Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

LPO.exe

windows7-x64

10

LPO.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/11/2024, 07:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LPO.exe

  • Size

    1.8MB

  • MD5

    c3bf525ab42ea2e0a37a55b290dd13bf

  • SHA1

    665e8ac35e69dc4a1fa273bd35703a201f9b074d

  • SHA256

    7a422ffa32fcdb0ca5698ef80ea3a7bed96b3fc42e008b0458256f4c680bd395

  • SHA512

    d6f71d29a5e4b94d04181791edf55d22c3640e2c4115a1b17f4d6c14b79ea0b728a06acb0a0c3848ac4edae8535cf923585af13236fdeddf0051345d083fa9d8

  • SSDEEP

    12288:qLXh08hSxuM4AUQC46V10t5hwv1xh14VGpxJz5W+EQpOIzkTJXY8I+6yi:QXNSNVt5+vPh14gxJzsQpOmkTJXY5

Score
10/10
remcosgasplantdiscoveryevasionexecutionrattrojan

Malware Config

Extracted

Family

remcos

Botnet

GASPLANT

C2

dotatech.de:30908

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    chrome-SYTYBI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\LPO.exe
    "C:\Users\Admin\AppData\Local\Temp\LPO.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\LPO.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:804
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2984

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    dotatech.de
    vbc.exe
    Remote address:
    8.8.8.8:53
    Request
    dotatech.de
    IN A
    Response
    dotatech.de
    IN A
    23.95.60.82
  • flag-us
    DNS
    133.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    82.60.95.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.60.95.23.in-addr.arpa
    IN PTR
    Response
    82.60.95.23.in-addr.arpa
    IN PTR
    23-95-60-82-host colocrossingcom
  • flag-us
    DNS
    geoplugin.net
    vbc.exe
    Remote address:
    8.8.8.8:53
    Request
    geoplugin.net
    IN A
    Response
    geoplugin.net
    IN A
    178.237.33.50
  • flag-nl
    GET
    http://geoplugin.net/json.gp
    vbc.exe
    Remote address:
    178.237.33.50:80
    Request
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Thu, 14 Nov 2024 07:14:10 GMT
    server: Apache
    content-length: 956
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
  • flag-us
    DNS
    50.33.237.178.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.33.237.178.in-addr.arpa
    IN PTR
    Response
    50.33.237.178.in-addr.arpa
    IN CNAME
    50.32/27.178.237.178.in-addr.arpa
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    65.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    65.139.73.23.in-addr.arpa
    IN PTR
    Response
    65.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-65deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • 23.95.60.82:30908
    dotatech.de
    tls
    vbc.exe
    3.4kB
     1.6kB
     14
    17
  • 178.237.33.50:80
    http://geoplugin.net/json.gp
    http
    vbc.exe
    623 B
     1.3kB
     12
    3

    HTTP Request

    GET http://geoplugin.net/json.gp

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    dotatech.de
    dns
    vbc.exe
    57 B
     73 B
     1
    1

    DNS Request

    dotatech.de

    DNS Response

    23.95.60.82

  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    82.60.95.23.in-addr.arpa
    dns
    70 B
     117 B
     1
    1

    DNS Request

    82.60.95.23.in-addr.arpa

  • 8.8.8.8:53
    geoplugin.net
    dns
    vbc.exe
    59 B
     75 B
     1
    1

    DNS Request

    geoplugin.net

    DNS Response

    178.237.33.50

  • 8.8.8.8:53
    50.33.237.178.in-addr.arpa
    dns
    72 B
     155 B
     1
    1

    DNS Request

    50.33.237.178.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    65.139.73.23.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    65.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d4lhfgxv.gss.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/804-11-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/804-25-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/804-19-0x000001F863800000-0x000001F863822000-memory.dmp

    Filesize

    136KB

    Download

  • memory/804-9-0x00007FFD9EAD3000-0x00007FFD9EAD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/804-12-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2608-1-0x00000144A7750000-0x00000144A7758000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2608-2-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2608-3-0x00000144C1ED0000-0x00000144C1FA2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/2608-0-0x00007FFD9EAD3000-0x00007FFD9EAD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2608-26-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2984-34-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-40-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-8-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-7-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-6-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-5-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-27-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-28-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-29-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-32-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-33-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-4-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-35-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-36-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-37-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-38-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-39-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-10-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-41-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-42-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-44-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-43-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-45-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-46-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-47-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-49-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-48-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-50-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-51-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-52-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-53-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-54-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-55-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2984-56-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.