Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/03/2024, 10:21
Static task: static1
Behavioral task: behavioral1
  Sample: DHL Shipped Documents for 3-Shipments 205+19.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: DHL Shipped Documents for 3-Shipments 205+19.exe
  Resource: win10v2004-20231215-en
General
Target: DHL Shipped Documents for 3-Shipments 205+19.exe
Size: 1.0MB
MD5: 2fd81801e9d0d8b835a4e48372876bf0
SHA1: ccf727bd273bdc31ce158a46cfd151fc2b9b85d5
SHA256: 6a7c6a729d852d01d74832748b6571bafaefcd0bd12aced32e4fa88166af8817
SHA512: 70b1d7f26c2636084a6550d9ec3ef9d82a89d8316aa15c7b7877f665e5beb164bfcefb77b06f05865f38bb10e05e64f0c48c038fe4f9792c987ec7acfce09805
SSDEEP: 24576:potl6JnbeVcW1/IksIH96lE38GUmdd3ydnCxtQhMfm9dQGQkeE:potAJnbeVcfk3mE+mednsQhMgdLv5
Malware Config
Extracted
Family: remcos
Botnet: MR KAY
C2: 192.210.201.57:52499
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-GVXREQ
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/2328-150-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
behavioral2/memory/2328-142-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/memory/3264-144-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/3264-154-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
Nirsoft 6 IoCs
resource | yara_rule
behavioral2/memory/3264-144-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/2328-150-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/4332-152-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/4332-151-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/2328-142-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/3264-154-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | DHL Shipped Documents for 3-Shipments 205+19.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | DHL Shipped Documents for 3-Shipments 205+19.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | remcos.exe
Executes dropped EXE 7 IoCs
pid | Process
3236 | remcos.exe
4768 | remcos.exe
528 | remcos.exe
1748 | remcos.exe
3264 | remcos.exe
2328 | remcos.exe
4332 | remcos.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | remcos.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-GVXREQ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | DHL Shipped Documents for 3-Shipments 205+19.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-GVXREQ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | DHL Shipped Documents for 3-Shipments 205+19.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-GVXREQ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | remcos.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-GVXREQ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | remcos.exe
Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 1780 set thread context of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 3236 set thread context of 1748 | 3236 | remcos.exe | 97
PID 1748 set thread context of 3264 | 1748 | remcos.exe | 100
PID 1748 set thread context of 2328 | 1748 | remcos.exe | 101
PID 1748 set thread context of 4332 | 1748 | remcos.exe | 102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
1780 | DHL Shipped Documents for 3-Shipments 205+19.exe
1780 | DHL Shipped Documents for 3-Shipments 205+19.exe
316 | powershell.exe
316 | powershell.exe
3236 | remcos.exe
3236 | remcos.exe
3236 | remcos.exe
3236 | remcos.exe
3236 | remcos.exe
3236 | remcos.exe
1504 | powershell.exe
1504 | powershell.exe
3264 | remcos.exe
3264 | remcos.exe
4332 | remcos.exe
4332 | remcos.exe
3264 | remcos.exe
3264 | remcos.exe
Suspicious behavior: MapViewOfSection 3 IoCs
pid | Process
1748 | remcos.exe
1748 | remcos.exe
1748 | remcos.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe
Token: SeDebugPrivilege | 316 | powershell.exe
Token: SeDebugPrivilege | 3236 | remcos.exe
Token: SeDebugPrivilege | 1504 | powershell.exe
Token: SeDebugPrivilege | 4332 | remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1748 | remcos.exe
Suspicious use of WriteProcessMemory 51 IoCs
description | pid | Process | procid_target
PID 1780 wrote to memory of 316 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 84
PID 1780 wrote to memory of 316 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 84
PID 1780 wrote to memory of 316 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 84
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 1780 wrote to memory of 5012 | 1780 | DHL Shipped Documents for 3-Shipments 205+19.exe | 86
PID 5012 wrote to memory of 3236 | 5012 | DHL Shipped Documents for 3-Shipments 205+19.exe | 87
PID 5012 wrote to memory of 3236 | 5012 | DHL Shipped Documents for 3-Shipments 205+19.exe | 87
PID 5012 wrote to memory of 3236 | 5012 | DHL Shipped Documents for 3-Shipments 205+19.exe | 87
PID 3236 wrote to memory of 1504 | 3236 | remcos.exe | 93
PID 3236 wrote to memory of 1504 | 3236 | remcos.exe | 93
PID 3236 wrote to memory of 1504 | 3236 | remcos.exe | 93
PID 3236 wrote to memory of 4768 | 3236 | remcos.exe | 95
PID 3236 wrote to memory of 4768 | 3236 | remcos.exe | 95
PID 3236 wrote to memory of 4768 | 3236 | remcos.exe | 95
PID 3236 wrote to memory of 528 | 3236 | remcos.exe | 96
PID 3236 wrote to memory of 528 | 3236 | remcos.exe | 96
PID 3236 wrote to memory of 528 | 3236 | remcos.exe | 96
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 3236 wrote to memory of 1748 | 3236 | remcos.exe | 97
PID 1748 wrote to memory of 3264 | 1748 | remcos.exe | 100
PID 1748 wrote to memory of 3264 | 1748 | remcos.exe | 100
PID 1748 wrote to memory of 3264 | 1748 | remcos.exe | 100
PID 1748 wrote to memory of 3264 | 1748 | remcos.exe | 100
PID 1748 wrote to memory of 2328 | 1748 | remcos.exe | 101
PID 1748 wrote to memory of 2328 | 1748 | remcos.exe | 101
PID 1748 wrote to memory of 2328 | 1748 | remcos.exe | 101
PID 1748 wrote to memory of 2328 | 1748 | remcos.exe | 101
PID 1748 wrote to memory of 4332 | 1748 | remcos.exe | 102
PID 1748 wrote to memory of 4332 | 1748 | remcos.exe | 102
PID 1748 wrote to memory of 4332 | 1748 | remcos.exe | 102
PID 1748 wrote to memory of 4332 | 1748 | remcos.exe | 102
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\DHL Shipped Documents for 3-Shipments 205+19.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipped Documents for 3-Shipments 205+19.exe"
  PID: 1780
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL Shipped Documents for 3-Shipments 205+19.exe"
    PID: 316
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Users\Admin\AppData\Local\Temp\DHL Shipped Documents for 3-Shipments 205+19.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipped Documents for 3-Shipments 205+19.exe"
    PID: 5012
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Level 3: C:\ProgramData\Remcos\remcos.exe
      Command line: "C:\ProgramData\Remcos\remcos.exe"
      PID: 3236
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
        PID: 1504
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      Level 4: C:\ProgramData\Remcos\remcos.exe
        Command line: "C:\ProgramData\Remcos\remcos.exe"
        PID: 4768
        - Executes dropped EXE
      Level 4: C:\ProgramData\Remcos\remcos.exe
        Command line: "C:\ProgramData\Remcos\remcos.exe"
        PID: 528
        - Executes dropped EXE
      Level 4: C:\ProgramData\Remcos\remcos.exe
        Command line: "C:\ProgramData\Remcos\remcos.exe"
        PID: 1748
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Level 5: C:\ProgramData\Remcos\remcos.exe
          Command line: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\rsouiulfozqpxhxprqwjsdtpeqstujfh"
          PID: 3264
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
        Level 5: C:\ProgramData\Remcos\remcos.exe
          Command line: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\bmcn"
          PID: 2328
          - Executes dropped EXE
          - Accesses Microsoft Outlook accounts
        Level 5: C:\ProgramData\Remcos\remcos.exe
          Command line: C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\mohykfg"
          PID: 4332
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken