Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/02/2024, 11:31
Static task: static1
Behavioral task: behavioral1
Sample: rORDERCONFIRMATION93892873984883782.exe
Resource: win7-20231129-en
General
Target: rORDERCONFIRMATION93892873984883782.exe
Size: 1.0MB
MD5: e5d2981fd9c531b3cfb780cf781bac91
SHA1: aaf7084c369138eb5588051eda8aec9aa3c4ac26
SHA256: 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b
SHA512: ec10e5de423564c17caac9e3c8a4ab2d1ed51882c9cfe145374d69e9f18382d7bd23d370f0389fb56c3b77073da11351978e803dc53c7135e618bbf0507be539
SSDEEP: 24576:Aazz87bccsW43UyDBU7RCFYK9i3iOpOnC+yqiQDi/DtS:AOz8732BdUCYK9i3X6CPqinDo
Malware Config

Extracted
Family: remcos
Botnet: P2-bin
C2: 84.38.132.126:61445
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-ANE1CN
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/4468-115-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
behavioral2/memory/4468-111-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/memory/4988-103-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/4988-121-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

Nirsoft (6 IoCs)
resource | yara_rule
behavioral2/memory/4988-103-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/4468-115-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral2/memory/2080-116-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/2080-118-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/4988-121-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/4468-111-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | rORDERCONFIRMATION93892873984883782.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rORDERCONFIRMATION93892873984883782.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 2532 set thread context of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2476 set thread context of 4988 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 102
PID 2476 set thread context of 4468 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 103
PID 2476 set thread context of 2080 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 104

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3384 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
2532 | rORDERCONFIRMATION93892873984883782.exe
2532 | rORDERCONFIRMATION93892873984883782.exe
2268 | powershell.exe
2268 | powershell.exe
4196 | powershell.exe
4196 | powershell.exe
2532 | rORDERCONFIRMATION93892873984883782.exe
2532 | rORDERCONFIRMATION93892873984883782.exe
2532 | rORDERCONFIRMATION93892873984883782.exe
2532 | rORDERCONFIRMATION93892873984883782.exe
2268 | powershell.exe
4196 | powershell.exe
4988 | rORDERCONFIRMATION93892873984883782.exe
4988 | rORDERCONFIRMATION93892873984883782.exe
2080 | rORDERCONFIRMATION93892873984883782.exe
2080 | rORDERCONFIRMATION93892873984883782.exe
4988 | rORDERCONFIRMATION93892873984883782.exe
4988 | rORDERCONFIRMATION93892873984883782.exe

Suspicious behavior: MapViewOfSection (4 IoCs)
pid | Process
2476 | rORDERCONFIRMATION93892873984883782.exe
2476 | rORDERCONFIRMATION93892873984883782.exe
2476 | rORDERCONFIRMATION93892873984883782.exe
2476 | rORDERCONFIRMATION93892873984883782.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2532 | rORDERCONFIRMATION93892873984883782.exe
Token: SeDebugPrivilege | 2268 | powershell.exe
Token: SeDebugPrivilege | 4196 | powershell.exe
Token: SeDebugPrivilege | 2080 | rORDERCONFIRMATION93892873984883782.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2476 | rORDERCONFIRMATION93892873984883782.exe

Suspicious use of WriteProcessMemory (39 IoCs)
description | pid | Process | procid_target
PID 2532 wrote to memory of 2268 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 94
PID 2532 wrote to memory of 2268 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 94
PID 2532 wrote to memory of 2268 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 94
PID 2532 wrote to memory of 4196 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 96
PID 2532 wrote to memory of 4196 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 96
PID 2532 wrote to memory of 4196 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 96
PID 2532 wrote to memory of 3384 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 98
PID 2532 wrote to memory of 3384 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 98
PID 2532 wrote to memory of 3384 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 98
PID 2532 wrote to memory of 3872 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 100
PID 2532 wrote to memory of 3872 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 100
PID 2532 wrote to memory of 3872 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 100
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2532 wrote to memory of 2476 | 2532 | rORDERCONFIRMATION93892873984883782.exe | 101
PID 2476 wrote to memory of 4988 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 102
PID 2476 wrote to memory of 4988 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 102
PID 2476 wrote to memory of 4988 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 102
PID 2476 wrote to memory of 4988 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 102
PID 2476 wrote to memory of 4468 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 103
PID 2476 wrote to memory of 4468 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 103
PID 2476 wrote to memory of 4468 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 103
PID 2476 wrote to memory of 4468 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 103
PID 2476 wrote to memory of 1804 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 105
PID 2476 wrote to memory of 1804 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 105
PID 2476 wrote to memory of 1804 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 105
PID 2476 wrote to memory of 2080 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 104
PID 2476 wrote to memory of 2080 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 104
PID 2476 wrote to memory of 2080 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 104
PID 2476 wrote to memory of 2080 | 2476 | rORDERCONFIRMATION93892873984883782.exe | 104
Processes
(indentation shows the parent/child relationship between processes)

C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe"
  PID: 2532
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe"
    PID: 2268
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"
    PID: 4196
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8722.tmp"
    PID: 3384
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe"
    PID: 3872

  C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe"
    PID: 2476
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe /stext "C:\Users\Admin\AppData\Local\Temp\xlegzwespnpqwugpxhaftvtiiiz"
      PID: 4988
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe /stext "C:\Users\Admin\AppData\Local\Temp\ifrzsopudvhvzautorngwaorrxjrcf"
      PID: 4468
      - Accesses Microsoft Outlook accounts

    C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe /stext "C:\Users\Admin\AppData\Local\Temp\kzwjtzhnrdzajgqxycaihmiirdaavqdfi"
      PID: 2080
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\rORDERCONFIRMATION93892873984883782.exe /stext "C:\Users\Admin\AppData\Local\Temp\kzwjtzhnrdzajgqxycaihmiirdaavqdfi"
      PID: 1804
Network
MITRE ATT&CK Enterprise v15
Downloads