Analysis
- max time kernel: 149s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/08/2024, 07:57
Static task: static1
Behavioral task: behavioral1
- Sample: 354b34a3694e2b4d54ba3bca624aa3c3.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 354b34a3694e2b4d54ba3bca624aa3c3.exe
- Resource: win10v2004-20240802-en

The signatures, process tree and dropped files reported below come from behavioral2 (the windows10-2004_x64 run named under Analysis); the win7 run is not shown on this page.
General
- Target: 354b34a3694e2b4d54ba3bca624aa3c3.exe
- Size: 1.2MB
- MD5: 354b34a3694e2b4d54ba3bca624aa3c3
- SHA1: 660ee183f7f7a17eace0556c8883a2c361424cb0
- SHA256: 52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384
- SHA512: f78bbbd45ee9dc147394f79c0aed2c8104c42116b72c653586ac0855d0c075e3b17571bc62e33ba055bcc91197f6e2a491e97ad35eab8f425bbf713a5e0b5870
- SSDEEP: 24576:+tb20pkaCqT5TBWgNQ7aLHWD2rmiOWlcIqDBZLAkxy06A:rVg5tQ7aLHWDd/B9A65
Malware Config
Extracted: remcos
- RemoteHost: spacesave.duckdns.org:14645
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-RLABK3
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5

install_flag, keylog_flag, screenshot_flag and take_screenshot_option are all false, so the copy_*, keylog_* and screenshot_* values describe features this build does not switch on; do not expect a Remcos\remcos.exe copy or a logs.dat keylog on an infected host from this configuration alone. The only persistence observed in this run is the dropper's own (dddddd.vbs written to the Startup folder, listed under Signatures). The C2 is a DuckDNS dynamic-DNS name on a non-standard port, so the hostname is a more durable indicator than whatever IP it resolved to at analysis time.
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dddddd.vbs
  process: dddddd.exe
- Executes dropped EXE (1 IoC)
  pid 716, process dddddd.exe
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource: behavioral2/files/0x00050000000226f8-15.dat, yara_rule: autoit_exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: 354b34a3694e2b4d54ba3bca624aa3c3.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: dddddd.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 3352, process 354b34a3694e2b4d54ba3bca624aa3c3.exe (2 events); pid 716, process dddddd.exe (2 events)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid 3352, process 354b34a3694e2b4d54ba3bca624aa3c3.exe (2 events); pid 716, process dddddd.exe (2 events)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3352 wrote to memory of 716; pid: 3352; process: 354b34a3694e2b4d54ba3bca624aa3c3.exe; procid_target: 89 (3 events)
  The target, PID 716, is the child dddddd.exe that 3352 launched itself, and a parent writing into a process it has just created is part of normal process start-up on Windows. These three events on their own do not show injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\354b34a3694e2b4d54ba3bca624aa3c3.exe (PID 3352, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\354b34a3694e2b4d54ba3bca624aa3c3.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\directory\dddddd.exe (PID 716, depth 2, child of 3352)
    command line: "C:\Users\Admin\AppData\Local\Temp\354b34a3694e2b4d54ba3bca624aa3c3.exe"
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

The child's recorded command line names the original sample in Temp even though its image is C:\Users\Admin\AppData\Local\directory\dddddd.exe: the dropper started it with a command-line string that does not match the executable actually loaded. A detection keyed on the command line would still see the Temp path; key on the image path (and on the child's PID 716 events above) instead.
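The extracted config and the observed process chain above are enough to write a first hunt for this sample. The following Python is an added example written for this page, not code from tria.ge or from the Remcos authors: the constants are taken from the report (C2 host and port, mutex, the install/keylog flags, the two image paths and the Startup-folder drop), while the Sysmon-style event records are constructed to mirror the chain and are not the sandbox's telemetry. `expected_remcos_artifacts` encodes the caveat from the config section (flags off means no Remcos\remcos.exe copy or logs.dat to look for); `hunt` applies four heuristics and deliberately ignores a benign process that merely talks to port 14645.

```python
"""Added example: hunting for this report's Remcos indicators in Sysmon-style
events.  Constants come from the report; the event records are constructed
to look like Sysmon fields and are not the sandbox's own telemetry."""
from fnmatch import fnmatch

# Extracted config values from the report (only the fields used here).
CONFIG = {
    "RemoteHost": "spacesave.duckdns.org:14645",
    "mutex": "Rmc-RLABK3",
    "install_flag": False,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
}
# Image paths observed in the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\354b34a3694e2b4d54ba3bca624aa3c3.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\directory\dddddd.exe"

STARTUP_DIR = "\\Start Menu\\Programs\\Startup\\"
USER_WRITABLE = (r"\AppData\Local", r"\AppData\Roaming", r"\Users\Public")


def parse_remote_host(value):
    """Split Remcos' 'host:port' string into (host, port)."""
    host, _, port = value.rpartition(":")
    return host.lower(), int(port)


def in_user_writable(path):
    """True if the path lies under a directory a normal user can write to."""
    low = path.lower()
    return any(marker.lower() in low for marker in USER_WRITABLE)


def expected_remcos_artifacts(cfg):
    """Artifacts the config flags actually enable.  With install_flag and
    keylog_flag false, neither the Remcos\\remcos.exe copy nor logs.dat
    should be assumed; persistence in this run came from the dropper."""
    out = {"mutex": cfg["mutex"]}
    if cfg["install_flag"]:
        out["copy"] = cfg["copy_folder"] + "\\" + cfg["copy_file"]
    if cfg["keylog_flag"]:
        out["keylog"] = cfg["keylog_folder"] + "\\" + cfg["keylog_file"]
    return out


def hunt(events, cfg=CONFIG):
    """Return (rule, image) for each event matching one of the heuristics."""
    c2_host, c2_port = parse_remote_host(cfg["RemoteHost"])
    hits = []
    for ev in events:
        img = ev.get("Image", "")
        eid = ev["EventID"]
        # Sysmon 11 (FileCreate): a write into a Startup folder, as
        # dddddd.exe did with dddddd.vbs.
        if eid == 11 and STARTUP_DIR.lower() in ev["TargetFilename"].lower():
            hits.append(("startup_drop", img))
        # Sysmon 1 (ProcessCreate): binary in a user-writable path started by
        # a parent that is also in a user-writable path (dropper -> payload).
        if eid == 1 and in_user_writable(img) and in_user_writable(ev.get("ParentImage", "")):
            hits.append(("dropped_exe_exec", img))
        # Sysmon 22 (DNSQuery): the configured C2 name, or any duckdns.org
        # label, since the operator can re-point the DDNS name at will.
        if eid == 22:
            q = ev["QueryName"].lower()
            if q == c2_host or fnmatch(q, "*.duckdns.org"):
                hits.append(("c2_dns", img))
        # Sysmon 3 (NetworkConnect): configured port from a user-writable
        # path.  Port alone is too weak: the firefox event below is ignored.
        if eid == 3 and ev["DestinationPort"] == c2_port and in_user_writable(img):
            hits.append(("c2_connect", img))
    return hits


# Constructed events (not from the report) mirroring the observed chain.
EVENTS = [
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 11, "Image": DROPPED,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\dddddd.vbs"},
    {"EventID": 22, "Image": DROPPED, "QueryName": "spacesave.duckdns.org"},
    {"EventID": 3, "Image": DROPPED, "DestinationPort": 14645},
    # Benign noise that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationPort": 14645},
]

if __name__ == "__main__":
    print("Remcos-side artifacts to expect:", expected_remcos_artifacts(CONFIG))
    for rule, image in hunt(EVENTS):
        print(f"{rule:18} {image}")
```

Run against the constructed events, all four rules fire on dddddd.exe and neither benign record matches. The mutex Rmc-RLABK3 is not in the hunt because Sysmon does not log mutex creation; check it on a live host (for example by enumerating BaseNamedObjects) rather than in event logs.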
Network
MITRE ATT&CK Enterprise v15
- T1614.001 System Location Discovery: System Language Discovery (the NLS\Language registry reads listed under Signatures)
Downloads
- Filesize: 56KB
  MD5: be57919a8e6f5c3d638c08144dfff614
  SHA1: a096881aaea02eecc45536e041050cf08917b433
  SHA256: 88b06124dd503e93614f8dc3fd011565c949e2a36ecb44c0a9de685465330167
  SHA512: 8c6154154f3ee2ed6d19b6527f89ae3279fc64b0489baf415b1779cbe2af12d4f4cac2fd67e2c57a825639f86e8b4a72ca2ead831fe93bc90141a013bb4bbcf5
- Filesize: 483KB
  MD5: f4461a02e25109973cdf62c9260edc73
  SHA1: 988eaf6cf392bc92f09c514a99db3b44bd9d0450
  SHA256: 35317bf8ab08c12751490059e9af81b8226b013401e9906ad109e49c1924d13f
  SHA512: f6d86a3f8702d89acc1c4cb63fbd81d03a8f86d8f43ce1a244343b59b6121416420c421e10830675dd970d97064ab2b7b422b60fe2658b263daf12f2932707dc
- Filesize: 1.2MB (the submitted sample; hashes match those under General)
  MD5: 354b34a3694e2b4d54ba3bca624aa3c3
  SHA1: 660ee183f7f7a17eace0556c8883a2c361424cb0
  SHA256: 52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384
  SHA512: f78bbbd45ee9dc147394f79c0aed2c8104c42116b72c653586ac0855d0c075e3b17571bc62e33ba055bcc91197f6e2a491e97ad35eab8f425bbf713a5e0b5870

The report does not name the 56KB and 483KB files, so this page alone does not tie either hash to dddddd.exe or dddddd.vbs; confirm the mapping from the dropped-file list of the behavioral2 run before using those hashes as indicators for a specific artifact.