recorded 64 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
3672  SndVol.exe

Suspicious behavior: LoadsDriver (1 IoC)
pid   Process
612   Process not Found

Suspicious use of AdjustPrivilegeToken (22 IoCs)
description                           pid   Process
Token: SeDebugPrivilege               2756  powershell.exe
Token: SeIncreaseQuotaPrivilege       2756  powershell.exe
Token: SeSecurityPrivilege            2756  powershell.exe
Token: SeTakeOwnershipPrivilege       2756  powershell.exe
Token: SeLoadDriverPrivilege          2756  powershell.exe
Token: SeSystemProfilePrivilege       2756  powershell.exe
Token: SeSystemtimePrivilege          2756  powershell.exe
Token: SeProfSingleProcessPrivilege   2756  powershell.exe
Token: SeIncBasePriorityPrivilege     2756  powershell.exe
Token: SeCreatePagefilePrivilege      2756  powershell.exe
Token: SeBackupPrivilege              2756  powershell.exe
Token: SeRestorePrivilege             2756  powershell.exe
Token: SeShutdownPrivilege            2756  powershell.exe
Token: SeDebugPrivilege               2756  powershell.exe
Token: SeSystemEnvironmentPrivilege   2756  powershell.exe
Token: SeRemoteShutdownPrivilege      2756  powershell.exe
Token: SeUndockPrivilege              2756  powershell.exe
Token: SeManageVolumePrivilege        2756  powershell.exe
Token: 33                             2756  powershell.exe
Token: 34                             2756  powershell.exe
Token: 35                             2756  powershell.exe
Token: 36                             2756  powershell.exe

Suspicious use of WriteProcessMemory (51 IoCs)
Repeated identical entries are collapsed; the count per row is given in parentheses.
description                             pid   Process           procid_target
PID 1260 wrote to memory of 2916 (x3)   1260  Stmt 2024-01.exe  72
PID 2916 wrote to memory of 4392 (x3)   2916  cmd.exe           74
PID 2916 wrote to memory of 3356 (x3)   2916  cmd.exe           76
PID 2916 wrote to memory of 2104 (x3)   2916  cmd.exe           77
PID 2916 wrote to memory of 4596 (x3)   2916  cmd.exe           78
PID 2916 wrote to memory of 1340 (x3)   2916  cmd.exe           79
PID 2916 wrote to memory of 4852 (x3)   2916  cmd.exe           80
PID 2916 wrote to memory of 3024 (x3)   2916  cmd.exe           81
PID 2916 wrote to memory of 2280 (x3)   2916  cmd.exe           82
PID 2916 wrote to memory of 716 (x3)    2916  cmd.exe           83
PID 2916 wrote to memory of 4128 (x2)   2916  cmd.exe           84
PID 4128 wrote to memory of 4180 (x2)   4128  easinvoker.exe    85
PID 4180 wrote to memory of 356 (x2)    4180  cmd.exe           87
PID 4180 wrote to memory of 3176 (x2)   4180  cmd.exe           88
PID 356 wrote to memory of 2756 (x2)    356   cmd.exe           90
PID 4180 wrote to memory of 2020 (x2)   4180  cmd.exe           91
PID 1260 wrote to memory of 1640 (x3)   1260  Stmt 2024-01.exe  93
PID 1260 wrote to memory of 3672 (x4)   1260  Stmt 2024-01.exe  95
PID 1640 wrote to memory of 208 (x2)    1640  cmd.exe           96
Processes
Process tree (indentation shows parent/child relationship; each entry gives image path, command line, PID and triggered signatures):

- [PID 1260] C:\Users\Admin\AppData\Local\Temp\Stmt 2024-01.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Stmt 2024-01.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [PID 2916] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\QsgbkgqgO.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 4392] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c mkdir "\\?\C:\Windows "
    - [PID 3356] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    - [PID 2104] C:\Windows\SysWOW64\xcopy.exe
      Command line: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
      Signatures: Enumerates system info in registry
    - [PID 4596] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    - [PID 1340] C:\Windows\SysWOW64\xcopy.exe
      Command line: xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
      Signatures: Enumerates system info in registry
    - [PID 4852] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    - [PID 3024] C:\Windows\SysWOW64\xcopy.exe
      Command line: xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
      Signatures: Enumerates system info in registry
    - [PID 2280] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    - [PID 716] C:\Windows\SysWOW64\xcopy.exe
      Command line: xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y
      Signatures: Enumerates system info in registry
    - [PID 4128] C:\Windows \System32\easinvoker.exe
      Command line: "C:\\Windows \\System32\\easinvoker.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - [PID 4180] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
        Signatures: Suspicious use of WriteProcessMemory
        - [PID 356] C:\Windows\system32\cmd.exe
          Command line: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
          Signatures: Suspicious use of WriteProcessMemory
          - [PID 2756] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
            Signatures: Suspicious use of AdjustPrivilegeToken
        - [PID 3176] C:\Windows\system32\sc.exe
          Command line: sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel
          Signatures: Launches sc.exe
        - [PID 2020] C:\Windows\system32\sc.exe
          Command line: sc.exe start truesight
          Signatures: Launches sc.exe
  - [PID 1640] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\\Windows \\System32\\easinvoker.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 208] C:\Windows \System32\easinvoker.exe
      Command line: "C:\\Windows \\System32\\easinvoker.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL
  - [PID 3672] C:\Windows\SysWOW64\SndVol.exe
    Command line: C:\Windows\System32\SndVol.exe
    Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

- Filesize: 144B
  MD5: 3685e5606e34664fd7cc7c6683d694a0
  SHA1: 64e537367953c720a1b3c51c61f772c858a77ffe
  SHA256: b05de151b5a351fd2421aa20741fc896e5e5bda5636193f4ced917713cb62591
  SHA512: 99c4c70984380acf393661d5258ca9c29aa4525dbad1a9cefbae9543bda47860835c8912db322345bfbc972a780063abbc6fe1f8e7030db174ca9d28b7066ac9

- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

- Filesize: 271B
  MD5: d62b11dc4dc821ef23260e5b0e74a835
  SHA1: cdff2004cb9ef149f75fae296f50f4fbfefb2e84
  SHA256: d1b19b878a3ae98f650843314cc3ef8d681013f6e18e0201cb47a0afa45fc349
  SHA512: 27b8292eb318413b965e1c7552165e65f9003d03b15ddc0c5c142420a1a174303f983c268942d7b60c74ac4e8e79e01f83510807fc0c492cabdf4948bc69c625

- Filesize: 404B
  MD5: 6880148d6cd8fabdce94b7e91dbd8d17
  SHA1: 870e9ad13355a8452746e0904d004ee8c8ec66e5
  SHA256: 0bfe311ffb1de96cbb2616c2a59c2a1a4942ec03073cc2ddfdfc43f79c74d18a
  SHA512: 810ee2896597cbcf813b9285bb2d7f9127360a4d8a872c47460d32710fe114c27ed58f840dc8bcfdaf7b826e7e46c78c0e814e4fa3d380d10737673a1febf38e

- Filesize: 128KB
  MD5: 231ce1e1d7d98b44371ffff407d68b59
  SHA1: 25510d0f6353dbf0c9f72fc880de7585e34b28ff
  SHA256: 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
  SHA512: 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

- Filesize: 114KB
  MD5: 1a2d83c73343d26f40a50fe2fe2f3e99
  SHA1: cce1c460b809c39f3be25d3e9b57bb5a1584923b
  SHA256: e2a595076d88ab6a210c395a75a78409e0e4f51cd13f0e10ad1b8c153b4e90d7
  SHA512: 26fffe2a5543f92f2a04996436343b82f99f1cec6e7e6b7b6c40f888d65951c61cb31318bcb3e5af6bd624960069bfb732e31c9ab70da462e1548daaa1ac1734