Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/03/2024, 12:57
Static task
- static1

Behavioral tasks
- behavioral1: sample Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe, resource win7-20231129-en
- behavioral2: sample Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe, resource win10v2004-20240226-en (the run whose signatures and process tree are shown below)
General
- Target: Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe
- Size: 926KB
- MD5: a5116c0a496d4b011dd2afc12147d1b2
- SHA1: 967e37264a5e0982b21b267211f9c5ccdc1662cf
- SHA256: 98b668f7457089866b6364c672e8dd35b12a24899eb80fdfcfc2a5aab8d9aa5b
- SHA512: 1d1922b3cbd0bc2e3e85ce0e787f63819a8f0a76286f58d590fecc3d5753cf78fe17ce3ecf8253117189a8f994e4b7b167aca394721bf3f1acd708f2702ffe87
- SSDEEP: 24576:8cKhi13lO4V99LzjUdKc7dJ3iPOgrNiFj2+:NKE1hLzjA7Z8Piz
Malware Config
Extracted family: remcos
- botnet: JONS
- C2: 172.245.208.13:4445
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-R7QS5C
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5

Note that install_flag, keylog_flag and screenshot_flag are all false: Remcos's own installer, keylogger and screenshot capture are switched off in this build, so the copy_file/copy_folder values (Remcos\remcos.exe) are not what persists on the host. Persistence is set up by the dropper instead (a Run key and an onlogon scheduled task, both pointing at %AppData%\svchost.exe; see Signatures below). The mutex Rmc-R7QS5C and the C2 endpoint 172.245.208.13:4445 are the indicators that pin down this specific build.
Signatures

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients.
- behavioral2/memory/4768-40-0x0000000000400000-0x0000000000462000-memory.dmp: yara rule MailPassView
- behavioral2/memory/4768-48-0x0000000000400000-0x0000000000462000-memory.dmp: yara rule MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers.
- behavioral2/memory/548-37-0x0000000000400000-0x0000000000478000-memory.dmp: yara rule WebBrowserPassView
- behavioral2/memory/548-51-0x0000000000400000-0x0000000000478000-memory.dmp: yara rule WebBrowserPassView

Nirsoft (6 IoCs)
- behavioral2/memory/548-37-0x0000000000400000-0x0000000000478000-memory.dmp: yara rule Nirsoft
- behavioral2/memory/4768-40-0x0000000000400000-0x0000000000462000-memory.dmp: yara rule Nirsoft
- behavioral2/memory/756-47-0x0000000000400000-0x0000000000424000-memory.dmp: yara rule Nirsoft
- behavioral2/memory/4768-48-0x0000000000400000-0x0000000000462000-memory.dmp: yara rule Nirsoft
- behavioral2/memory/756-49-0x0000000000400000-0x0000000000424000-memory.dmp: yara rule Nirsoft
- behavioral2/memory/548-51-0x0000000000400000-0x0000000000478000-memory.dmp: yara rule Nirsoft

All three NirSoft matches are in the image range (starting at 0x400000) of csc.exe children (PIDs 548, 4768, 756), not in the dropper itself: the tools were written into hollowed csc.exe processes, which is consistent with the SetThreadContext, WriteProcessMemory and MapViewOfSection signatures below.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation, by Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe

Executes dropped EXE (1 IoC)
- PID 2444 svchost.exe

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, by csc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"", by Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe

Suspicious use of SetThreadContext (4 IoCs)
- PID 2444 svchost.exe set thread context of PID 1720 (procid_target 101)
- PID 1720 csc.exe set thread context of PID 548 (procid_target 107)
- PID 1720 csc.exe set thread context of PID 4768 (procid_target 109)
- PID 1720 csc.exe set thread context of PID 756 (procid_target 113)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 5052 schtasks.exe

Delays execution with timeout.exe (1 IoC)
- PID 4304 timeout.exe

Runs regedit.exe (1 IoC)
- PID 4380 regedit.exe

Suspicious behavior: EnumeratesProcesses (29 IoCs)
- PID 2120 Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe (23 hits)
- PID 548 csc.exe (4 hits)
- PID 756 csc.exe (2 hits)

Suspicious behavior: MapViewOfSection (7 IoCs)
- PID 1720 csc.exe (7 hits)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token SeDebugPrivilege: PID 2120 Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe
- Token SeDebugPrivilege: PID 2444 svchost.exe
- Token SeDebugPrivilege: PID 756 csc.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1720 csc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Writer -> target (procid_target): number of writes
- 2120 Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe -> 3984 cmd.exe (88): 2
- 2120 Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe -> 4224 cmd.exe (89): 2
- 4224 cmd.exe -> 4304 timeout.exe (92): 2
- 3984 cmd.exe -> 5052 schtasks.exe (93): 2
- 4224 cmd.exe -> 2444 svchost.exe (96): 2
- 2444 svchost.exe -> 1276 svchost.exe (99): 10
- 2444 svchost.exe -> 4380 regedit.exe (100): 10
- 2444 svchost.exe -> 1720 csc.exe (101): 12
- 2444 svchost.exe -> 4396 csc.exe (102): 3
- 1720 csc.exe -> 548 csc.exe (107): 4
- 1720 csc.exe -> 1556 csc.exe (108): 3
- 1720 csc.exe -> 4768 csc.exe (109): 4
- 1720 csc.exe -> 4032 csc.exe (110): 3
- 1720 csc.exe -> 1144 csc.exe (111): 3
- 1720 csc.exe -> 3128 csc.exe (112): 2

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe (PID 2120)
  command line: "C:\Users\Admin\AppData\Local\Temp\Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (PID 3984)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 5052)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe (PID 4224)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6F73.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe (PID 4304)
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2444)
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\svchost.exe (PID 1276)
        command line: "C:\Windows\System32\svchost.exe"

      C:\Windows\regedit.exe (PID 4380)
        command line: "C:\Windows\regedit.exe"
        - Runs regedit.exe

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 1720)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 548)
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\mribrwna"
          - Suspicious behavior: EnumeratesProcesses

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 1556)
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\wtomroxcpuk"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 4768)
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\wtomroxcpuk"
          - Accesses Microsoft Outlook accounts

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 4032)
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\hnteshivdccltek"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 1144)
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\hnteshivdccltek"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 3128)
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\hnteshivdccltek"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 756)
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\hnteshivdccltek"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 4396)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
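The chain above (an onlogon scheduled task and a Run key both pointing at %AppData%\svchost.exe, a fake svchost.exe setting thread context on csc.exe, and csc.exe re-spawning itself with /stext, a switch the C# compiler does not have but the NirSoft tools do) can be turned directly into host detection logic. The following is an added example written for this page, not code from tria.ge, from Remcos or from the sample. The Sysmon-style events are constructed from the report's own values (EventID 1 process creation, EventID 13 registry value set); the rule names and the "user-writable directory" heuristic are the editor's assumptions.

```python
"""Host-side detection of the persistence and injection chain in this report.

Added example (editor's code, not from tria.ge, Remcos or the sample).
EVENTS is constructed in Sysmon's field layout from the report's process
tree and registry IoCs; rule names and heuristics are assumptions.
"""
import re

# Directories a standard user can write to. A binary living here that is
# made persistent (Run key, onlogon task) is far more suspicious than one
# under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.I)

# The only two places the genuine service host is loaded from.
REAL_SVCHOST = re.compile(r"^c:\\windows\\(system32|syswow64)\\svchost\.exe$", re.I)

# Constructed events; values copied from the report. The last event is a
# benign compiler invocation (assumed) that must NOT fire.
EVENTS = [
    {"EventID": 1, "ProcessId": 5052, "ParentProcessId": 3984,
     "Image": r"C:\Windows\system32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"""schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'"""},
    {"EventID": 13, "ProcessId": 2120,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe",
     "TargetObject": r"HKU\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"EventID": 1, "ProcessId": 2444, "ParentProcessId": 4224,
     "Image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"EventID": 1, "ProcessId": 1720, "ParentProcessId": 2444,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"'},
    {"EventID": 1, "ProcessId": 548, "ParentProcessId": 1720,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\mribrwna"'},
    {"EventID": 1, "ProcessId": 9001, "ParentProcessId": 9000,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"csc.exe /noconfig /out:obj\Debug\App.exe Program.cs"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs in event order."""
    findings = []
    for e in events:
        pid, image = e["ProcessId"], e.get("Image", "")
        cmd, exe = e.get("CommandLine", ""), basename(image)

        # Rule 1: schtasks /create /sc onlogon whose /tr target sits in a
        # user-writable directory (here \AppData\Roaming\svchost.exe).
        if e["EventID"] == 1 and exe == "schtasks.exe":
            tr = re.search(r"/tr\s+['\"]+([^'\"]+)", cmd, re.I)
            if (re.search(r"/create\b", cmd, re.I)
                    and re.search(r"/sc\s+onlogon\b", cmd, re.I)
                    and tr and USER_WRITABLE.search(tr.group(1))):
                findings.append(("schtasks_onlogon_userdir", pid))

        # Rule 2: Run-key value pointing into a user-writable directory.
        if (e["EventID"] == 13
                and re.search(r"\\CurrentVersion\\Run\\", e.get("TargetObject", ""), re.I)
                and USER_WRITABLE.search(e.get("Details", ""))):
            findings.append(("run_key_userdir", pid))

        # Rule 3: svchost.exe executed from anywhere but System32/SysWOW64.
        if e["EventID"] == 1 and exe == "svchost.exe" and not REAL_SVCHOST.match(image):
            findings.append(("svchost_masquerade", pid))

        # Rule 4: csc.exe whose parent lives in a user-writable directory
        # (the dropped loader hollowing the compiler).
        if e["EventID"] == 1 and exe == "csc.exe" and USER_WRITABLE.search(e.get("ParentImage", "")):
            findings.append(("csc_from_userdir_parent", pid))

        # Rule 5: csc.exe with /stext. csc has no such switch; it is the
        # NirSoft "save as text" option, i.e. a password-recovery tool
        # running inside a hollowed csc.exe.
        if e["EventID"] == 1 and exe == "csc.exe" and re.search(r"/stext\b", cmd, re.I):
            findings.append(("csc_stext_nirsoft", pid))
    return findings


def ancestry(events, pid):
    """Walk ParentProcessId links upward; returns image basenames, child first.
    Stops when the parent has no creation event in the data."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:26} pid={pid} chain={' <- '.join(ancestry(EVENTS, pid))}")
```

Rules 3 to 5 are the ones worth keeping in production: a Run key or onlogon task into AppData has some legitimate users, but csc.exe launched from a user-writable parent, or carrying a /stext switch, does not occur in normal builds, and the benign MSBuild-spawned csc.exe in the sample set shows that neither rule fires on a real compile.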
Network
MITRE ATT&CK Enterprise v15
Downloads
- 144B
  MD5 02cebfb459dd19e3e73153c88d19a676
  SHA1 fd63936dba1755cb1c55ce0c279acc9342285167
  SHA256 04af763bd342951ff15a53a25fecb7f5a1c650cf5ccc732801998288a0cdf756
  SHA512 3bae54b66f65c7431968d77add0ab2524e80057fb4a604769545724f9eeba42b1bcb231be44a98c3065741b5feb12a4e76087b79e5c1d93cc31dc70f3530f4b3
- 4KB
  MD5 32a7b06ba8a0426235849b55b563b06b
  SHA1 47157e4608ac7375544e6a59c7353f5bea8167f5
  SHA256 14bb01cde2127abdc8cbef51092d1327d4fc63d40b47ca4621947c0dd8475e52
  SHA512 0a610acf3ee1abcbb198d0d52de567d8c40d3460897ad9cb53d1a9cc463935b13c13e880b23716a429d8680794d24e1d1ecfce2f386e3861798bd03bbf1f8cf6
- 151B
  MD5 299635827d4a5e18cb9f8bdd9a095e21
  SHA1 beb54dd886e9ef77c73f2931c5834fba6fdd4b15
  SHA256 22bbc413b236a919af92367dcf1f54641fc62973c192cf684796d827cedc3086
  SHA512 0175c40926f4792088ebd5d697f4ca0220b7738854576561834388c48e81791e9f6407c8fbe3f43af8b263b846ef0981243d8156e04d798db6739ca095bbbe83
- 926KB
  MD5 a5116c0a496d4b011dd2afc12147d1b2
  SHA1 967e37264a5e0982b21b267211f9c5ccdc1662cf
  SHA256 98b668f7457089866b6364c672e8dd35b12a24899eb80fdfcfc2a5aab8d9aa5b
  SHA512 1d1922b3cbd0bc2e3e85ce0e787f63819a8f0a76286f58d590fecc3d5753cf78fe17ce3ecf8253117189a8f994e4b7b167aca394721bf3f1acd708f2702ffe87
  All four hashes match the submitted sample, so this is a byte-for-byte self-copy, consistent with the dropped C:\Users\Admin\AppData\Roaming\svchost.exe that the Run key and scheduled task point at.