Analysis
max time kernel: 147s
max time network: 142s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20/03/2024, 02:01 UTC
Behavioral task: behavioral1
Sample: 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
Resource: win7-20240221-en
General
Target: 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
Size: 233KB
MD5: b0e371680c2c465a447d8cb4ad0ffa57
SHA1: b622b7dfb03b70219fe047abd365fe88a4316394
SHA256: 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d
SHA512: b6956d170613bfae4afb1754bf9a2bdcc8ebce5a4e4c2d8052921a929969bf67f8defa8ad6f396fedf45dfd65d70e19bbe2998f49b6f16bb3167b392fb231577
SSDEEP: 6144:4mvl3n8iOiB4RBucKa3h80tK2gBWvADGGw6j1:tvlX8i8RB5JvADGGnj
Malware Config
Extracted
Family: remcos
Botnet: chuk
C2: mexbar.duckdns.org:3119
C2: chukwuonye.duckdns.org:3241
Attributes
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-S6EIWK
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
- Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), 14 IoCs (YARA rule INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, matched on memory dumps of PID 1924)
- UPX dump on OEP (original entry point), 15 IoCs (YARA rules UPX and upx, matched on memory dumps of PID 1924)
- Suspicious use of SetWindowsHookEx, 1 IoC (PID 1924, 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe)
Network
DNS lookups (resolver 8.8.8.8:53)
  mexbar.duckdns.org      IN A  ->  197.210.55.48   (3 queries, 3 responses)
  chukwuonye.duckdns.org  IN A  ->  94.156.71.212   (3 queries, 3 responses)
Connections by 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
  197.210.55.48:3119  mexbar.duckdns.org       152 B 3   (4 flows)
  94.156.71.212:3241  chukwuonye.duckdns.org   152 B 3   (3 flows)
DNS flows by 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe (sent / received, requests / responses)
  8.8.8.8:53  mexbar.duckdns.org      128 B / 160 B, 2 / 2   (request mexbar.duckdns.org x2, response 197.210.55.48 x2)
  8.8.8.8:53  chukwuonye.duckdns.org  136 B / 168 B, 2 / 2   (request chukwuonye.duckdns.org x2, response 94.156.71.212 x2)
  8.8.8.8:53  mexbar.duckdns.org      64 B / 80 B, 1 / 1     (request mexbar.duckdns.org, response 197.210.55.48)
  8.8.8.8:53  chukwuonye.duckdns.org  68 B / 84 B, 1 / 1     (request chukwuonye.duckdns.org, response 94.156.71.212)
Downloads
Filesize: 144B
MD5: 0fb0c230fedbf52184070033bd20b072
SHA1: 1dfa4921757d23c2bd01afe40d7996dc23f4833b
SHA256: f62c1b8d80567acb17b522778a1b99779e96fb0a6eed7a15f9cba1830935c1eb
SHA512: 480aed33acc943ec4c48982cf03fa7fa74a7f2bd0a7fcc7723ec1ff0bc44b11dd818af29669f4d2353d253febb22cfa0fbd513ac3f2ca3182a0cc8193d4548c1