
Analysis

  • max time kernel
    426s
  • max time network
    427s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/09/2024, 21:48 UTC

General

  • Target

    Solara2.0.exe

  • Size

    469KB

  • MD5

    48f4a8f633bf5535811c23a81d8d8506

  • SHA1

    c2a98525bfda82421cb8670db223b19acef31f23

  • SHA256

    9ec9c4c81c67d6628d141981a7020bb7ded83b4c40ff693870cd98eaebf74912

  • SHA512

    7903c322d886bcffc06a9310ba451b0f0eac53d2acedf45b544548ae3656ef477b5a03a86d54452d65461957df4c643082338119bdeb0f2303f528daf0642e29

  • SSDEEP

    12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSOn9:uiLJbpI7I2WhQqZ7O9

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.168.1.56:13970

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Windows32.exe

  • copy_folder

    Health

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    filer32

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    Rmc-36XJ31

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %WinDir%\System32

  • screenshot_time

    10

  • startup_value

    WindowsHealth

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • UAC bypass 3 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara2.0.exe"
    1⤵
    • Adds policy Run key to start application
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4344
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\Health\Windows32.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\Windows\SysWOW64\Health\Windows32.exe
          C:\Windows\SysWOW64\Health\Windows32.exe
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\SysWOW64\cmd.exe
            /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4396
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • UAC bypass
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:1864
          • \??\c:\program files (x86)\internet explorer\iexplore.exe
            "c:\program files (x86)\internet explorer\iexplore.exe"
            5⤵
              PID:1476

    Network

    All observed DNS traffic consisted of reverse (PTR) lookups sent to 8.8.8.8:53 (flag-us):

    • 13.86.106.20.in-addr.arpa IN PTR, response: none
    • 240.143.123.92.in-addr.arpa IN PTR, response: a92-123-143-240deploystaticakamaitechnologiescom
    • 22.160.190.20.in-addr.arpa IN PTR, response: none
    • 95.221.229.192.in-addr.arpa IN PTR, response: none
    • 232.168.11.51.in-addr.arpa IN PTR, response: none
    • 26.165.165.52.in-addr.arpa IN PTR, response: none
    • 171.39.242.20.in-addr.arpa IN PTR, response: none
    • 121.170.16.2.in-addr.arpa IN PTR, response: a2-16-170-121deploystaticakamaitechnologiescom
    • 203.142.123.92.in-addr.arpa IN PTR, response: a92-123-142-203deploystaticakamaitechnologiescom
    • 13.227.111.52.in-addr.arpa IN PTR, response: none
    • 208.143.182.52.in-addr.arpa IN PTR, response: none

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.vbs

      Filesize

      532B

      MD5

      54092daa1c86c0bb88b02c6c785c3f56

      SHA1

      b18d571d5ae2661afcec864164dcdf504d5f8aa9

      SHA256

      e04f8f0d847b43ce378eb5732fb167cbb18956fa8f0a56d7ccbe1bd3ef66d3ae

      SHA512

      e9ab8db402092945eed036f9c91e2571337d4f68810d3ab7233d90b57b80d4900294ab30310003e006473f9314baf2caa658038b97c7d77a87f431b4f9df771e

    • C:\Windows\SysWOW64\Health\Windows32.exe

      Filesize

      469KB

      MD5

      48f4a8f633bf5535811c23a81d8d8506

      SHA1

      c2a98525bfda82421cb8670db223b19acef31f23

      SHA256

      9ec9c4c81c67d6628d141981a7020bb7ded83b4c40ff693870cd98eaebf74912

      SHA512

      7903c322d886bcffc06a9310ba451b0f0eac53d2acedf45b544548ae3656ef477b5a03a86d54452d65461957df4c643082338119bdeb0f2303f528daf0642e29

    • memory/1476-10-0x0000000001170000-0x00000000011EF000-memory.dmp

      Filesize

      508KB

    • memory/1476-9-0x0000000001170000-0x00000000011EF000-memory.dmp

      Filesize

      508KB
