Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
123s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
14/02/2024, 05:34
General
-
Target
INV-M673778.01_CRM03283275.bat
-
Size
1.7MB
-
MD5
4684b78291fbd184c63fc72362ad6638
-
SHA1
18b9acfef0f9cb0bc368a3f7bab870b5c8d0ea45
-
SHA256
104dabc5458396ad4bc4bd595a18dd578a0fbbabcf2dc2446fa25d4dd3cd4395
-
SHA512
008d9be60f83bbcb8923bf63c19940e25b53c4df2ff86c3f6ce8c46d2570eebc47774179a99d05c96e87e01e40b48e8a154d4ba412ad8494f4eef4b995d24eac
-
SSDEEP
24576:ibbzU4JA5g17ST/0F1tjX48FSYlb+7jx9N29q6VeR6:inBA5g1uT/G1tjX48hw7jB6g8
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:55677
127.0.0.1:45671
mypersonrem.duckdns.org:45671
mypersonrem.duckdns.org:55677
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-146CM0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 10 IoCs
-
Detects executables built or packed with MPress PE compressor 16 IoCs
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
-
Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
-
ModiLoader Second Stage 1 IoCs
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Nirsoft 7 IoCs
-
Executes dropped EXE 5 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\INV-M673778.01_CRM03283275.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c del "C:\Users\Public\pointer.com" / A / F / Q / S2⤵
-
-
C:\Windows\system32\certutil.execertutil -decodehex "C:\Users\Admin\AppData\Local\Temp\INV-M673778.01_CRM03283275.bat" "C:\Users\Public\pointer.com" 32⤵
-
-
C:\Windows\system32\cmd.execmd /c PING -n 2 127.0.0.12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEPING -n 2 127.0.0.13⤵
- Runs ping.exe
-
-
-
C:\Windows\system32\cmd.execmd /c start C:\Users\Public\pointer.com2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\pointer.comC:\Users\Public\pointer.com3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Public\Libraries\YfqfzmgjO.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows "5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"5⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"5⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"5⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y5⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"5⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y5⤵
- Enumerates system info in registry
-
-
C:\Windows \System32\easinvoker.exe"C:\\Windows \\System32\\easinvoker.exe"5⤵
- Executes dropped EXE
-
-
C:\Windows \System32\easinvoker.exe"C:\Windows \System32\easinvoker.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\\Windows \\System32\\easinvoker.exe"4⤵
-
C:\Windows \System32\easinvoker.exe"C:\\Windows \\System32\\easinvoker.exe"5⤵
- Executes dropped EXE
-
-
C:\Windows \System32\easinvoker.exe"C:\Windows \System32\easinvoker.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\System32\colorcpl.exe4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\suiw"5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\conpkmx"5⤵
- Accesses Microsoft Outlook accounts
-
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\nrshlfimhb"5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 8845⤵
- Program crash
-
-
-
-
-
C:\Windows\system32\cmd.execmd /c exit /b 02⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
4KB
MD5785e8193007bcd7858b9df41c9d45f89
SHA129b206de05ab075138ca9e0b9fccdddf3c30cdfe
SHA256c8e1912a3328802e98563e32eb053ae3e28249b701054af227e9f1ba6bfe24d9
SHA512a4d6fd586800f27939d8c152e89d2a231dc9fd8466e715dfeba22e2aa0428509095e12e6e66f2cb5e40ff5c998b439dc3f6792e20c179f41ac9cae31ada9d45f
-
Filesize
7KB
MD50d0d24b46d4bb0e4962595d455020d48
SHA148b247c1cb2577b28aabd7dfa999e0642b5dc6de
SHA256f46e0cc2c119a32dd87edf97bfc73d985ee97d2c9dc00274b6b20d641e29deea
SHA512d5a8779e1cfd2a284173ce8a205cacb41fc7c744fa84e55682ac50b327c676ff50f668ecd176e0ab84420d143a8023d8b4590362b223704c55f5b0d7e116ba2c
-
Filesize
128KB
MD5231ce1e1d7d98b44371ffff407d68b59
SHA125510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA25630951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
Filesize
115KB
MD539be9ce198b925133f2597d6b3017a06
SHA1a9ac8167f2018ff331b6d6c88a9dc35df40b1f5e
SHA2566da1571c3392650a1e125c3d37d674140896c10da705c052375992997de77281
SHA51278df6a17b2b345d1bdd09e30aceb15e3df6cf0d5c2f202ca443cb461ad66fb178eb08c704ffb94a9966d60b1f015338cb0164c03ad07c1282052872bb65eea0d
-
Filesize
1.2MB
MD5d14f89ddd1132f5fcfb7ae6beb00ddd8
SHA17ead6b2af17ed2e387ef917ad72eb64165768291
SHA2563d16630c2cd9dd265f07dc3399c679233f2908baf02ea279ff0b0e8f7eee77b2
SHA512a7a4ca888d6799bfade22b75894124dfc922634e2215c2247b388799aa566388115aebb109cc2fc2983498311839366bd5cc438f5d8f1b56c8cc92cbb6e1a3e8
-
Filesize
4KB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
100KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
4KB
-
Filesize
480KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
1.3MB