Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Item_list0025.exe

windows7-x64

10

Item_list0025.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/01/2024, 07:56 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Item_list0025.exe

  • Size

    862KB

  • MD5

    8c0808705c8abff0a07a6ca91c6df24e

  • SHA1

    28aaae99c9b7290252d7f4bb8fd7e50e9942345c

  • SHA256

    8957582ccd1876780ff5a43336984ee23ff03be1c8184a6ff9797828f52536e1

  • SHA512

    1ff6598349a3d82f7160dcf3dc7189a85872ce5b47ac8bacd74bbfc166668573b2b923fabf07059dbc0bc8b5cf956993355219bcae26169440c5c8283217deac

  • SSDEEP

    24576:mJci+WaRI9bCsla3fAqdfXu5IIhxiwe7:KmI9afu+Iff

Score
10/10
remcosdkcollectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

dk

C2

64.188.20.186:5050

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-TPXVZV

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe
    "C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hFjPDstJByxXbg.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hFjPDstJByxXbg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2768
    • C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe
      "C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe"
      2⤵
        PID:2764
      • C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe
        "C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe
          C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe /stext "C:\Users\Admin\AppData\Local\Temp\mgvlrtzqdg"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2956
        • C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe
          C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe /stext "C:\Users\Admin\AppData\Local\Temp\pjjdsmjjromfz"
          3⤵
            PID:2960
          • C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe
            C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe /stext "C:\Users\Admin\AppData\Local\Temp\pjjdsmjjromfz"
            3⤵
              PID:2168
            • C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe
              C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe /stext "C:\Users\Admin\AppData\Local\Temp\pjjdsmjjromfz"
              3⤵
              • Accesses Microsoft Outlook accounts
              PID:3036
            • C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe
              C:\Users\Admin\AppData\Local\Temp\Item_list0025.exe /stext "C:\Users\Admin\AppData\Local\Temp\zdowseulnwekbygps"
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1972

        Network

        • flag-us
          DNS
          geoplugin.net
          Item_list0025.exe
          Remote address:
          8.8.8.8:53
          Request
          geoplugin.net
          IN A
          Response
          geoplugin.net
          IN A
          178.237.33.50
        • flag-nl
          GET
          http://geoplugin.net/json.gp
          Item_list0025.exe
          Remote address:
          178.237.33.50:80
          Request
          GET /json.gp HTTP/1.1
          Host: geoplugin.net
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          date: Thu, 25 Jan 2024 07:56:59 GMT
          server: Apache
          content-length: 953
          content-type: application/json; charset=utf-8
          cache-control: public, max-age=300
          access-control-allow-origin: *
        • 64.188.20.186:5050
          tls
          Item_list0025.exe
          3.4kB
           1.7kB
           14
          18
        • 64.188.20.186:5050
          tls
          Item_list0025.exe
          30.4kB
           501.8kB
           212
          372
        • 178.237.33.50:80
          http://geoplugin.net/json.gp
          http
          Item_list0025.exe
          577 B
           2.5kB
           11
          4

          HTTP Request

          GET http://geoplugin.net/json.gp

          HTTP Response

          200
        • 8.8.8.8:53
          geoplugin.net
          dns
          Item_list0025.exe
          59 B
           75 B
           1
          1

          DNS Request

          geoplugin.net

          DNS Response

          178.237.33.50

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\mgvlrtzqdg
          Filesize

          2B

          MD5

          f3b25701fe362ec84616a93a45ce9998

          SHA1

          d62636d8caec13f04e28442a0a6fa1afeb024bbb

          SHA256

          b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

          SHA512

          98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp
          Filesize

          1KB

          MD5

          cc0f01ba1d295e94297cc15ae19c307d

          SHA1

          70d424f7209c2120f27cbce982ff04caf84a43df

          SHA256

          ad2489aace77e9b39f0b0b06bfa68de65596808b247b41a42abe5bac7980280a

          SHA512

          b28a1377ea680053b571f8cbeadf4b8a3493553132a161fba166d71c6e6bb6752b89e116aaa2fa0fed1293ec024b3caf98c9bcbdf6ebd9dca001eb87f5d1085d

          Download Submit

        • memory/1972-62-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1972-64-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1972-66-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/1972-67-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2040-5-0x0000000000690000-0x000000000069C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2040-1-0x0000000074C50000-0x000000007533E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2040-30-0x0000000074C50000-0x000000007533E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2040-4-0x0000000000540000-0x0000000000548000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2040-3-0x0000000000520000-0x0000000000538000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2040-2-0x0000000004960000-0x00000000049A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2040-0-0x00000000013C0000-0x000000000149E000-memory.dmp

          Filesize

          888KB

          Download

        • memory/2040-6-0x00000000054C0000-0x0000000005578000-memory.dmp

          Filesize

          736KB

          Download

        • memory/2724-46-0x0000000073A90000-0x000000007403B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2724-41-0x00000000026C0000-0x0000000002700000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2724-36-0x00000000026C0000-0x0000000002700000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2724-34-0x0000000073A90000-0x000000007403B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2724-35-0x00000000026C0000-0x0000000002700000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2724-33-0x0000000073A90000-0x000000007403B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2936-43-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-81-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2936-32-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-31-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-28-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-24-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2936-37-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-38-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-40-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-39-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-21-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-20-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-44-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-45-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-19-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-91-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-90-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-89-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-88-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-87-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-86-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-18-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-85-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2936-17-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-16-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-14-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-84-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-12-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-74-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-83-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-76-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2936-79-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2936-80-0x0000000010000000-0x0000000010019000-memory.dmp

          Filesize

          100KB

          Download

        • memory/2936-29-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2936-82-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2956-72-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2956-53-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2956-49-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2956-51-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2956-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3036-75-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/3036-61-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/3036-58-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/3036-55-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.