Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

PO Spare p...LY.exe

windows7-x64

10

PO Spare p...LY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2024, 06:51 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO Spare parts and list of the prodcuts URGENT SUPPLY.exe

  • Size

    920KB

  • MD5

    837245dd0067f14b51b01c3ec2abd1e2

  • SHA1

    050af9b128d86975c8afa6d62b1bedec0d6f20b0

  • SHA256

    972d31f6bff6eed33197d77be4cf2027535bd64d42965c207c6e541257a4e112

  • SHA512

    b0372c59246b7263fa213cf341af74aab174205d8ba6f06cfa18b92c16a8aed16b889fb2c37ffe27e1aa79f41c2a6be02e756dee6bad86d8ade27797d80a91c7

  • SSDEEP

    24576:jMyQZrc+IbxyYMv5KXgoNV8LCZacnu4Z1aNR3:PQ9c+IFrnemod46d

Score
10/10
remcosremotehostdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.245.123.14:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-3DXQCZ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO Spare parts and list of the prodcuts URGENT SUPPLY.exe
    "C:\Users\Admin\AppData\Local\Temp\PO Spare parts and list of the prodcuts URGENT SUPPLY.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ppcjCFk.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ppcjCFk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3266.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2720
    • C:\Users\Admin\AppData\Local\Temp\PO Spare parts and list of the prodcuts URGENT SUPPLY.exe
      "C:\Users\Admin\AppData\Local\Temp\PO Spare parts and list of the prodcuts URGENT SUPPLY.exe"
      2⤵
        PID:2556
      • C:\Users\Admin\AppData\Local\Temp\PO Spare parts and list of the prodcuts URGENT SUPPLY.exe
        "C:\Users\Admin\AppData\Local\Temp\PO Spare parts and list of the prodcuts URGENT SUPPLY.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2600

    Network

    • flag-us
      DNS
      geoplugin.net
      PO Spare parts and list of the prodcuts URGENT SUPPLY.exe
      Remote address:
      8.8.8.8:53
      Request
      geoplugin.net
      IN A
      Response
      geoplugin.net
      IN A
      178.237.33.50
    • flag-nl
      GET
      http://geoplugin.net/json.gp
      PO Spare parts and list of the prodcuts URGENT SUPPLY.exe
      Remote address:
      178.237.33.50:80
      Request
      GET /json.gp HTTP/1.1
      Host: geoplugin.net
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      date: Thu, 14 Nov 2024 06:51:22 GMT
      server: Apache
      content-length: 954
      content-type: application/json; charset=utf-8
      cache-control: public, max-age=300
      access-control-allow-origin: *
    • 172.245.123.14:2404
      tls
      PO Spare parts and list of the prodcuts URGENT SUPPLY.exe
      3.4kB
       1.5kB
       12
      15
    • 178.237.33.50:80
      http://geoplugin.net/json.gp
      http
      PO Spare parts and list of the prodcuts URGENT SUPPLY.exe
      629 B
       2.5kB
       12
      4

      HTTP Request

      GET http://geoplugin.net/json.gp

      HTTP Response

      200
    • 8.8.8.8:53
      geoplugin.net
      dns
      PO Spare parts and list of the prodcuts URGENT SUPPLY.exe
      59 B
       75 B
       1
      1

      DNS Request

      geoplugin.net

      DNS Response

      178.237.33.50

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp3266.tmp
      Filesize

      1KB

      MD5

      df37ce0b69b921bf14f42d6b3cab8e79

      SHA1

      42272bfc4a8af5117d102cf1bfcafab96c1380a4

      SHA256

      ec4bad6469125379fa668eb0bb216b108e45d9b0d7bc3929145c3d4bbf99e434

      SHA512

      9fe6066ea2c4fcc4c70a2009dd4a8e0f6165f9c6ba8177f482dabe374f82bbce83312f62f117ca463681d0308efa9cf5800aa369d5068fc27951b09db5090b1c

      Download Submit

    • memory/2600-20-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-18-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-44-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-43-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-42-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-41-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-39-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-14-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-30-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-29-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-28-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-27-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2600-24-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-40-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-22-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-38-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-16-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-37-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-33-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-32-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-34-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2600-36-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/2668-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2668-31-0x0000000073F40000-0x000000007462E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2668-2-0x0000000073F40000-0x000000007462E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2668-1-0x00000000013E0000-0x00000000014CC000-memory.dmp

      Filesize

      944KB

      Download

    • memory/2668-6-0x0000000004F90000-0x0000000005054000-memory.dmp

      Filesize

      784KB

      Download

    • memory/2668-5-0x0000000073F40000-0x000000007462E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2668-4-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2668-3-0x00000000007E0000-0x00000000007F2000-memory.dmp

      Filesize

      72KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.