Analysis
max time kernel: 150s
max time network: 130s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 12:56
Static task: static1
Behavioral task: behavioral1
  Sample: c0a3f3e598d83fa8ee8a25857dd8eac7.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c0a3f3e598d83fa8ee8a25857dd8eac7.exe
  Resource: win10v2004-20240226-en
General
Target: c0a3f3e598d83fa8ee8a25857dd8eac7.exe
Size: 1.3MB
MD5: c0a3f3e598d83fa8ee8a25857dd8eac7
SHA1: bb2d23cc6f0050192840861534d7f8e4d227c8fc
SHA256: 9df34db4426f1e4b552636fd8ac7d48c919ba88eb3f402280a43b451f6bcfc42
SHA512: c4ded8b4d6e7dde536cf429ce54c50a979f43562ce137e7b82c0c5fd4ec216573ba87b4088a3ee4a0f4a1aa8a4cda0a41f088879835104a987ba9608b98bf2d2
SSDEEP: 24576:rAOcZAh/UjDCacEZHkbeNWe1E7mtq2D9lH38KyO14OuKOw7scoPE+FQYcXGI99:tl9Db97iBZlX8rO3JOzco8+6T99
Malware Config
Extracted
Family: remcos
Version: 3.1.5 Pro
RemoteHost: a2ztradiingventures.ddns.net:3814
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-J15A38
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  2404  nmdpgv.pif
  1376  RegSvcs.exe

Loads dropped DLL (5 IoCs)
  PID   Process
  1112  c0a3f3e598d83fa8ee8a25857dd8eac7.exe (4 loads)
  2404  nmdpgv.pif (1 load)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\23807057\\nmdpgv.pif c:\\23807057\\iqcd.vel"
  Process: nmdpgv.pif

Suspicious use of SetThreadContext (1 IoC)
  PID 2404 (nmdpgv.pif) set thread context of PID 1376 (procid_target 38)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2404 nmdpgv.pif

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1376 RegSvcs.exe

Suspicious use of WriteProcessMemory (41 IoCs; identical entries grouped, count in last column)
  Source PID  Process                               Target PID  procid_target  Count
  1112        c0a3f3e598d83fa8ee8a25857dd8eac7.exe  2404        28             4
  2404        nmdpgv.pif                            2540        29             4
  2404        nmdpgv.pif                            2352        30             4
  2404        nmdpgv.pif                            324         31             4
  2404        nmdpgv.pif                            1748        32             4
  2404        nmdpgv.pif                            2104        33             4
  2404        nmdpgv.pif                            2752        36             4
  2404        nmdpgv.pif                            564         37             4
  2404        nmdpgv.pif                            1376        38             9
Processes
- C:\Users\Admin\AppData\Local\Temp\c0a3f3e598d83fa8ee8a25857dd8eac7.exe (PID 1112)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0a3f3e598d83fa8ee8a25857dd8eac7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\23807057\nmdpgv.pif (PID 2404)
    Command line: "C:\23807057\nmdpgv.pif" iqcd.vel
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe (PID 2540)
      Command line: "C:\Windows\SysWOW64\mshta.exe"
    - C:\Windows\SysWOW64\mshta.exe (PID 2352)
      Command line: "C:\Windows\SysWOW64\mshta.exe"
    - C:\Windows\SysWOW64\mshta.exe (PID 324)
      Command line: "C:\Windows\SysWOW64\mshta.exe"
    - C:\Windows\SysWOW64\mshta.exe (PID 1748)
      Command line: "C:\Windows\SysWOW64\mshta.exe"
    - C:\Windows\SysWOW64\mshta.exe (PID 2104)
      Command line: "C:\Windows\SysWOW64\mshta.exe"
    - C:\Windows\SysWOW64\mshta.exe (PID 2752)
      Command line: "C:\Windows\SysWOW64\mshta.exe"
    - C:\Windows\SysWOW64\mshta.exe (PID 564)
      Command line: "C:\Windows\SysWOW64\mshta.exe"
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 1376)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads