Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/06/2024, 17:11
Static task: static1
Behavioral task: behavioral1
  Sample: JY-PCB-240109A-3.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: JY-PCB-240109A-3.exe
  Resource: win10v2004-20240611-en
General
Target: JY-PCB-240109A-3.exe
Size: 21KB
MD5: e05b80c579472d630f481820526c75f5
SHA1: 7dca7c4bda5302e67ec87073b040ede2be781a6a
SHA256: 2e410769ac9f0e71df08fda7115ccc473815a0f200a19059972d2c7b6190af4f
SHA512: c2b2e567713e3c712a6611a1255270e6695b26e136c80428860fe86a46e9eab5e589085c7bcc5213e0218a67e99949efaf5109fed2975668e8ecf87d11612feb
SSDEEP: 384:ilFLVGZkhqIg8hR2GZsHEuymVr3JmJZzyF/O7v6qEfTivVqsSqncKxXFY:iTiYxBu93JmvyqEfuNqUcKxXFY
Malware Config
Extracted: remcos
RemoteHost: 45.133.116.123:63650
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-3BFGTU
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients
  resource                                                                     yara_rule
  behavioral2/memory/2084-36-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
  resource                                                                     yara_rule
  behavioral2/memory/2844-40-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
  behavioral2/memory/2844-35-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
  behavioral2/memory/2844-45-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView

Nirsoft (5 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/5728-39-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
  behavioral2/memory/2844-40-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
  behavioral2/memory/2084-36-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
  behavioral2/memory/2844-35-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
  behavioral2/memory/2844-45-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                                                     yara_rule
  behavioral2/memory/3104-7-0x00000000063C0000-0x0000000006442000-memory.dmp   agile_net

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description  ioc                                                                                                                                  Process
  Key opened   \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts            JY-PCB-240109A-3.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JY-PCB-240109A-3 = "C:\\Users\\Admin\\Documents\\JY-PCB-240109A-3.pif"  reg.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                           pid   Process               procid_target
  PID 3104 set thread context of 2772   3104  JY-PCB-240109A-3.exe  95
  PID 2772 set thread context of 2844   2772  JY-PCB-240109A-3.exe  98
  PID 2772 set thread context of 2084   2772  JY-PCB-240109A-3.exe  100
  PID 2772 set thread context of 5728   2772  JY-PCB-240109A-3.exe  101

Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid   Process               occurrences
  3104  JY-PCB-240109A-3.exe  26
  2844  JY-PCB-240109A-3.exe  4
  5728  JY-PCB-240109A-3.exe  2

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process               occurrences
  2772  JY-PCB-240109A-3.exe  5

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3104  JY-PCB-240109A-3.exe
  Token: SeDebugPrivilege   5728  JY-PCB-240109A-3.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2772  JY-PCB-240109A-3.exe

Suspicious use of WriteProcessMemory (39 IoCs)
  description                        pid   Process               procid_target  occurrences
  PID 3104 wrote to memory of 4056   3104  JY-PCB-240109A-3.exe  88             3
  PID 4056 wrote to memory of 3100   4056  cmd.exe               90             3
  PID 3104 wrote to memory of 1756   3104  JY-PCB-240109A-3.exe  93             3
  PID 3104 wrote to memory of 2772   3104  JY-PCB-240109A-3.exe  95             12
  PID 2772 wrote to memory of 5444   2772  JY-PCB-240109A-3.exe  97             3
  PID 2772 wrote to memory of 2844   2772  JY-PCB-240109A-3.exe  98             4
  PID 2772 wrote to memory of 5528   2772  JY-PCB-240109A-3.exe  99             3
  PID 2772 wrote to memory of 2084   2772  JY-PCB-240109A-3.exe  100            4
  PID 2772 wrote to memory of 5728   2772  JY-PCB-240109A-3.exe  101            4
Processes (process tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe (PID 3104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 4056)
    Command line: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "JY-PCB-240109A-3" /t REG_SZ /F /D "C:\Users\Admin\Documents\JY-PCB-240109A-3.pif"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (PID 3100)
      Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "JY-PCB-240109A-3" /t REG_SZ /F /D "C:\Users\Admin\Documents\JY-PCB-240109A-3.pif"
      - Adds Run key to start application

  C:\Windows\SysWOW64\cmd.exe (PID 1756)
    Command line: cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe" "C:\Users\Admin\Documents\JY-PCB-240109A-3.pif"

  C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe (PID 2772)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe (PID 5444)
      Command line: C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\azpgmsqeedopdrbxxnpwsqgbmbsvbf"

    C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe (PID 2844)
      Command line: C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\azpgmsqeedopdrbxxnpwsqgbmbsvbf"
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe (PID 5528)
      Command line: C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltuynkbfalgcgxybgyjydvssuqkdcqzvk"

    C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe (PID 2084)
      Command line: C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltuynkbfalgcgxybgyjydvssuqkdcqzvk"
      - Accesses Microsoft Outlook accounts

    C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe (PID 5728)
      Command line: C:\Users\Admin\AppData\Local\Temp\JY-PCB-240109A-3.exe /stext "C:\Users\Admin\AppData\Local\Temp\vvajo"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: 2cfb3fc4fa5e0bf23f8dec19d3a3fe38
SHA1: 28dded559ed4955ba74d590eab14568df53c0a74
SHA256: 6c67ca29421a82bd235ee9cbe7999a34f05e48181fa1a992f891773c6a5d5a9b
SHA512: 3cb3d3e7ddb30f267628b44986c9b38ff63374c0ae20142fd1344c62bb99421dc68a8b7ddf1f080550549b825599afb4b15983d204329fbd295abdf981e64827

Filesize: 4KB
MD5: 042bbbff30c31fcbdd7f9b0ed3935ca5
SHA1: c333db2dceaf9a524147155c79756bc32eda6b03
SHA256: 626ae16f54b4ca656b0267dade381d30bf042a06ba69b8851e33ab14da2bd9fe
SHA512: 7f3a8eee89225ced48f8bc69d168713377e0316df3e46b544d9f7bc2c84305020eca3094c8246c8c934e22bd7643ae11f4a1560c3fe7aa717604869bcffa48fe