Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Urgent new order.exe

windows7-x64

10

Urgent new order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2024, 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Urgent new order.exe

  • Size

    1.7MB

  • MD5

    2ba2caed8e7776c9895db0a3e5e0714c

  • SHA1

    a3db8f2e22f6674ec60f6fbb11adf1bf65986827

  • SHA256

    1df5b2a41831081a752bfd626acb7e216d0c03b0e1b1a7c829a7348a54833c58

  • SHA512

    5ca99a0247c154b78a48f0e1b9e663f4ed6f4f1a78f0ff0d93e8d8579d419051ace94d8b91d3889b83f4c227ed387641614365e0ee5e81f23f409654b86677ee

  • SSDEEP

    24576:nIx+lXcmg/23DrVykOe1L2gj/EjuJajIA:nrlXc3kVJzBjIuo

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:52121

officerem.duckdns.org:52121
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-6GPUH1

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Urgent new order.exe
    "C:\Users\Admin\AppData\Local\Temp\Urgent new order.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      2⤵
        PID:436
      • C:\Windows\System32\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
          PID:2896
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
          2⤵
            PID:2948
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
            2⤵
              PID:2852
            • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
              "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2724
            • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
              "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
              2⤵
                PID:1944

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/436-12-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download

            • memory/436-10-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download

            • memory/436-6-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download

            • memory/436-8-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download

            • memory/436-4-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download

            • memory/436-18-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download

            • memory/436-16-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download

            • memory/436-14-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download

            • memory/1620-1-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1620-3-0x000000001ABF0000-0x000000001ACBE000-memory.dmp

              Filesize

              824KB

              Download

            • memory/1620-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1620-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1620-75-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2724-71-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download

            • memory/2724-70-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download

            • memory/2724-72-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download

            • memory/2724-83-0x0000000000400000-0x000000000047F000-memory.dmp

              Filesize

              508KB

              Download