Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

1d818c67cd...0a.exe

windows7-x64

8

1d818c67cd...0a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 23:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d818c67cd7b934a84588a3207b2e50a.exe

  • Size

    879KB

  • MD5

    1d818c67cd7b934a84588a3207b2e50a

  • SHA1

    f143719dafea314eb6ae638e9a7694da54c3a445

  • SHA256

    932c8687387b5fa94ef7b5c11358b0d0dc90ea488729382e09ec126d61457d6d

  • SHA512

    41e68271ed5c52427c1e9953bc3ac9c0562541a186a6a44712602dd88968fdd2d896f3c56dccc39dac512c9885e0eb9c194d26f148ce484418b001d1bf60401e

  • SSDEEP

    24576:Ovd+fC6BjsHpE+dOj+18tyAgajKCzMlTyFjSIi0/:O1+a6NsHp3MlhOGM1mO0/

Score
10/10
remcosremotehostdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

www.c42staging.com:2404

www.vdoclabs.com:2404

www.ozkol-aluminyum.com:2404
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    dfghj

  • mouse_option

    false

  • mutex

    Rmc-QCH1J0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe
    "C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4848
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wTTruYPumnUe.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2076
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTTruYPumnUe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB1B.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1740
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\dfghj\logs.dat
    Filesize

    144B

    MD5

    0a1a0df29df39b142256974ad10d589d

    SHA1

    7276437f1f91dfc73fc9e141b848d2556fe2009f

    SHA256

    d15de8a63755f3b419bf15f4b511664cfee217b14d2a0cc67522d36d88650c9b

    SHA512

    da9019a68f20a4afbfc54fb61d9d3663cef9191ee26ecbac1955cd9ddb7258539b424f1b38c9603c9db6b875c4039b94fae6707987a2d8544891d293db56b30c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    cffeb726176e7a62462f13697e957930

    SHA1

    d2184a3a8d9053100e2a05509c2c8075b44b0c18

    SHA256

    5da639c3f9aa4592f758dd8411ff72eea76773e61ee150f84da8cf3e1be68625

    SHA512

    0120cddf333c82e05c7a28dfe2f710e947bdfdf07642838f294162a751707db393092216846a53a9bcd412eb3cd109cf65b0cc51ae96f732ec7d0ce0fef231d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gnf2pvl4.svr.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpEB1B.tmp
    Filesize

    1KB

    MD5

    a35c9021bd72bfa7816014a5bf73bb9f

    SHA1

    1a201bf52f28c7ced971706c9f19202c31524886

    SHA256

    960c09c2a7f8d37be98447c31cde430aa292f0091b421c04c0aa1188ea9c1490

    SHA512

    be8ec3c1e31e7d3f3604d8299f82d80b8a542c569289c41fa64a3bfd4aa59987b278e8e8d81fc0a09c8fd3e49b9cb883756258c28503b58dfe92e5c8489ac5b2

    Download Submit

  • memory/536-4-0x0000000004D20000-0x0000000004D2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/536-6-0x0000000006390000-0x000000000646A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/536-7-0x0000000005230000-0x0000000005240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/536-8-0x00000000753AE000-0x00000000753AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/536-9-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/536-10-0x0000000006850000-0x0000000006910000-memory.dmp

    Filesize

    768KB

    Download

  • memory/536-11-0x0000000008F60000-0x0000000008FFC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/536-5-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/536-3-0x0000000004D60000-0x0000000004DF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/536-0-0x00000000753AE000-0x00000000753AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/536-54-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/536-2-0x0000000005270000-0x0000000005814000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/536-1-0x0000000000380000-0x0000000000462000-memory.dmp

    Filesize

    904KB

    Download

  • memory/1452-55-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-41-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-135-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-118-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-111-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-134-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-110-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-33-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-40-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-119-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-44-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-61-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-62-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-126-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-127-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-60-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-58-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1452-59-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2076-103-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2076-80-0x0000000075C30000-0x0000000075C7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2076-23-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2076-22-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2076-24-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2076-96-0x0000000007320000-0x0000000007328000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4848-56-0x0000000005A80000-0x0000000005A9E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4848-78-0x0000000007400000-0x0000000007A7A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4848-79-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4848-65-0x0000000006C70000-0x0000000006CA2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4848-90-0x0000000006E30000-0x0000000006E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4848-91-0x0000000007040000-0x00000000070D6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4848-92-0x0000000006FC0000-0x0000000006FD1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4848-93-0x0000000006FF0000-0x0000000006FFE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4848-94-0x0000000007000000-0x0000000007014000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4848-95-0x0000000007100000-0x000000000711A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4848-66-0x0000000075C30000-0x0000000075C7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4848-76-0x0000000006C30000-0x0000000006C4E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4848-77-0x0000000006CB0000-0x0000000006D53000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4848-102-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4848-57-0x0000000005AA0000-0x0000000005AEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4848-38-0x00000000055B0000-0x0000000005904000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4848-25-0x0000000005200000-0x0000000005222000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4848-32-0x0000000005440000-0x00000000054A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4848-31-0x00000000052A0000-0x0000000005306000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4848-20-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4848-19-0x0000000004B90000-0x00000000051B8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4848-18-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4848-17-0x00000000753A0000-0x0000000075B50000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4848-16-0x00000000021B0000-0x00000000021E6000-memory.dmp

    Filesize

    216KB

    Download