Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06/10/2024, 17:39
Static task
- static1
Behavioral task
- behavioral1: sample cayV0Deo9jSt417.exe, resource win7-20240903-en
Behavioral task
- behavioral2: sample cayV0Deo9jSt417.exe, resource win10v2004-20240802-en
General
- Target: cayV0Deo9jSt417.exe
- Size: 958KB
- MD5: aa3cdd5145d9fb980c061d2d8653fa8d
- SHA1: de696701275b01ddad5461e269d7ab15b7466d6a
- SHA256: 41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2
- SHA512: 4be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32
- SSDEEP: 24576:PExy+NP2Gc/hgXzYRVG7mRPQeMeokqjVnlqud+/2P+A:6+Gc/hD67mJQeMhkqXfd+/9A
Malware Config
Extracted
Family: remcos
Botnet: Go!!!
C2:
- dangerous.hopto.org:2404
- dangerous.hopto.org:2602
- 91.92.242.184:2602
- 91.92.242.184:2404
Attributes:
- audio_folder: ??????????? ??????
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: taskhost.exe
- copy_folder: System32
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: true
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: tapiui.dat
- keylog_flag: false
- keylog_folder: System32
- mouse_option: false
- mutex: ???-LDKG91
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: ?????????
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Executes dropped EXE (1 IoC)
  pid 2852, process taskhost.exe
- Loads dropped DLL (1 IoC)
  pid 2784, process clip.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\???-LDKG91 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\taskhost.exe\"" (process clip.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2668 set thread context of 2784 (process cayV0Deo9jSt417.exe, procid_target 31)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process cayV0Deo9jSt417.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process clip.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process taskhost.exe)
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2668 wrote to memory of 2784 (process cayV0Deo9jSt417.exe, procid_target 31): 13 identical entries
  PID 2784 wrote to memory of 2852 (process clip.exe, procid_target 32): 4 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\cayV0Deo9jSt417.exe "C:\Users\Admin\AppData\Local\Temp\cayV0Deo9jSt417.exe" (level 1, PID 2668)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe" (level 2, PID 2784)
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\System32\taskhost.exe "C:\Users\Admin\AppData\Roaming\System32\taskhost.exe" (level 3, PID 2852)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 25KB
  MD5: 04ebddcc3a90b6512aef4aa2eee36624
  SHA1: 185cd595c19dec765d5fcbdff914140b5354a864
  SHA256: 1c4b1acf31ec2dd48c746ad7cf2cc1404c76c7492bd15a6953f2ce6991496856
  SHA512: fbb7d67593018cd5a12355800b8e2974ad8f04918fafedb89c98fe3ed9cde53fa3ae91e26474cb9d2b1f9e4f7b6267ba1eece6f02ae5df20e95ce94bbb1f28da