Windows 7 deprecation: Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/06/2024, 08:28
Static task: static1
Behavioral task: behavioral1
  Sample: e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736.exe
  Resource: win10v2004-20240226-en
General
Target: e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736.exe
Size: 1.5MB
MD5: 727ef110c7a27f21d4bbfc8b0e2edd92
SHA1: 6e05d62821268c5d783d53ccde347b9a6ca588c8
SHA256: e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736
SHA512: 661a0b4005a001e01e62d33ff05650ebad1164a9845aa5b2a9ec277e061acb798bd3ab04cd41335c15db694b13a00d9d31f3428120bc7e1af17aa78e3b8e310a
SSDEEP: 24576:2D39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjoc:2p7E+QrFUBgq2R
Malware Config
Extracted family: remcos
Host: 213.183.58.19:4000
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: read.dat
keylog_flag: false
keylog_folder: CastC
keylog_path: %AppData%
mouse_option: false
mutex: remcos_sccafsoidz
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
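The extracted configuration is only useful to a responder once its placeholders are resolved into concrete artefacts. The following script is an added example, not part of the Triage report: it takes the config values shown above (copied verbatim) and derives the C2 endpoint, mutex and the on-disk paths Remcos would use, resolving %AppData% for an assumed user profile path. It also shows the caveat this sample illustrates: with install_flag false, Remcos does not copy itself to install_path\copy_folder\copy_file, so the persistence recorded on this page (a Run key set by the original executable, pointing at Templates\sbietrcl.exe) has to be hunted separately from what the config alone predicts.

```python
"""Derive host and network indicators from the Remcos configuration
extracted above.

Added example, not part of the Triage report. REMCOS_CONFIG is copied from
the "Malware Config" section of this page; the AppData path passed to
derive_iocs() is an assumption used to show how %AppData% resolves for one
user profile.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed from the extracted config above (the keys relevant to hunting).
REMCOS_CONFIG = {
    "Host": "213.183.58.19:4000",
    "mutex": "remcos_sccafsoidz",
    "install_flag": "false",
    "install_path": "%AppData%",
    "copy_folder": "remcos",
    "copy_file": "remcos.exe",
    "startup_value": "remcos",
    "keylog_flag": "false",
    "keylog_path": "%AppData%",
    "keylog_folder": "CastC",
    "keylog_file": "read.dat",
    "screenshot_flag": "false",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screens",
    "audio_path": "%AppData%",
    "audio_folder": "audio",
}


@dataclass(frozen=True)
class RemcosIocs:
    c2: tuple            # (host, port) pairs
    mutex: str
    install_enabled: bool
    install_exe: str
    keylog_enabled: bool
    keylog_file: str
    screenshot_enabled: bool
    screenshot_dir: str
    audio_dir: str


def _flag(cfg: dict, key: str) -> bool:
    return cfg.get(key, "false").strip().lower() == "true"


def _expand(template: str, appdata: str, *parts: str) -> str:
    # Only the %AppData% placeholder occurs in this config; resolve it for
    # the given profile and join the remaining path components.
    base = template.replace("%AppData%", appdata)
    return "\\".join(p.rstrip("\\") for p in (base, *parts) if p)


def parse_hosts(host_field: str) -> tuple:
    """Split the 'Host' field into (host, port) pairs. Triage shows a single
    entry here; splitting on '|' for multi-C2 builds is an assumption."""
    pairs = []
    for entry in host_field.split("|"):
        entry = entry.strip()
        if not entry:
            continue
        host, _, port = entry.rpartition(":")
        pairs.append((host, int(port)))
    return tuple(pairs)


def derive_iocs(cfg: dict, appdata: str) -> RemcosIocs:
    return RemcosIocs(
        c2=parse_hosts(cfg["Host"]),
        mutex=cfg["mutex"],
        install_enabled=_flag(cfg, "install_flag"),
        install_exe=_expand(cfg["install_path"], appdata, cfg["copy_folder"], cfg["copy_file"]),
        keylog_enabled=_flag(cfg, "keylog_flag"),
        keylog_file=_expand(cfg["keylog_path"], appdata, cfg["keylog_folder"], cfg["keylog_file"]),
        screenshot_enabled=_flag(cfg, "screenshot_flag"),
        screenshot_dir=_expand(cfg["screenshot_path"], appdata, cfg["screenshot_folder"]),
        audio_dir=_expand(cfg["audio_path"], appdata, cfg["audio_folder"]),
    )


def hunt_items(iocs: RemcosIocs, observed_run_value: str | None = None) -> list:
    """Hunting list. When install_flag is false Remcos does not copy itself
    to install_exe, so any persistence comes from the loader that ran it;
    pass the Run key value actually observed (as on this page) to keep it."""
    items = [f"network: outbound TCP to {h}:{p}" for h, p in iocs.c2]
    items.append(f"mutex: {iocs.mutex}")
    if iocs.install_enabled:
        items.append(f"file: {iocs.install_exe}")
    elif observed_run_value:
        items.append(f"file (loader persistence, not Remcos self-install): {observed_run_value}")
    if iocs.keylog_enabled:
        items.append(f"file: {iocs.keylog_file}")
    if iocs.screenshot_enabled:
        items.append(f"dir: {iocs.screenshot_dir}")
    return items


if __name__ == "__main__":
    iocs = derive_iocs(REMCOS_CONFIG, r"C:\Users\Admin\AppData\Roaming")
    for line in hunt_items(iocs, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"):
        print(line)
```

The keylog and screenshot paths are still derived even though both flags are false, because an operator can toggle those features after infection; they are worth knowing, but they should not be treated as evidence that the sample ran with them enabled.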
Signatures
Detects Windows executables potentially bypassing UAC using eventvwr.exe (1 IoC)
  resource: behavioral2/memory/1416-35-0x0000000000730000-0x0000000000747000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  process: e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736.exe
Executes dropped EXE (2 IoCs)
  PID 2380: sbietrcl.exe
  PID 1416: sbietrcl.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe"
  process: e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 2380 (sbietrcl.exe) set thread context of PID 1416 (procid_target 97)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID 3708 e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736.exe (6 events)
  PID 2380 sbietrcl.exe (12 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3708 e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736.exe
  Token: SeDebugPrivilege, PID 2380 sbietrcl.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3708 (e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736.exe) wrote to memory of PID 2380 (procid_target 95), 3 events
  PID 2380 (sbietrcl.exe) wrote to memory of PID 1416 (procid_target 97), 9 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736.exe"
   PID: 3708
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
     Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
     PID: 2380
     - Executes dropped EXE
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
       Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
       PID: 1416
       - Executes dropped EXE
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
   PID: 1500
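The signature rows and the process tree above describe one chain: the original executable queries the Geo\Nation key, writes a Run value pointing into AppData\Roaming, drops and starts sbietrcl.exe, and that copy spawns a second sbietrcl.exe, writes to its memory and calls SetThreadContext on it. The script below is an added example, not part of the Triage report: it encodes those three behaviours as detection rules and runs them over an event stream constructed to mirror the report's rows (the record field names are assumptions, not any particular EDR schema). The hollowing rule deliberately requires the parent and child to share an image path, which is what separates the 2380 → 1416 pair from the earlier 3708 → 2380 memory writes, where the images differ and no SetThreadContext was recorded.

```python
"""Detection rules for the behaviour chain recorded above.

Added example, not part of the Triage report. EVENTS is a constructed stream
that mirrors the report's signature rows; the record layout ("type", "pid",
"ppid", "image", "key", "data", "target") is an assumption for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e1d3e9feb67fde0b13f317d2bbfe700a6cc1249658b7b5a6970c944872a2e736.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000"

# Constructed event stream, ordered as the process tree above implies.
EVENTS = [
    {"type": "proc_create", "pid": 3708, "ppid": 1, "image": SAMPLE},
    {"type": "reg_query", "pid": 3708, "key": HKU + r"\Control Panel\International\Geo\Nation"},
    {"type": "reg_set", "pid": 3708,
     "key": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application", "data": DROPPED},
    {"type": "proc_create", "pid": 2380, "ppid": 3708, "image": DROPPED},
    *[{"type": "write_memory", "pid": 3708, "target": 2380}] * 3,
    {"type": "proc_create", "pid": 1416, "ppid": 2380, "image": DROPPED},
    {"type": "set_thread_context", "pid": 2380, "target": 1416},
    *[{"type": "write_memory", "pid": 2380, "target": 1416}] * 9,
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def run_key_into_user_dir(events: list) -> list:
    """Run/RunOnce values whose target binary lives in a user-writable path."""
    hits = []
    for e in events:
        if e["type"] == "reg_set" and RUN_KEY.search(e["key"]) and USER_WRITABLE.match(e["data"]):
            hits.append((e["pid"], e["key"].rsplit("\\", 1)[1], e["data"]))
    return hits


def geofence_lookups(events: list) -> list:
    """PIDs that read the user's configured country (Geo\\Nation)."""
    return sorted({e["pid"] for e in events if e["type"] == "reg_query" and GEO_KEY.search(e["key"])})


def hollowing_candidates(events: list) -> list:
    """A parent that (1) spawned a child from its own image, (2) wrote into the
    child's memory and (3) called SetThreadContext on it: the RunPE/hollowing
    sequence. A WriteProcessMemory into a differently-named child (3708 -> 2380
    above) does not satisfy the rule on its own."""
    image, parent = {}, {}
    writes = defaultdict(int)
    ctx = set()
    for e in events:
        t = e["type"]
        if t == "proc_create":
            image[e["pid"]] = e["image"].lower()
            parent[e["pid"]] = e["ppid"]
        elif t == "write_memory":
            writes[(e["pid"], e["target"])] += 1
        elif t == "set_thread_context":
            ctx.add((e["pid"], e["target"]))
    out = []
    for src, dst in sorted(ctx):
        if src in image and dst in image and parent.get(dst) == src \
                and image[src] == image[dst] and writes[(src, dst)] > 0:
            out.append({"parent": src, "child": dst, "image": image[dst], "writes": writes[(src, dst)]})
    return out


if __name__ == "__main__":
    print("run key persistence :", run_key_into_user_dir(EVENTS))
    print("geofence lookups    :", geofence_lookups(EVENTS))
    print("hollowing candidates:", hollowing_candidates(EVENTS))
```

In production telemetry the memory-write and thread-context events come from ETW or an EDR's API hooks rather than from a sandbox, and the geofence rule on its own is noisy (legitimate installers read Geo\Nation too); it is the conjunction with the Run key write and the same-image child that makes the chain worth paging on.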
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.5MB
MD5: 1baa03b303575edaeb617fff1ea2aa67
SHA1: b32a48ff6498849d2151672047d5657e75d0d3e0
SHA256: cae8c3fdd0eb76df0aec81c2b19d3c1eb66ac8124c2260a91aae2857230c5038
SHA512: 8eaf3f8d53f87109cd58b216a44ccd7f5542ecf4f143e1579ae83975b474181c9e91bb90797f2ca4ce3bdd9f61d3cda752c66e2de0f9a1df1d5226913bdef26d