Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Mit Techno...B).exe

windows7-x64

10

Mit Techno...B).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/02/2024, 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe

  • Size

    5KB

  • MD5

    10531525068f2547147c84cf4b464f75

  • SHA1

    7c05bb4ee5c49eef647837347825c19a1756d73b

  • SHA256

    2821d789c0b37d3ed136eebd66c36216386fa9d4935fcd733b1e8ef4fd388d36

  • SHA512

    d6a9e15f614aab2a2baecb832f5c7ba642893fd62d353bac09d1a247a834ef0e4ec781551e6a5ed9deb97308f19cb333b52f71e82e5ff2536bdcc2d843350fa5

  • SSDEEP

    48:6yZEbVTWEkfWXedefzwYczF5ejsFBCJwUhloy54Rn6l+spsVtiOl1VeRqFSpfbNM:sQEPeoczo4YwUhuyy++BvVeTzNt

Score
10/10
remcoszgratfreshcollectionpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

FRESH

C2

igw.myfirewall.org:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-4HN46L

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Detect ZGRat V1 34 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe
    "C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3112
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /release
        3⤵
        • Gathers network information
        PID:2348
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4220
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /renew
        3⤵
        • Gathers network information
        PID:2744
    • C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe
      "C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3420
      • C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe
        "C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe" /stext "C:\Users\Admin\AppData\Local\Temp\uowgkqtzawtwmlskfxcn"
        3⤵
          PID:2960
        • C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe
          "C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe" /stext "C:\Users\Admin\AppData\Local\Temp\uowgkqtzawtwmlskfxcn"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:656
        • C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe
          "C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe" /stext "C:\Users\Admin\AppData\Local\Temp\fqczlieaoelbpzoowiwgqxjm"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:4168
        • C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe
          "C:\Users\Admin\AppData\Local\Temp\Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).exe" /stext "C:\Users\Admin\AppData\Local\Temp\hkprmbpucmdozfcsftjibcedtgq"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize

      144B

      MD5

      a957012c1cced7427ce0f77a6c50dc66

      SHA1

      e6b42230fb9d6e33718814e1ef49df2268f99f1b

      SHA256

      31b7e37e525c5310f9f65467ebc4a0735b85e57a7a3cb56a002633e6ff48acc9

      SHA512

      475af0e7acfa71400f918bfba444065ee87e4e960133236196001d13765662fbb65b3246b53f34573a7c948336bee6d001af2bb38a362e4d077ac2e920366a74

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\uowgkqtzawtwmlskfxcn
      Filesize

      4KB

      MD5

      0cb17253d14f1f732dfbc3ef9b580d1e

      SHA1

      85d726cf68f14dd34090de9f4d160c0387249b68

      SHA256

      e09a0aed9bbc43da3b7a85d30a9a10b54d11c096aa6cef81c23364bc9c4dfcc9

      SHA512

      f651e62d58e83f9d5e21f3ac8cc516290bfff66c1981dc14cc3a7a900db70d6e7e15c99bb717a18c036b96a6c2f794c2351df7aa39b69531f2112860a51a86ee

      Download Submit

    • memory/656-1157-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/656-1165-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/2440-1158-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2440-1163-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3420-1132-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3420-1180-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3420-1174-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3420-1171-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3420-1183-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4168-1154-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/4168-1162-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/4984-39-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-53-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-13-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-15-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-17-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-19-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-21-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-23-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-25-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-27-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-29-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-31-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-33-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-35-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-37-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-9-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-41-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-43-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-45-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-47-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-49-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-51-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-55-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-11-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-57-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-59-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-61-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-63-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-65-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-67-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-69-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-1120-0x0000000005640000-0x0000000005641000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4984-1122-0x00000000056A0000-0x00000000056EC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4984-7-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-6-0x00000000054B0000-0x0000000005590000-memory.dmp

      Filesize

      896KB

      Download

    • memory/4984-5-0x0000000005700000-0x000000000580A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4984-4-0x0000000005BB0000-0x00000000061C8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4984-3-0x00000000054B0000-0x0000000005596000-memory.dmp

      Filesize

      920KB

      Download

    • memory/4984-2-0x0000000004960000-0x0000000004970000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-1-0x0000000074430000-0x0000000074BE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4984-0-0x0000000000020000-0x0000000000028000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4984-1121-0x0000000005880000-0x00000000058F0000-memory.dmp

      Filesize

      448KB

      Download

    • memory/4984-1123-0x0000000074430000-0x0000000074BE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4984-1124-0x0000000004960000-0x0000000004970000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-1125-0x0000000006BF0000-0x0000000007194000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4984-1131-0x0000000074430000-0x0000000074BE0000-memory.dmp

      Filesize

      7.7MB

      Download