Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

Launcher.exe

windows7-x64

10

Launcher.exe

windows10-2004-x64

10

module.dll

windows7-x64

1

module.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/09/2024, 22:56 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Launcher.exe

  • Size

    1.0MB

  • MD5

    389e49fd591fbdbe272575573a922085

  • SHA1

    2145dacbed53f6b64ea96938cff8758531961c1a

  • SHA256

    24191589d733c928bce4654a950c0f6bd02b6675a78e47e22893e72d27067264

  • SHA512

    74b957d349a3241143525a6085372b8131551de3c1df25b61dc4fbbb74a868234cb36c32db14a61ab6eb516258a85d551956c408e20c0523eaa7e8e1d2b19bd4

  • SSDEEP

    24576:82+IxnXZC4MQdHAsU/O552srSCbBJwNQEwTtaMmVL:uIByQhK/Og6BKNQkdl

Score
10/10
remcosdiscoveryevasionpersistenceratvmprotect

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • VMProtect packed file 7 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\PING.EXE
        PING 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2632
      • C:\Windows\SysWOW64\remcos\sys.exe
        "C:\Windows\SysWOW64\remcos\sys.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2336

Network

  • flag-us
    DNS
    hamareskids.ddns.net
    sys.exe
    Remote address:
    8.8.8.8:53
    Request
    hamareskids.ddns.net
    IN A
    Response
No results found
  • 8.8.8.8:53
    hamareskids.ddns.net
    dns
    sys.exe
    66 B
     126 B
     1
    1

    DNS Request

    hamareskids.ddns.net

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.bat
    Filesize

    139B

    MD5

    843fadf88dbddfc1a2d3c21e989a8e5a

    SHA1

    c432ce68e04961580744b489daa452dc4d978a8d

    SHA256

    f3b8a0dabf78adbb6b6b3664877a4622fc3624b6a513879a00057767a86880b9

    SHA512

    e69b3334fe806ea17defb7eb6bfc4f8ca8186f12929cbbede3f563b900f38a2afcb2ef4045946b43c5e4cc682f24ddd158bfdfaf9f750cf00babd818fe7b090c

    Download Submit

  • \Windows\SysWOW64\remcos\sys.exe
    Filesize

    1.0MB

    MD5

    389e49fd591fbdbe272575573a922085

    SHA1

    2145dacbed53f6b64ea96938cff8758531961c1a

    SHA256

    24191589d733c928bce4654a950c0f6bd02b6675a78e47e22893e72d27067264

    SHA512

    74b957d349a3241143525a6085372b8131551de3c1df25b61dc4fbbb74a868234cb36c32db14a61ab6eb516258a85d551956c408e20c0523eaa7e8e1d2b19bd4

    Download Submit

  • memory/2336-28-0x0000000000400000-0x0000000000603000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2336-37-0x0000000000400000-0x0000000000603000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2336-39-0x0000000000400000-0x0000000000603000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2664-26-0x0000000002420000-0x0000000002623000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2748-0-0x0000000000400000-0x0000000000603000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2748-7-0x0000000075840000-0x0000000075841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2748-3-0x0000000077230000-0x0000000077231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2748-1-0x0000000077230000-0x0000000077231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2748-9-0x0000000000400000-0x0000000000603000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2748-21-0x0000000000400000-0x0000000000603000-memory.dmp

    Filesize

    2.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.