Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 20/03/2024, 02:01
Behavioral task: behavioral1
Sample: 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
Resource: win7-20240221-en
General
- Target: 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
- Size: 233KB
- MD5: b0e371680c2c465a447d8cb4ad0ffa57
- SHA1: b622b7dfb03b70219fe047abd365fe88a4316394
- SHA256: 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d
- SHA512: b6956d170613bfae4afb1754bf9a2bdcc8ebce5a4e4c2d8052921a929969bf67f8defa8ad6f396fedf45dfd65d70e19bbe2998f49b6f16bb3167b392fb231577
- SSDEEP: 6144:4mvl3n8iOiB4RBucKa3h80tK2gBWvADGGw6j1:tvlX8i8RB5JvADGGnj
Malware Config
Extracted
remcos
chuk
mexbar.duckdns.org:3119
chukwuonye.duckdns.org:3241
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-S6EIWK
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 14 IoCs
  resource | yara_rule
  behavioral2/memory/4048-3-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-6-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-9-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-11-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-15-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-18-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-21-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-23-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-27-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-30-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-32-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-35-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-39-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral2/memory/4048-42-0x0000000000400000-0x000000000048A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
- UPX dump on OEP (original entry point) 15 IoCs
  resource | yara_rule
  behavioral2/memory/4048-0-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-3-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-6-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-9-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-11-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-15-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-18-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-21-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-23-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-27-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-30-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-32-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-35-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-39-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  behavioral2/memory/4048-42-0x0000000000400000-0x000000000048A000-memory.dmp | UPX
  resource | yara_rule
  behavioral2/memory/4048-0-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-3-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-6-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-9-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-11-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-15-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-18-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-21-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-23-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-27-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-30-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-32-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-35-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-39-0x0000000000400000-0x000000000048A000-memory.dmp | upx
  behavioral2/memory/4048-42-0x0000000000400000-0x000000000048A000-memory.dmp | upx
- Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  4048 | 043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
Processes
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 144B
  MD5: 270f2c3d96a2e605a9d6252cd4237a1e
  SHA1: 8a9d67da5cb448e417ac2e389d6d47140ad27058
  SHA256: f35270dffc9a0b2141236e8e7615c25c2d16498c1a20775dbeb23d3ee8cb7cd4
  SHA512: 2cde61498523edc01d8770ec5593fa518e21febb387a7220fe99d8a596aaf27cabc76d21c36a3606d0ed0e336ed08b8073f9ee60b3c4896846426499dd5afa99