Analysis

  • max time kernel
    689s
  • max time network
    495s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/09/2024, 21:10

General

  • Target

    remcos_a.exe

  • Size

    469KB

  • MD5

    48f4a8f633bf5535811c23a81d8d8506

  • SHA1

    c2a98525bfda82421cb8670db223b19acef31f23

  • SHA256

    9ec9c4c81c67d6628d141981a7020bb7ded83b4c40ff693870cd98eaebf74912

  • SHA512

    7903c322d886bcffc06a9310ba451b0f0eac53d2acedf45b544548ae3656ef477b5a03a86d54452d65461957df4c643082338119bdeb0f2303f528daf0642e29

  • SSDEEP

    12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSOn9:uiLJbpI7I2WhQqZ7O9

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.168.1.56:13970

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Windows32.exe

  • copy_folder

    Health

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    filer32

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    Rmc-36XJ31

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %WinDir%\System32

  • screenshot_time

    10

  • startup_value

    WindowsHealth

  • take_screenshot_option

    false

  • take_screenshot_time

    5
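
Every path in the extracted config is written relative to %WinDir%\System32, yet the Downloads list shows the dropped copy at C:\Windows\SysWOW64\Health\Windows32.exe and the keylog at C:\Windows\SysWOW64\filer32\logs.dat. The processes in the tree run from C:\Windows\SysWOW64\, so the sample is 32-bit, and on a 64-bit host WOW64 file-system redirection sends a 32-bit process's writes to %WinDir%\System32 into SysWOW64. A hunt built naively from the config strings would therefore look in the wrong directory on x64 hosts. Note also that the C2 192.168.1.56 is an RFC 1918 address, so no external beacon can appear in the network capture for this sample. The following is an added example, not part of the tria.ge report or of Remcos itself: Python that resolves the config into concrete artifacts for both the native and the WOW64 view and reconciles them against the dropped-file list. CONFIG and DROPPED_FILES are copied from the report; C:\Windows as the system root, and the Run / Policies\Explorer\Run registry locations under both hives for the "Adds Run key" / "Adds policy Run key" signatures, are assumptions.

```python
import ipaddress

# Values copied from the Malware Config section of the report.
CONFIG = {
    "install_path": r"%WinDir%\System32",
    "copy_folder": "Health",
    "copy_file": "Windows32.exe",
    "keylog_path": r"%WinDir%\System32",
    "keylog_folder": "filer32",
    "keylog_file": "logs.dat",
    "screenshot_path": r"%WinDir%\System32",
    "screenshot_folder": "Screenshots",
    "startup_value": "WindowsHealth",
    "mutex": "Rmc-36XJ31",
    "c2": "192.168.1.56:13970",
}

# Paths listed under Downloads in the report: the observations to reconcile the config against.
DROPPED_FILES = {
    r"C:\Windows\SysWOW64\Health\Windows32.exe",
    r"C:\Windows\SysWOW64\filer32\logs.dat",
    r"C:\Users\Admin\AppData\Local\Temp\install.vbs",
}

WINDIR = r"C:\Windows"  # assumed system root


def expand(path, wow64):
    """Expand %WinDir%; for a 32-bit writer on x64 (wow64=True) apply WOW64 file-system
    redirection, which maps %WinDir%\\System32 onto %WinDir%\\SysWOW64."""
    p = path.replace("%WinDir%", WINDIR)
    sys32 = WINDIR + r"\System32"
    if wow64 and p.lower().startswith(sys32.lower()):
        p = WINDIR + r"\SysWOW64" + p[len(sys32):]
    return p


def join(*parts):
    return "\\".join(parts)


def expected_artifacts(cfg, wow64):
    """Concrete on-disk and registry artifacts implied by the config for one process bitness."""
    run_key = r"\Software\Microsoft\Windows\CurrentVersion\Run"
    policy_run_key = r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    return {
        "payload": join(expand(cfg["install_path"], wow64), cfg["copy_folder"], cfg["copy_file"]),
        "keylog": join(expand(cfg["keylog_path"], wow64), cfg["keylog_folder"], cfg["keylog_file"]),
        "screenshot_dir": join(expand(cfg["screenshot_path"], wow64), cfg["screenshot_folder"]),
        # Hive is not stated in the report, so both are listed (assumption).
        "run_values": [(hive + key, cfg["startup_value"])
                       for hive in ("HKCU", "HKLM") for key in (run_key, policy_run_key)],
        "mutex": cfg["mutex"],
    }


def reconcile(cfg, dropped, wow64):
    """Which predicted file artifacts for this bitness actually appear in the dropped-file list."""
    art = expected_artifacts(cfg, wow64)
    return {k: art[k] in dropped for k in ("payload", "keylog")}


def c2_is_routable(cfg):
    """False for RFC 1918 / loopback C2 addresses: no external beacon will be seen in the sandbox."""
    host = cfg["c2"].rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # hostname rather than a literal IP: cannot decide offline
        return True


if __name__ == "__main__":
    for wow64 in (False, True):
        print("wow64" if wow64 else "native", reconcile(CONFIG, DROPPED_FILES, wow64))
    print("C2 routable:", c2_is_routable(CONFIG))
```

Running it shows the native view matching nothing and the WOW64 view matching both the payload and the keylog, which is the reconciliation an analyst should do before turning config strings into file-path IoCs.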

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • UAC bypass 3 TTPs 4 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Adds policy Run key to start application 2 TTPs 8 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Drops file in System32 directory 14 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 38 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
    "C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
    1⤵
    • Adds policy Run key to start application
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1864
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\Health\Windows32.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Windows\SysWOW64\Health\Windows32.exe
          C:\Windows\SysWOW64\Health\Windows32.exe
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4180
          • C:\Windows\SysWOW64\cmd.exe
            /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1812
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • UAC bypass
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:3116
          • \??\c:\program files (x86)\internet explorer\iexplore.exe
            "c:\program files (x86)\internet explorer\iexplore.exe"
            5⤵
            • Adds policy Run key to start application
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2460
            • C:\Windows\SysWOW64\cmd.exe
              /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3292
              • C:\Windows\SysWOW64\reg.exe
                C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                7⤵
                • UAC bypass
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:1956
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4796
              • C:\Windows\SysWOW64\Health\Windows32.exe
                "C:\Windows\SysWOW64\Health\Windows32.exe"
                7⤵
                • Adds policy Run key to start application
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:2052
                • C:\Windows\SysWOW64\cmd.exe
                  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4356
                  • C:\Windows\SysWOW64\reg.exe
                    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                    9⤵
                    • UAC bypass
                    • System Location Discovery: System Language Discovery
                    • Modifies registry key
                    PID:1316
                • \??\c:\program files (x86)\internet explorer\iexplore.exe
                  "c:\program files (x86)\internet explorer\iexplore.exe"
                  8⤵
                    PID:2156
              • C:\Windows\SysWOW64\dxdiag.exe
                "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
                6⤵
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Checks SCSI registry key(s)
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:4000
              • \??\c:\program files (x86)\internet explorer\iexplore.exe
                "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kalloqvx"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4844
              • \??\c:\program files (x86)\internet explorer\iexplore.exe
                "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vdqehjgrcfce"
                6⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:556
              • \??\c:\program files (x86)\internet explorer\iexplore.exe
                "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fxeohbqtqnujgsh"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:1272
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3432
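
The process tree above contains the behaviours a detection engineer would alert on: reg.exe writing EnableLUA=0 under HKLM\...\Policies\System (the report labels this "UAC bypass"; the value actually switches UAC off after the next logon, and the HKLM write only succeeds if the writing process is already elevated), WScript.exe running install.vbs out of the user's Temp directory, the dropped Windows32.exe executing from a new sub-directory of SysWOW64, and hollowed iexplore.exe instances launched with the NirSoft-style /stext <file> switch that Remcos' credential-recovery modules use to write recovered browser and mail credentials to a temp file. The following is an added example, not part of the tria.ge report or of Remcos: Python detection logic run over constructed process-creation events modelled on that tree. Images, command lines and PIDs are taken from the report; the parent links, the KNOWN_SUBDIRS allowlist and the rule thresholds are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the report's process tree (PIDs, images and command
# lines from the report; parent/child links reconstructed from the tree's indentation).
SAMPLE_EVENTS = [
    ProcEvent(5004, 1, r"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"'),
    ProcEvent(4672, 5004, r"C:\Windows\SysWOW64\cmd.exe",
              r"/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(1864, 4672, r"C:\Windows\SysWOW64\reg.exe",
              r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(1284, 5004, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'),
    ProcEvent(3440, 1284, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\Health\Windows32.exe"'),
    ProcEvent(4180, 3440, r"C:\Windows\SysWOW64\Health\Windows32.exe",
              r"C:\Windows\SysWOW64\Health\Windows32.exe"),
    ProcEvent(2460, 4180, r"c:\program files (x86)\internet explorer\iexplore.exe",
              r'"c:\program files (x86)\internet explorer\iexplore.exe"'),
    ProcEvent(4796, 2460, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    ProcEvent(4844, 4796, r"c:\program files (x86)\internet explorer\iexplore.exe",
              r'"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kalloqvx"'),
    ProcEvent(3432, 1, r"C:\Windows\system32\taskmgr.exe",
              r'"C:\Windows\system32\taskmgr.exe" /4'),  # analyst activity, must not alert
]

# Assumed allowlist of legitimate System32/SysWOW64 sub-directories that ship executables.
KNOWN_SUBDIRS = {"wbem", "spool", "oobe", "sysprep"}


def uac_disabled_via_reg(e):
    # EnableLUA=0 under HKLM\...\Policies\System turns UAC off after the next logon;
    # the HKLM write itself only succeeds from an already elevated token.
    return e.image.lower().endswith("\\reg.exe") and re.search(
        r"policies\\system\b.*\benablelua\b.*/d\s+0\b", e.cmdline, re.I) is not None


def stext_credential_dump(e):
    # "/stext <file>" is the NirSoft password-recovery output switch; on a host binary such as
    # iexplore.exe it betrays an injected credential-recovery module writing its results to <file>.
    return re.search(r'/stext\s+"?[^"]+', e.cmdline, re.I) is not None


def exe_in_system32_subdir(e):
    # A binary running from a sub-directory of System32/SysWOW64 that is not a known one
    # (this is install_path + copy_folder from the extracted config).
    m = re.match(r"^c:\\windows\\(system32|syswow64)\\([^\\]+)\\[^\\]+\.exe$", e.image, re.I)
    return m is not None and m.group(2).lower() not in KNOWN_SUBDIRS


def script_host_from_user_temp(e):
    # wscript/cscript executing a script dropped in the user's Temp directory.
    return e.image.lower().endswith(("\\wscript.exe", "\\cscript.exe")) and re.search(
        r'\\appdata\\local\\temp\\[^"]+\.(vbs|vbe|js|jse|wsf)\b', e.cmdline, re.I) is not None


RULES = {f.__name__: f for f in (uac_disabled_via_reg, stext_credential_dump,
                                 exe_in_system32_subdir, script_host_from_user_temp)}


def ancestry(by_pid, pid):
    """Image basenames from the root ancestor down to pid, for alert context."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def detect(events):
    """Return (rule_name, pid, 'root > ... > image') for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    return [(name, e.pid, " > ".join(ancestry(by_pid, e.pid)))
            for e in events for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The ancestry string is what makes the /stext hit actionable: on its own a single iexplore.exe launch with an odd switch is low-signal, but a chain rooted in a Temp-dropped executable via WScript and a SysWOW64\Health\ binary is not. The taskmgr.exe event, which is the analyst's own activity in the sandbox, produces no alert.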

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.vbs

      Filesize

      530B

      MD5

      6784c2405607c045981319c5fd5b43c9

      SHA1

      2b4e2992215cc6446b74a19b90837576bc3f9d75

      SHA256

      af1a632c6db106051517586cc70e10329d95fe4222fe2770f69c4ee05c2bb8ce

      SHA512

      aedb8b3a48f13290761383a8ccb4027f81a657cc8fb7e1b9d5e92ec8f42f16e3cefeb06d6cd40f65d6a1f0747794983eb3321b42a21d3362a3925f685ddc2e0c

    • C:\Users\Admin\AppData\Local\Temp\kalloqvx

      Filesize

      4KB

      MD5

      a7e181f6aa185be0ab0ca68b30406fe6

      SHA1

      58c86162658dc609615b8b6400f85c92506dfdc8

      SHA256

      c3071dc55b94db225d9c0f2c1b21c7e8f27dbfd168b85b7d618d8d19950e7ff2

      SHA512

      49969eb10e0bf7925940eb7374451f811658ef9ccfb83b86fb337c4d06c3ba17eb0181f598d9e0ec9ca25bfaf644209ac47b73d62ac924e73d03a4dcf8f8dd0f

    • C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

      Filesize

      84KB

      MD5

      192efc6306df3490d11dec2b21259291

      SHA1

      88397fd81e86973194908af350d683675bbaa766

      SHA256

      2b2d05d7dea856220fc56df53b51ac55b958712dddc354c02d3c78db7b75cfae

      SHA512

      885d761e26f334f491cc825311ac4dd57c2a613b8ba18c99ec574d8de2b2d61e493fdac9137223c8478a7692c5c41dbc2bb964920889f96cbfeb437d197ee6c7

    • C:\Windows\SysWOW64\Health\Windows32.exe

      Filesize

      469KB

      MD5

      48f4a8f633bf5535811c23a81d8d8506

      SHA1

      c2a98525bfda82421cb8670db223b19acef31f23

      SHA256

      9ec9c4c81c67d6628d141981a7020bb7ded83b4c40ff693870cd98eaebf74912

      SHA512

      7903c322d886bcffc06a9310ba451b0f0eac53d2acedf45b544548ae3656ef477b5a03a86d54452d65461957df4c643082338119bdeb0f2303f528daf0642e29

    • C:\Windows\SysWOW64\filer32\logs.dat

      Filesize

      584B

      MD5

      e069db22c582870556bb31636e941244

      SHA1

      e0ba5b65af898828e3193cdd4b24ef9bd95c7cf8

      SHA256

      64264a1b92f18c86c90dd299288e16974b86f005b24a7701be03ac41f2bbd7af

      SHA512

      dbf5c88e3fd2b93fe11cbb721983b911e10fe841126f37b312e29766aeda9cbd9490ae7da6dfe23d78d1efe4e7931908a87ddb739c46eee96343ff157c30555b

    • C:\Windows\SysWOW64\filer32\logs.dat

      Filesize

      742B

      MD5

      e921e01fc6f2980321881ff55c2e4f15

      SHA1

      4bf595f5b62264506f5e83824b782f73363719f9

      SHA256

      92fe2e92be41231c51f0cf503234d5f1c91c5a75790c626e23bfa086366db956

      SHA512

      1412e325fdfa43deffea85743dad03e224edadef4ad26adcc938a5fa27e27cb315c4d1a4e543184e89bd1769c4a0eca34dee437ee31e746c7489542a0d002221

    • C:\Windows\SysWOW64\filer32\logs.dat

      Filesize

      824B

      MD5

      c8e9ee51e764db551139fc90bc659a3d

      SHA1

      bc228c51f8276413bf06270cd077bf9a4a0750ea

      SHA256

      d36e6db854121fa1a2cb86f9f74fa076425595971adfeb901d28d8e65895ed7e

      SHA512

      d7467379dc51c6f61e981e2e03fbe11da063a55a8b86f56a0c5ce234f7b65497d2bce5b4b4328dcff3c2b31a7046c8a9edc47f9fb2791dd5d54cc71adb690565

    • C:\Windows\SysWOW64\filer32\logs.dat

      Filesize

      902B

      MD5

      3949585020ae42859800a94d1eab203d

      SHA1

      f15539b39eb88132f4db766f18f95aa62d7525aa

      SHA256

      401a39db33e90db276a3a1d8e5c9c3adc68bb2d77a46152340bc93bc8db3447d

      SHA512

      a5b98c0cfdb81fcfc94baaffd61e487f21cfefbdef60b36266046d281cc3ca1a60451db4dc648e383aeac68d27e7ae5726908e8beb72b6f0c3dde1009d40ead1

    • C:\Windows\SysWOW64\filer32\logs.dat

      Filesize

      1KB

      MD5

      9233f9151aba2241905fa71f7ccc7bec

      SHA1

      c68d746cacfba976f16df080f64b48d05c01d6df

      SHA256

      08ee263b0329931ac52a60d6f0a7f6082b24982edd9a735f457a1ce46c39e529

      SHA512

      968f0e90ec5fd344950c57cd3317c9d75307f69ed03f9bff335de55bb40efe83d4c742f52848b21fd22e0ec8a68239e880bc6de8142c01686eebf1f5cc514f11

    • C:\Windows\SysWOW64\filer32\logs.dat

      Filesize

      428B

      MD5

      1fcc289ef3f6763f148126ab1bf2a2b4

      SHA1

      bec76b18ef307d4c6fe34f56c1e7078ca349c9f6

      SHA256

      7c7a1c6fe9c422aced330b4e1d99b7bbb47466159cce8338f0c660bf98ef8f6a

      SHA512

      4feb12e4db7915807e9bec19e493e980d2128c7a7354441b604e1690d654ac7aa77f90469d6676cca2cdb4cddbc949f95204dba2a0b497ac87dd176bcfd25201

    • C:\Windows\SysWOW64\filer32\logs.dat

      Filesize

      504B

      MD5

      2f8d2edc0255e9d3cc7a3b4404def342

      SHA1

      2ba6f3cd354830e243437911f49c3fef2df78135

      SHA256

      13b15b183e336f9b58455bb6306ef17ead98ee4dc480b7628c47b28a9ddaa76d

      SHA512

      fbf4b6c9b9a2403c911f8472a0c95a50892d4a56def7695ca8f988ac9abf95504b7ea6e520ee8456011509e3397774f38925ddb2466a8b24cda94a827328af8a

    • memory/2460-82-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-21-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-17-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-13-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-11-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-9-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-10-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-84-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-83-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-80-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-79-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-23-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-52-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-53-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-55-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-61-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-62-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-64-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-71-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-72-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-73-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-74-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-75-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/2460-77-0x0000000001020000-0x000000000109F000-memory.dmp

      Filesize

      508KB

    • memory/3432-34-0x000001F44C840000-0x000001F44C841000-memory.dmp

      Filesize

      4KB

    • memory/3432-43-0x000001F44C840000-0x000001F44C841000-memory.dmp

      Filesize

      4KB

    • memory/3432-40-0x000001F44C840000-0x000001F44C841000-memory.dmp

      Filesize

      4KB

    • memory/3432-41-0x000001F44C840000-0x000001F44C841000-memory.dmp

      Filesize

      4KB

    • memory/3432-42-0x000001F44C840000-0x000001F44C841000-memory.dmp

      Filesize

      4KB

    • memory/3432-32-0x000001F44C840000-0x000001F44C841000-memory.dmp

      Filesize

      4KB

    • memory/3432-39-0x000001F44C840000-0x000001F44C841000-memory.dmp

      Filesize

      4KB

    • memory/3432-33-0x000001F44C840000-0x000001F44C841000-memory.dmp

      Filesize

      4KB

    • memory/3432-38-0x000001F44C840000-0x000001F44C841000-memory.dmp

      Filesize

      4KB

    • memory/3432-44-0x000001F44C840000-0x000001F44C841000-memory.dmp

      Filesize

      4KB

    • memory/4000-89-0x00000000020D0000-0x00000000020D1000-memory.dmp

      Filesize

      4KB

    • memory/4000-96-0x00000000020D0000-0x00000000020D1000-memory.dmp

      Filesize

      4KB

    • memory/4000-97-0x00000000020D0000-0x00000000020D1000-memory.dmp

      Filesize

      4KB

    • memory/4000-98-0x00000000020D0000-0x00000000020D1000-memory.dmp

      Filesize

      4KB

    • memory/4000-95-0x00000000020D0000-0x00000000020D1000-memory.dmp

      Filesize

      4KB

    • memory/4000-93-0x00000000020D0000-0x00000000020D1000-memory.dmp

      Filesize

      4KB

    • memory/4000-94-0x00000000020D0000-0x00000000020D1000-memory.dmp

      Filesize

      4KB

    • memory/4000-88-0x00000000020D0000-0x00000000020D1000-memory.dmp

      Filesize

      4KB

    • memory/4000-87-0x00000000020D0000-0x00000000020D1000-memory.dmp

      Filesize

      4KB

    • memory/4796-20-0x0000000001200000-0x000000000127F000-memory.dmp

      Filesize

      508KB

    • memory/4796-19-0x0000000001200000-0x000000000127F000-memory.dmp

      Filesize

      508KB