Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 09:12

Tasks
- Static task static1
- Behavioral task behavioral1: sample Purchase_order_PO1989404.cmd, resource win7-20240508-en
- Behavioral task behavioral2: sample Purchase_order_PO1989404.cmd, resource win10v2004-20240426-en
General
Target: Purchase_order_PO1989404.cmd
Size: 4.5MB
MD5: 4f9b4171ee4728182a576b52c934da7d
SHA1: d58845c88d55aac067b919a5b4bde79d228cf5b6
SHA256: bd4ac830b43dc0f7f7ed19e1cb9b51783bfe36dfd8e58cc93a2e139fcce2c1e8
SHA512: 7782a15c610d419935960f8f73243c9016441476f666c99bb71de4234f9006aa94bdc643ecda6f274187a8f41953796ea089abc20a001c771776d9b4d2355f0a
SSDEEP: 24576:ajN3QGmU4n/+6JVT+avOgeF/ehZ2gCrxBJGhRCAQ:iFQGmdn/+GdRvOX9gCqQ
Malware Config
Extracted: remcos
RemoteHost:
  taker202.ddns.net:3017
  taker202.duckdns.org:5033
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: xmnw-AAJ144
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
  resource                                                                      yara_rule
  behavioral2/memory/4048-66-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView
  behavioral2/memory/4048-58-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView
  behavioral2/memory/4048-56-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
  resource                                                                      yara_rule
  behavioral2/memory/2216-60-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
  behavioral2/memory/2216-73-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView

Nirsoft (7 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2216-60-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
  behavioral2/memory/4048-66-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
  behavioral2/memory/2676-64-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
  behavioral2/memory/4048-58-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
  behavioral2/memory/4048-56-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
  behavioral2/memory/2676-71-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
  behavioral2/memory/2216-73-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft

Executes dropped EXE (11 IoCs)
  pid   Process
  4892  alpha.exe
  1696  alpha.exe
  3308  kn.exe
  2476  alpha.exe
  5004  kn.exe
  4788  sppsvc.pif
  2880  alpha.exe
  532   alpha.exe
  2216  sppsvc.pif
  4048  sppsvc.pif
  2676  sppsvc.pif

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description  ioc                                                                                                                        Process
  Key opened   \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  sppsvc.pif

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xhqgbabp = "C:\\Users\\Public\\Xhqgbabp.url"  sppsvc.pif

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process     procid_target
  PID 4788 set thread context of 2216  4788  sppsvc.pif  104
  PID 4788 set thread context of 4048  4788  sppsvc.pif  105
  PID 4788 set thread context of 2676  4788  sppsvc.pif  106

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  17    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  19    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2216  sppsvc.pif
  2216  sppsvc.pif
  2676  sppsvc.pif
  2676  sppsvc.pif
  2216  sppsvc.pif
  2216  sppsvc.pif

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid   Process
  4788  sppsvc.pif
  4788  sppsvc.pif
  4788  sppsvc.pif

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2676  sppsvc.pif

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  4788  sppsvc.pif

Suspicious use of WriteProcessMemory (33 IoCs)
  description                        pid   Process     procid_target
  PID 1040 wrote to memory of 1688   1040  cmd.exe     83
  PID 1040 wrote to memory of 1688   1040  cmd.exe     83
  PID 1040 wrote to memory of 4892   1040  cmd.exe     84
  PID 1040 wrote to memory of 4892   1040  cmd.exe     84
  PID 4892 wrote to memory of 936    4892  alpha.exe   85
  PID 4892 wrote to memory of 936    4892  alpha.exe   85
  PID 1040 wrote to memory of 1696   1040  cmd.exe     86
  PID 1040 wrote to memory of 1696   1040  cmd.exe     86
  PID 1696 wrote to memory of 3308   1696  alpha.exe   87
  PID 1696 wrote to memory of 3308   1696  alpha.exe   87
  PID 1040 wrote to memory of 2476   1040  cmd.exe     89
  PID 1040 wrote to memory of 2476   1040  cmd.exe     89
  PID 2476 wrote to memory of 5004   2476  alpha.exe   90
  PID 2476 wrote to memory of 5004   2476  alpha.exe   90
  PID 1040 wrote to memory of 4788   1040  cmd.exe     93
  PID 1040 wrote to memory of 4788   1040  cmd.exe     93
  PID 1040 wrote to memory of 4788   1040  cmd.exe     93
  PID 1040 wrote to memory of 2880   1040  cmd.exe     94
  PID 1040 wrote to memory of 2880   1040  cmd.exe     94
  PID 1040 wrote to memory of 532    1040  cmd.exe     95
  PID 1040 wrote to memory of 532    1040  cmd.exe     95
  PID 4788 wrote to memory of 1500   4788  sppsvc.pif  100
  PID 4788 wrote to memory of 1500   4788  sppsvc.pif  100
  PID 4788 wrote to memory of 1500   4788  sppsvc.pif  100
  PID 4788 wrote to memory of 2216   4788  sppsvc.pif  104
  PID 4788 wrote to memory of 2216   4788  sppsvc.pif  104
  PID 4788 wrote to memory of 2216   4788  sppsvc.pif  104
  PID 4788 wrote to memory of 4048   4788  sppsvc.pif  105
  PID 4788 wrote to memory of 4048   4788  sppsvc.pif  105
  PID 4788 wrote to memory of 4048   4788  sppsvc.pif  105
  PID 4788 wrote to memory of 2676   4788  sppsvc.pif  106
  PID 4788 wrote to memory of 2676   4788  sppsvc.pif  106
  PID 4788 wrote to memory of 2676   4788  sppsvc.pif  106
Processes
(indented entries are child processes of the entry above them)

C:\Windows\system32\cmd.exe (PID 1040)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Purchase_order_PO1989404.cmd"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\extrac32.exe (PID 1688)
    Command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

  C:\Users\Public\alpha.exe (PID 4892)
    Command line: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\extrac32.exe (PID 936)
      Command line: extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

  C:\Users\Public\alpha.exe (PID 1696)
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Purchase_order_PO1989404.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\kn.exe (PID 3308)
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Purchase_order_PO1989404.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
      - Executes dropped EXE

  C:\Users\Public\alpha.exe (PID 2476)
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\kn.exe (PID 5004)
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
      - Executes dropped EXE

  C:\Users\Public\Libraries\sppsvc.pif (PID 4788)
    Command line: C:\Users\Public\Libraries\sppsvc.pif
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\extrac32.exe (PID 1500)
      Command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Xhqgbabp.PIF

    C:\Users\Public\Libraries\sppsvc.pif (PID 2216)
      Command line: C:\Users\Public\Libraries\sppsvc.pif /stext "C:\Users\Admin\AppData\Local\Temp\qrpv"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Public\Libraries\sppsvc.pif (PID 4048)
      Command line: C:\Users\Public\Libraries\sppsvc.pif /stext "C:\Users\Admin\AppData\Local\Temp\btvopuxm"
      - Executes dropped EXE
      - Accesses Microsoft Outlook accounts

    C:\Users\Public\Libraries\sppsvc.pif (PID 2676)
      Command line: C:\Users\Public\Libraries\sppsvc.pif /stext "C:\Users\Admin\AppData\Local\Temp\dnayqniocnf"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Public\alpha.exe (PID 2880)
    Command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
    - Executes dropped EXE

  C:\Users\Public\alpha.exe (PID 532)
    Command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: 9df8e941e0f6a1aed8a3bb99a97179dc
  SHA1: a487e7e65765cc4dad0e5d507c12381f7aead6f8
  SHA256: 094e579daafbd1340b5c3591acfb0d4b133ceb1e63d3b9d7ed80953ef6233a19
  SHA512: 65ce7376c048f2e36482cf3cfd4a8508b9e72032bbb8062aeeb587eb5678fa3723965d439e5c7aa06d82b0bf21366dc70fc21e662e10ccfe1bf312e0379996cb

- Filesize: 4KB
  MD5: 788d7419b32411807cc6753cbbccecbe
  SHA1: 761b99a1e5bc168f525181d78cff3f6ed82daa14
  SHA256: 76150e857b36f1f070422d2ad4df17f87454466348e4bfc158b028977378140b
  SHA512: 3003f104b0b07870015ff4e9e0d254c2e537d4c68ef664a772d7018827b0ccbeb5481a2ce587b88e6ab1d71d6ce523a620c11c00c676857d5fd5ab949fa617b4

- Filesize: 1.6MB
  MD5: c26c2acac8badfe751f8614f4ff978a0
  SHA1: e7bddc0bf4cd8b3fe801bb3fc4d75a0bddf52dda
  SHA256: 190278e5db1ab39792859b7d7cbb4dfcf544bd4d6d52404bfc616b81e4e76196
  SHA512: 6ea022497945444c85434895f21629d5620729d587cfe04dc74d4b62487468a0deffedfd791978582292f00b85e0622a81fdff9a7204de3a185a3d3f765389cb

- Filesize: 283KB
  MD5: 8a2122e8162dbef04694b9c3e0b6cdee
  SHA1: f1efb0fddc156e4c61c5f78a54700e4e7984d55d
  SHA256: b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
  SHA512: 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

- Filesize: 1.6MB
  MD5: bd8d9943a9b1def98eb83e0fa48796c2
  SHA1: 70e89852f023ab7cde0173eda1208dbb580f1e4f
  SHA256: 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
  SHA512: 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

- Filesize: 3.2MB
  MD5: 739d994938a47a060d86879b231f8e0a
  SHA1: 2f519f991592f576e5cabf599aebbd2ee8e76059
  SHA256: a2c31a1b37d6ffb30d2767cd3fc8779e23f7e834da6e3846aeaefa8dacc20b99
  SHA512: ada3f148c979fd8bbf87a14d524f9238aee70607c4a51ad7b75144cc86ec84514c091d2696d884adce59be804bce3535631f638455b5313c2a8fccb9b39a4e8c