Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7.rtf
-
Size
73KB
-
Sample
240425-bfwwxacf6v
-
MD5
f97c50feb93e72f7d26909c1180de9f2
-
SHA1
809c718c1685b18ace672b7aae0a3b9be1b9627b
-
SHA256
0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7
-
SHA512
3a02c2538959001e1dd45667b362df7c967bee68e939919b58bd593cde9cc653201c2bb0a64d408d8c7e5d5c80f849b8af6303998013ffcd4562bc1df49e7796
-
SSDEEP
1536:pUlKpWpupfL9+HlHkDOEAgG+Re7LGhzgTExsjaY9qyrcseX1VgLY:zWpupfLQlHHngxRoKhzgTq4rBeX1VgLY
Static task
static1
Behavioral task
behavioral1
Sample
0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7.rtf
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7.rtf
Resource
win10v2004-20240412-en
Malware Config
Extracted
remcos
Zynova
remcjulia.duckdns.org:14645
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-76C83U
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7.rtf
-
Size
73KB
-
MD5
f97c50feb93e72f7d26909c1180de9f2
-
SHA1
809c718c1685b18ace672b7aae0a3b9be1b9627b
-
SHA256
0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7
-
SHA512
3a02c2538959001e1dd45667b362df7c967bee68e939919b58bd593cde9cc653201c2bb0a64d408d8c7e5d5c80f849b8af6303998013ffcd4562bc1df49e7796
-
SSDEEP
1536:pUlKpWpupfL9+HlHkDOEAgG+Re7LGhzgTExsjaY9qyrcseX1VgLY:zWpupfLQlHHngxRoKhzgTq4rBeX1VgLY
Score10/10-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
-
Blocklisted process makes network request
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-