Analysis
max time kernel: 297s
max time network: 278s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2024, 18:25
Static task: static1
Behavioral task behavioral1: sample Stmt 2024-01.exe, resource win7-20231215-en
Behavioral task behavioral2: sample Stmt 2024-01.exe, resource win10-20231215-en
Behavioral task behavioral3: sample Stmt 2024-01.exe, resource win10v2004-20231215-en
General
Target: Stmt 2024-01.exe
Size: 1.5MB
MD5: fe658ad9c31ff2b67f90178b00c48ecc
SHA1: 1a066197e1e243409ef8cb70b9d71bf5a5a80f05
SHA256: 6778fea0bea7bd311fbda7b2f6257a7826733a664199d8073c878e401ba20a33
SHA512: 468fba52d876a39e1e72ea82f8a70dd758dd2c1e99e31dfe226749f3fbc49e64f635b8282e987e71f3b0b872842e61be016bfc24c9fc4592d3dbb8b5d8822f69
SSDEEP: 24576:pA9PI47mMe3qTK/MYnyXXQ9cgAwFrDsRMzOFlB6WXg/jz8sleGu2bh:c2MYy6cqdDQSOFJg/jiwbh
Malware Config
Extracted family: remcos
RemoteHost:
- meetre1ms.freeddns.org:2404
- mysmeetr.ddns.net:2404
- myumysmeetr.ddns.net:2404
- bbhmeetre1ms.freeddns.org:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: hsgddj
mouse_option: false
mutex: WIN2024-GUC4V0
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  resource: behavioral3/memory/3596-2-0x0000000002A00000-0x0000000003A00000-memory.dmp, yara_rule: modiloader_stage2
- Creates new service(s) (1 TTP)
- Executes dropped EXE (2 IoCs)
  pid 1204 easinvoker.exe; pid 1268 easinvoker.exe
- Loads dropped DLL (2 IoCs)
  pid 1204 easinvoker.exe; pid 1268 easinvoker.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qsgbkgqg = "C:\\Users\\Public\\Qsgbkgqg.url" (process: Stmt 2024-01.exe)
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 1928 sc.exe; pid 2268 sc.exe
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: xcopy.exe; 4 identical entries)
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flow 27: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 22: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1204 easinvoker.exe (64 identical entries)
- Suspicious behavior: LoadsDriver (1 IoC)
  pid 672 Process not Found
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 3760 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4432 SndVol.exe
- Suspicious use of WriteProcessMemory (51 IoCs)
  Entries as "source PID / source process wrote to target PID (procid_target)", with the number of identical entries:
  3596 Stmt 2024-01.exe wrote to 4216 (95), 3 entries
  4216 cmd.exe wrote to 1368 (97), 3 entries
  4216 cmd.exe wrote to 3176 (99), 3 entries
  4216 cmd.exe wrote to 2104 (100), 3 entries
  4216 cmd.exe wrote to 3116 (102), 3 entries
  4216 cmd.exe wrote to 4872 (101), 3 entries
  4216 cmd.exe wrote to 4940 (103), 3 entries
  4216 cmd.exe wrote to 868 (104), 3 entries
  4216 cmd.exe wrote to 3608 (105), 3 entries
  4216 cmd.exe wrote to 1428 (106), 3 entries
  4216 cmd.exe wrote to 1204 (107), 2 entries
  1204 easinvoker.exe wrote to 2520 (108), 2 entries
  2520 cmd.exe wrote to 2336 (110), 2 entries
  2520 cmd.exe wrote to 1928 (112), 2 entries
  2520 cmd.exe wrote to 2268 (113), 2 entries
  2336 cmd.exe wrote to 3760 (114), 2 entries
  3596 Stmt 2024-01.exe wrote to 4412 (115), 3 entries
  3596 Stmt 2024-01.exe wrote to 4432 (117), 4 entries
  4412 cmd.exe wrote to 1268 (118), 2 entries
Processes
Process tree (depth in brackets; each entry gives the image path, the command line, the PID and the signatures matched by that process):

[1] C:\Users\Admin\AppData\Local\Temp\Stmt 2024-01.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Stmt 2024-01.exe"
    PID: 3596
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\QsgbkgqgO.bat" "
      PID: 4216
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command: cmd /c mkdir "\\?\C:\Windows "
        PID: 1368

    [3] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        PID: 3176

    [3] C:\Windows\SysWOW64\xcopy.exe
        command: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
        PID: 2104
        - Enumerates system info in registry

    [3] C:\Windows\SysWOW64\xcopy.exe
        command: xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
        PID: 4872
        - Enumerates system info in registry

    [3] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        PID: 3116

    [3] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        PID: 4940

    [3] C:\Windows\SysWOW64\xcopy.exe
        command: xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
        PID: 868
        - Enumerates system info in registry

    [3] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        PID: 3608

    [3] C:\Windows\SysWOW64\xcopy.exe
        command: xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y
        PID: 1428
        - Enumerates system info in registry

    [3] C:\Windows \System32\easinvoker.exe
        command: "C:\\Windows \\System32\\easinvoker.exe"
        PID: 1204
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
          PID: 2520
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\cmd.exe
            command: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
            PID: 2336
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              command: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
              PID: 3760
              - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\system32\sc.exe
            command: sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel
            PID: 1928
            - Launches sc.exe

        [5] C:\Windows\system32\sc.exe
            command: sc.exe start truesight
            PID: 2268
            - Launches sc.exe

  [2] C:\Windows\SysWOW64\cmd.exe
      command: cmd /c "C:\\Windows \\System32\\easinvoker.exe"
      PID: 4412
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows \System32\easinvoker.exe
        command: "C:\\Windows \\System32\\easinvoker.exe"
        PID: 1268
        - Executes dropped EXE
        - Loads dropped DLL

  [2] C:\Windows\SysWOW64\SndVol.exe
      command: C:\Windows\System32\SndVol.exe
      PID: 4432
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 144B
  MD5: 1e54e9964c59f9087e136ce8c3898bb8
  SHA1: 255a0f3fc3d1fd7bda38ef3509a9677d98b0ce18
  SHA256: 7437e0e5612a9fc32d178079d58fe7922806bb48500c7f35dc441d961054a9ca
  SHA512: 0a2fc0271c7c4d2e0ae9139fee60eafbcce3d187027fd2ab7a033e336b8c80bebb94fcce7f62e55aaa767fa3cc3bf5cf6ac23030c6270f26dba9042d52a7c689
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 271B
  MD5: d62b11dc4dc821ef23260e5b0e74a835
  SHA1: cdff2004cb9ef149f75fae296f50f4fbfefb2e84
  SHA256: d1b19b878a3ae98f650843314cc3ef8d681013f6e18e0201cb47a0afa45fc349
  SHA512: 27b8292eb318413b965e1c7552165e65f9003d03b15ddc0c5c142420a1a174303f983c268942d7b60c74ac4e8e79e01f83510807fc0c492cabdf4948bc69c625
- Filesize: 404B
  MD5: 6880148d6cd8fabdce94b7e91dbd8d17
  SHA1: 870e9ad13355a8452746e0904d004ee8c8ec66e5
  SHA256: 0bfe311ffb1de96cbb2616c2a59c2a1a4942ec03073cc2ddfdfc43f79c74d18a
  SHA512: 810ee2896597cbcf813b9285bb2d7f9127360a4d8a872c47460d32710fe114c27ed58f840dc8bcfdaf7b826e7e46c78c0e814e4fa3d380d10737673a1febf38e
- Filesize: 128KB
  MD5: 231ce1e1d7d98b44371ffff407d68b59
  SHA1: 25510d0f6353dbf0c9f72fc880de7585e34b28ff
  SHA256: 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
  SHA512: 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
- Filesize: 114KB
  MD5: 1a2d83c73343d26f40a50fe2fe2f3e99
  SHA1: cce1c460b809c39f3be25d3e9b57bb5a1584923b
  SHA256: e2a595076d88ab6a210c395a75a78409e0e4f51cd13f0e10ad1b8c153b4e90d7
  SHA512: 26fffe2a5543f92f2a04996436343b82f99f1cec6e7e6b7b6c40f888d65951c61cb31318bcb3e5af6bd624960069bfb732e31c9ab70da462e1548daaa1ac1734