Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/09/2024, 15:34
Static task
static1
Behavioral task
behavioral1
Sample
Quotationpdf.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Quotationpdf.exe
Resource
win10v2004-20240802-en
General
-
Target
Quotationpdf.exe
-
Size
869KB
-
MD5
27934061e8cbcfcf5e5b8937a662c26f
-
SHA1
a508513b842e11c7c277af67e4bc51466d0637b8
-
SHA256
49e7ee12a475105efab2e363450b2e5582fc05d114967fe57a3d80d22a2fea81
-
SHA512
c79374546867ae8197d6fdbec40150b7124e272151e73c2a7361dd96a04b3a5f710d42f82b0d77349a07ae667aee066b11c949782eb2f2329e3711752e2c95d2
-
SSDEEP
24576:q0jXiRZoEJGywbvjCe9WRSKObmSej7vydBs:MDIvjCe4ebmSejzf
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:59321
nnamoo.duckdns.org:59321
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-41EVS0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 216 powershell.exe 4716 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation Quotationpdf.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4612 set thread context of 2236 4612 Quotationpdf.exe 95 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Quotationpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Quotationpdf.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4044 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4612 Quotationpdf.exe 216 powershell.exe 4716 powershell.exe 4612 Quotationpdf.exe 216 powershell.exe 4716 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4612 Quotationpdf.exe Token: SeDebugPrivilege 4716 powershell.exe Token: SeDebugPrivilege 216 powershell.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 4612 wrote to memory of 216 4612 Quotationpdf.exe 89 PID 4612 wrote to memory of 216 4612 Quotationpdf.exe 89 PID 4612 wrote to memory of 216 4612 Quotationpdf.exe 89 PID 4612 wrote to memory of 4716 4612 Quotationpdf.exe 91 PID 4612 wrote to memory of 4716 4612 Quotationpdf.exe 91 PID 4612 wrote to memory of 4716 4612 Quotationpdf.exe 91 PID 4612 wrote to memory of 4044 4612 Quotationpdf.exe 93 PID 4612 wrote to memory of 4044 4612 Quotationpdf.exe 93 PID 4612 wrote to memory of 4044 4612 Quotationpdf.exe 93 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95 PID 4612 wrote to memory of 2236 4612 Quotationpdf.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotationpdf.exe"C:\Users\Admin\AppData\Local\Temp\Quotationpdf.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Quotationpdf.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BptXqGmS.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BptXqGmS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4044
-
-
C:\Users\Admin\AppData\Local\Temp\Quotationpdf.exe"C:\Users\Admin\AppData\Local\Temp\Quotationpdf.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2236
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD59a81986f8f0e62295c157cbb37515324
SHA1b757a940f12ae361873212c186e92d9c396c11ba
SHA25638c1cedca0ecf71fe9c23122b10d639beb1f6d93bee53073aefb3800a40019ee
SHA51225433fc8d26fa8efc12be3fb02694c90de33a17e77acbdd1606e57bb95714b83d1891949322f892b69b137d620f70381551a860231eb8c2fc2545484d880ddd3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5bd77bd270afb34fa4e1f25ef2917bcae
SHA1844c9de75981b9dba3bd5fc879afd6fad83b3a56
SHA256bac59494025b8ebdade72307fb639bfff7e63b865c40e64f55ea92949b754093
SHA5127f8658098bdb43cd2d6149d585d99e3becc3a0a1158a2edbabd82a07752dbaf07c77d96fece2de3396425a4e55631ca2b00549a3925be07bf5ce5bc99254e381