Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/08/2024, 13:14
Behavioral task behavioral1
- Sample: SALKI098765R400.exe
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: SALKI098765R400.exe
- Resource: win10v2004-20240802-en
General
- Target: SALKI098765R400.exe
- Size: 1.0MB
- MD5: 2a2526a15732cd1f3f8859fe3f504cb9
- SHA1: 53f5eee1f770d79666d7421823f29ee21d8cba3e
- SHA256: 406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5
- SHA512: 029f573edc92908f027a46d035d0ce6b69f9ac2cd0b82dd1df75bb8ee43a02850e644217fc68d67b4a9633ed408534f7e46896afb7f337b71d9072b5140003d8
- SSDEEP: 24576:4iUmSB/o5d1ubcvqqJGyUyTlUJS0Xtw5amFnRn2cdB:4/mU/ohubcvqq8oUJS7agd
Malware Config
Extracted: remcos
- RemoteHost: 192.210.150.26:8787
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-NKQ1SM
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access or copy of a web browser credential store.
- Detected Nirsoft tools (9 IoCs)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource / yara_rule:
    behavioral2/memory/1232-53-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
    behavioral2/memory/1888-63-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
    behavioral2/memory/2332-66-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
    behavioral2/memory/2332-68-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
    behavioral2/memory/1888-67-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
    behavioral2/memory/1888-65-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
    behavioral2/memory/2332-64-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
    behavioral2/memory/1232-52-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
    behavioral2/memory/1232-70-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
- NirSoft MailPassView (3 IoCs)
  Password recovery tool for various email clients
  resource / yara_rule:
    behavioral2/memory/2332-66-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView
    behavioral2/memory/2332-68-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView
    behavioral2/memory/2332-64-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView
- NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  resource / yara_rule:
    behavioral2/memory/1232-53-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
    behavioral2/memory/1232-52-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
    behavioral2/memory/1232-70-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
- Drops startup file (1 IoCs)
  description / ioc / Process:
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monteverdi.vbs  Monteverdi.exe
- Executes dropped EXE (5 IoCs)
  pid / Process:
    3124  Monteverdi.exe
    4296  Monteverdi.exe
    1232  Monteverdi.exe
    2332  Monteverdi.exe
    1888  Monteverdi.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- upx (yara_rule matches; signature title not present on the page)
  resource / yara_rule:
    behavioral2/memory/4820-0-0x0000000000590000-0x00000000007BF000-memory.dmp  upx
    behavioral2/files/0x0002000000022a83-14.dat  upx
    behavioral2/memory/3124-15-0x0000000000C90000-0x0000000000EBF000-memory.dmp  upx
    behavioral2/memory/4820-18-0x0000000000590000-0x00000000007BF000-memory.dmp  upx
    behavioral2/memory/3124-78-0x0000000000C90000-0x0000000000EBF000-memory.dmp  upx
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description / ioc / Process:
    Key opened  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  Monteverdi.exe
- AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  resource / yara_rule:
    behavioral2/memory/4820-18-0x0000000000590000-0x00000000007BF000-memory.dmp  autoit_exe
    behavioral2/memory/3124-78-0x0000000000C90000-0x0000000000EBF000-memory.dmp  autoit_exe
- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / Process / procid_target:
    PID 3124 set thread context of 1232  3124  Monteverdi.exe  95
    PID 3124 set thread context of 2332  3124  Monteverdi.exe  96
    PID 3124 set thread context of 1888  3124  Monteverdi.exe  97
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SALKI098765R400.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Monteverdi.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Monteverdi.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Monteverdi.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Monteverdi.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / Process:
    1232  Monteverdi.exe
    1232  Monteverdi.exe
    1888  Monteverdi.exe
    1888  Monteverdi.exe
    1232  Monteverdi.exe
    1232  Monteverdi.exe
- Suspicious behavior: MapViewOfSection (4 IoCs)
  pid / Process:
    3124  Monteverdi.exe
    3124  Monteverdi.exe
    3124  Monteverdi.exe
    3124  Monteverdi.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description / pid / Process:
    Token: SeDebugPrivilege  1888  Monteverdi.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid / Process:
    4820  SALKI098765R400.exe
    4820  SALKI098765R400.exe
    3124  Monteverdi.exe
    3124  Monteverdi.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid / Process:
    4820  SALKI098765R400.exe
    4820  SALKI098765R400.exe
    3124  Monteverdi.exe
    3124  Monteverdi.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description / pid / Process / procid_target:
    PID 4820 wrote to memory of 3124  4820  SALKI098765R400.exe  89  (3 entries)
    PID 3124 wrote to memory of 4296  3124  Monteverdi.exe  94  (3 entries)
    PID 3124 wrote to memory of 1232  3124  Monteverdi.exe  95  (4 entries)
    PID 3124 wrote to memory of 2332  3124  Monteverdi.exe  96  (4 entries)
    PID 3124 wrote to memory of 1888  3124  Monteverdi.exe  97  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe"
  PID: 4820
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SALKI098765R400.exe"
    PID: 3124
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\hydxzggfbvnfdfsqigxwdtzqf"
      PID: 4296
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\hydxzggfbvnfdfsqigxwdtzqf"
      PID: 1232
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\ssiqazrgpdfjflouzqkxgythoqgf"
      PID: 2332
      - Executes dropped EXE
      - Accesses Microsoft Outlook accounts
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\scrolar\Monteverdi.exe /stext "C:\Users\Admin\AppData\Local\Temp\cmvabjbadlyoprcyibwrrkoywepoggqv"
      PID: 1888
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: a026c0f14cd3dd0df86b353f48de29a3
  SHA1: a23f98fafaa69bad30d12e27a5cade9985265510
  SHA256: af05cde5d68f47e38122d0299dd27f0481387a6a2b08a487f3e68dea076c54f9
  SHA512: 82fdae698f3225d60acfde9174fe97a2a08cd0e150975a07ab9a61dd7a154c4fed6775ba28819328479b7051693f7a2027f774d83e2c0f9d3a603860bf92dd40
- Filesize: 4KB
  MD5: 2538ec9e8425a905937573069b77d4c2
  SHA1: ad0c2b7aff4382e23444d26adac96d9697b849f3
  SHA256: 29338949fae4c88a972837aae898529e4c7a2c4df35982eef2f8d7b602c17f4e
  SHA512: a867a471b837b9c662528ee7a5904e8fe7b1eebb277b8a7fe4d4caf423fae914baf692bb5004c02ddb539b157d63326178467e28b03aa92a533cda19155d501c
- Filesize: 56KB
  MD5: ab1d29274213556fd265d9e44a8e2813
  SHA1: 902af8adb5d52a2871dc1e956162514d829be033
  SHA256: 9dbb2c43e92fb67336afded940c19e37de86ca86554341c9c8c94030f84f893d
  SHA512: a4fe1e9adf1cd45e9843268899035b417009e3dfbb6b11bde32c04bf202a25dfdec670ed08a83dcece1a9efed590ec950dfe3a60f6395479f289e0adac207033
- Filesize: 482KB
  MD5: cf1214864ab14d2bf906b73636da3a0e
  SHA1: ad71b3268d6f91395727d02ddd007e5b75cfbcc9
  SHA256: 5960b9ac19d8d6c016e018d72f6376e4ec87bdf440b126393bebe526b5e10dbc
  SHA512: 1502d6017b1523fda0526479a4481a966707bb3f8d8eb3b890079c5fd92f58d6554da59268940c2fdad0d2daeaae863e9e46549a3a1a2dcdf2184fccd7de4ba4
- Filesize: 1.0MB
  MD5: 2a2526a15732cd1f3f8859fe3f504cb9
  SHA1: 53f5eee1f770d79666d7421823f29ee21d8cba3e
  SHA256: 406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5
  SHA512: 029f573edc92908f027a46d035d0ce6b69f9ac2cd0b82dd1df75bb8ee43a02850e644217fc68d67b4a9633ed408534f7e46896afb7f337b71d9072b5140003d8