Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/06/2024, 01:08
Static task: static1
Behavioral task: behavioral1
- Sample: 63e8483b57ff55e73d7c2c3432bb7f7c.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 63e8483b57ff55e73d7c2c3432bb7f7c.exe
- Resource: win10v2004-20240426-en
General
- Target: 63e8483b57ff55e73d7c2c3432bb7f7c.exe
- Size: 7.9MB
- MD5: 63e8483b57ff55e73d7c2c3432bb7f7c
- SHA1: 4a3fa272dab1e89642b3529c5dd5e3457ea03b49
- SHA256: b07b0d5f18622f1892406e84e739e385fa9077592134729637c4b6966c64c1f3
- SHA512: d75298c3d280ed865a66294f7e87e4ba3cc71e807cd5c2dd1fe535c260259ac5abae89da43998389e2509d080ab3ca448d54a22fa9a6b63d6fcc7e8b2c84db59
- SSDEEP: 98304:Dz16s9EwkidrwQwPdz9u/ZZmDZJErUXQbZT7wIX02kVmH4:Dz16gBrd3gu/XmDZiU0txrH4
Malware Config
Extracted: remcos
- CAROS
- sdfvsdjvniwjbdiweb.con-ip.com:1662
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-14RQ6Q
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TopicLT = "C:\\Users\\Admin\\Documents\\FocalPoint\\gUpdater.exe"
  process: 63e8483b57ff55e73d7c2c3432bb7f7c.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid: 2060
  process: 63e8483b57ff55e73d7c2c3432bb7f7c.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 4956
  process: 63e8483b57ff55e73d7c2c3432bb7f7c.exe
- Suspicious use of WriteProcessMemory (6 IoCs; all six entries are identical)
  description: PID 2060 wrote to memory of 4956
  pid: 2060
  process: 63e8483b57ff55e73d7c2c3432bb7f7c.exe
  procid_target: 92
Processes
- C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe (PID 2060)
  command line: "C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe"
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe (PID 4956)
    command line: "C:\Users\Admin\AppData\Local\Temp\63e8483b57ff55e73d7c2c3432bb7f7c.exe"
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: 9c574a67bee1a7e3e9dd2ca72dbdeb16
  SHA1: d1e43c7eb88ba4302587f15f0e821f87f2045ade
  SHA256: cc2555a17d5c5248f2496661c3e90bf0bdb36e3e5b50ce5416c0e2fe104f014c
  SHA512: 4b7ce744c4f7e3db3c4e9d1c2cdb8df9db55b6a12d6285ad485d667461b11f184de3e9d26ec21077c9883e054503f3ca53371305519c63ba9dc48ac7358c9454