Analysis

- max time kernel: 148s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 24/09/2024, 09:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0988986.exe
- Resource: win7-20240708-en
General

- Target: 0988986.exe
- Size: 897KB
- MD5: 00cb16ec61346dc7a4410acbb683a6f2
- SHA1: d4c2741a51aef320c23e66221741bdbfbda9ddea
- SHA256: 1c251b2a58b7c9c19bca9f5eb75fa7cd93a73fe07e34c1759a2381dda79ffda4
- SHA512: e33736dcb7e553bfdfc708c948413630496befdc9fc4bf5a83e42cea93ea400624379aeca984636b066c7d2377a524ce00112215c68a9dd6b4bdd9aba845ed9d
- SSDEEP: 24576:qgEceydzP4Nj+x/SZ/Jk9R9Hq9AfQaz/smsNqGxDeI:qVkjmK9R9K9Af7sN3
Malware Config

Extracted

- Family: remcos
- Botnet: mekus
- C2: dpm-sael.com:2017

- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: meckus-ODY51K
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures

- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
  PID   Process
  2404  powershell.exe
  2848  powershell.exe

- Suspicious use of SetThreadContext (1 IoC)
  Description                          PID   Process      procid_target
  PID 1716 set thread context of 2616  1716  0988986.exe  34

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0988986.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0988986.exe

- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.
  PID  Process
  836  schtasks.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  2848  powershell.exe
  2404  powershell.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2848  powershell.exe
  Token: SeDebugPrivilege  2404  powershell.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  2616  0988986.exe

- Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed, count in the last column)
  Description                       PID   Process      procid_target  Count
  PID 1716 wrote to memory of 2404  1716  0988986.exe  28             4
  PID 1716 wrote to memory of 2848  1716  0988986.exe  30             4
  PID 1716 wrote to memory of 836   1716  0988986.exe  32             4
  PID 1716 wrote to memory of 2616  1716  0988986.exe  34             13
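The SetThreadContext and WriteProcessMemory rows are the sandbox-level trace of process hollowing: the three children PID 1716 merely launched (2404, 2848, 836) each received 4 writes and no thread-context change, while the second copy of its own image (2616) received 13 writes followed by SetThreadContext. The following added example is not part of the tria.ge report; it reconstructs that detection from constructed events shaped like the rows above. The Event record, the sample data and the function names are assumptions made for this example.

```python
"""Process-hollowing heuristic over sandbox API rows.

Added example, not part of the tria.ge report.  The Event shape, the
sample data and the function names are assumptions made for this
example; the numbers are constructed to mirror the report's rows.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    op: str      # "write_memory" (WriteProcessMemory) or "set_thread_context"
    pid: int     # acting process
    target: int  # process acted upon


# Constructed to mirror the report: 1716 wrote 4 times into each of the
# three children it launched (2404, 2848, 836), 13 times into 2616, and
# set the thread context of 2616 only.
SAMPLE_EVENTS = (
    [Event("write_memory", 1716, t) for t in (2404, 2848, 836) for _ in range(4)]
    + [Event("write_memory", 1716, 2616) for _ in range(13)]
    + [Event("set_thread_context", 1716, 2616)]
)

# pid -> image name, constructed from the report's Processes section.
SAMPLE_PROCS = {
    1716: "0988986.exe",
    2404: "powershell.exe",
    2848: "powershell.exe",
    836: "schtasks.exe",
    2616: "0988986.exe",
}


def detect_hollowing(events, procs):
    """Return one finding per (parent, child) pair where the parent both
    wrote into the child and set its thread context.

    A same-image child is the classic self-hollowing loader and is rated
    high; a different image (e.g. a hollowed signed host binary) still
    fires at medium, because the write+SetThreadContext pair is the
    signal, not the name.  Writes without a context change are ignored:
    a parent normally writes a few times into every child it creates.
    """
    writes = defaultdict(Counter)   # parent -> Counter(child -> write count)
    ctx = defaultdict(set)          # parent -> {children whose context it set}
    for e in events:
        if e.op == "write_memory":
            writes[e.pid][e.target] += 1
        elif e.op == "set_thread_context":
            ctx[e.pid].add(e.target)

    findings = []
    for parent in sorted(ctx):
        for child in sorted(ctx[parent]):
            n = writes[parent][child]
            if n == 0:
                continue  # context set without prior writes: not hollowing
            same_image = procs.get(parent) == procs.get(child)
            findings.append({
                "parent": parent,
                "child": child,
                "image": procs.get(child, "?"),
                "writes": n,
                "confidence": "high" if same_image else "medium",
            })
    return findings


def write_counts(events, parent):
    """Per-child write counts for one parent, to show the baseline."""
    c = Counter(e.target for e in events
                if e.op == "write_memory" and e.pid == parent)
    return dict(sorted(c.items()))


if __name__ == "__main__":
    print("writes by 1716:", write_counts(SAMPLE_EVENTS, 1716))
    for f in detect_hollowing(SAMPLE_EVENTS, SAMPLE_PROCS):
        print(f)
```

The write count is kept in the finding rather than used as a threshold: the small number of writes a parent makes into every child it starts varies by sandbox, so the reliable discriminator is the WriteProcessMemory followed by SetThreadContext on the same target, with the image-name match only raising confidence.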
Processes

- C:\Users\Admin\AppData\Local\Temp\0988986.exe (PID 1716, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0988986.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2404, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0988986.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2848, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jcXOqLBJLRu.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 836, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcXOqLBJLRu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB56A.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  - C:\Users\Admin\AppData\Local\Temp\0988986.exe (PID 2616, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0988986.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

Note on the level-2 children: their command lines name C:\Windows\System32\..., but the executed images are under C:\Windows\SysWOW64\. The parent is a 32-bit process, so WoW64 file-system redirection mapped the System32 paths it requested to their 32-bit counterparts. The second copy of 0988986.exe (PID 2616) is the process that PID 1716 wrote into and whose thread context it set. The second PowerShell exclusion names a path under AppData\Roaming that no process in the tree runs from, i.e. an exclusion staged for a file that had not yet been dropped.
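The command lines in the tree are the part worth automating: two PowerShell children add Defender exclusions (one for the running sample, one for a Roaming path no process in the tree is running from yet), and schtasks imports a task definition from a .tmp file in the user's Temp directory, so the command line alone does not show what the task runs. The following added example is not part of the tria.ge report; it tokenises Windows command lines from a constructed copy of the tree and flags those patterns plus the System32/SysWOW64 mismatch. The (pid, image, cmdline) record shape and the function names are assumptions for this example.

```python
"""Command-line triage for a sandbox process tree.

Added example, not part of the tria.ge report.  The (pid, image, cmdline)
record shape and the function names are assumptions for this example;
the sample tree is a constructed copy of the report's Processes section.
"""
import re

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Process|Extension)$", re.I)

SAMPLE_TREE = [
    (1716, r"C:\Users\Admin\AppData\Local\Temp\0988986.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\0988986.exe"'),
    (2404, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0988986.exe"'),
    (2848, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\jcXOqLBJLRu.exe"'),
    (836, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcXOqLBJLRu" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpB56A.tmp"'),
    (2616, r"C:\Users\Admin\AppData\Local\Temp\0988986.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\0988986.exe"'),
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted paths" whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def arg_after(tokens, flag):
    """Value following a case-insensitive flag, or None if absent or last."""
    low = [t.lower() for t in tokens]
    if flag.lower() in low:
        i = low.index(flag.lower())
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def triage(tree):
    """Return findings for Defender exclusions, XML-imported scheduled
    tasks and WoW64 path redirection."""
    known_images = {image.lower() for _, image, _ in tree}
    findings = []
    for pid, image, cmdline in tree:
        toks = tokenize(cmdline)
        if not toks:
            continue
        exe = basename(toks[0])
        low = [t.lower() for t in toks]

        # 1. Add-MpPreference -Exclusion{Path,Process,Extension} <value>.
        #    An excluded path that no process in the tree runs from yet is
        #    an exclusion staged for a file the sample intends to drop.
        if exe == "powershell.exe" and "add-mppreference" in low:
            for i, t in enumerate(toks[:-1]):
                m = EXCLUSION_RE.match(t)
                if m:
                    findings.append({
                        "pid": pid, "type": "defender_exclusion",
                        "kind": m.group(1).lower(), "value": toks[i + 1],
                        "staged": toks[i + 1].lower() not in known_images,
                    })

        # 2. schtasks /Create ... /XML <file>: the task body lives in the
        #    file, so the command line alone does not reveal what will run.
        if exe == "schtasks.exe" and "/create" in low and "/xml" in low:
            xml = arg_after(toks, "/XML") or ""
            findings.append({
                "pid": pid, "type": "schtasks_xml",
                "name": arg_after(toks, "/TN"), "xml": xml,
                "temp_xml": "\\temp\\" in xml.lower(),
            })

        # 3. Command line names System32 but the image ran from SysWOW64:
        #    the caller is 32-bit and WoW64 file-system redirection applied.
        if toks[0].lower() != image.lower() and "\\syswow64\\" in image.lower():
            findings.append({"pid": pid, "type": "wow64_redirect",
                             "claimed": toks[0], "actual": image})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_TREE):
        print(f)
```

The "staged" flag is the detail a responder should act on: the excluded Roaming path is where the sample intends to copy itself, so it belongs on the hunt list even though no file with that name exists in the report's dropped-file list.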
Network
MITRE ATT&CK Enterprise v15
Downloads

- Dropped file (no path listed)
  Filesize: 144B
  MD5: 44e08f01946a132826b8fa8b862192f9
  SHA1: 426bbd7f7f73706a1c418368513c33d665701b75
  SHA256: 1ec68b3f9ab5b0a50ce493da922e588f62cd902410c2bfd297834e80f78c12b8
  SHA512: 6c53d5c97eea145a8e86c3e63f1c4cd713f5fa9e8121c0eff9ace55aa7d3dae04e500199a233367091c604870f7fb878873fa0929312938b2ff1c37790bd13b6

- Dropped file (no path listed)
  Filesize: 1KB
  MD5: 58e96333ce811eabb9c05609d7f6e7ef
  SHA1: e8bd0932d5846ca3e103378a476e345891e58387
  SHA256: aa028dcc3b2719802ecbeb69104fa5460c11995a30ea57b726b1793f19333ed1
  SHA512: 1503cdb91a61a54f9a627dff90d64981946f50bd5f75f09cf62f26f733d1f213a03dad330f6ce4402b7518ecbd7c6d2e7a20a2498eda7619081b7cc868fe5a38

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WYYCP1JDFTMY08007RBT.temp
  Filesize: 7KB
  MD5: f7e873974c46d79b1ddcc1d484308cb7
  SHA1: 9f1210d4735b735f2a77f1621df903dfd399a60e
  SHA256: 3450722c137b102c925016f653febd2d37d9d62ec24ab6a86ed6ef316059c8e5
  SHA512: 489d6b5809ae1b49576039fd5012c3363e18aa4ff4b129dbf44cb7e021696251adc4ccbcdcf44bd036c53a1b3821ecf2ac639effa3b196537c9a12ef99f079fa