Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

c413b5fc35...08.exe

windows7-x64

6

c413b5fc35...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/11/2024, 19:57 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c413b5fc353f566a47c17c56b69b2cc7b33e048673b78678d33b3aa8804d1d08.exe

  • Size

    2.6MB

  • MD5

    8e921737fd53f5a40e982495f0c7c3c9

  • SHA1

    c46e2cae95d387f64964fa000b8daff2f646bdbb

  • SHA256

    c413b5fc353f566a47c17c56b69b2cc7b33e048673b78678d33b3aa8804d1d08

  • SHA512

    e767b00c4ea757b4af8dd0339260f5748d2475d5b94c6c2a83d20077990379068e8bf7bbfb7b2cf1015ad4f56968456131447ab63225975d2bb5cdb2535f0fdc

  • SSDEEP

    49152:rTOYjy2jq6ZutrfM2IAIbu/GFcThB84muqmSj9TgM/rhiYO/CeQTWoNdjjEPOaDT:rBIknAIbuQ2mtnhiY8dT

Score
10/10
remcosrojodiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

ROJO

C2

nuevodntestchec.addns.org:3018

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    registros.dat

  • keylog_flag

    false

  • keylog_folder

    data

  • mouse_option

    false

  • mutex

    jjajbsfbisfablklsafg-LEIC4X

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Capturas de pantalla

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Downloads MZ/PE file
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c413b5fc353f566a47c17c56b69b2cc7b33e048673b78678d33b3aa8804d1d08.exe
    "C:\Users\Admin\AppData\Local\Temp\c413b5fc353f566a47c17c56b69b2cc7b33e048673b78678d33b3aa8804d1d08.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5572

Network

  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    araguatec.addns.org
    csc.exe
    Remote address:
    8.8.8.8:53
    Request
    araguatec.addns.org
    IN A
    Response
    araguatec.addns.org
    IN A
    181.141.40.225
  • flag-us
    DNS
    225.40.141.181.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.40.141.181.in-addr.arpa
    IN PTR
    Response
    225.40.141.181.in-addr.arpa
    IN PTR
    hfc-181-141-40-225unenetco
  • flag-us
    DNS
    225.40.141.181.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.40.141.181.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    225.40.141.181.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.40.141.181.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    225.40.141.181.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.40.141.181.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    contath.org
    csc.exe
    Remote address:
    8.8.8.8:53
    Request
    contath.org
    IN A
    Response
    contath.org
    IN A
    69.49.234.173
  • flag-us
    GET
    https://contath.org/ROJO.exe
    csc.exe
    Remote address:
    69.49.234.173:443
    Request
    GET /ROJO.exe HTTP/1.1
    Host: contath.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 14 Nov 2024 19:58:30 GMT
    Server: Apache
    Last-Modified: Wed, 13 Nov 2024 13:51:59 GMT
    Accept-Ranges: bytes
    Content-Length: 492544
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    173.234.49.69.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    173.234.49.69.in-addr.arpa
    IN PTR
    Response
    173.234.49.69.in-addr.arpa
    IN PTR
    69-49-234-173 webhostboxnet
  • flag-us
    DNS
    nuevodntestchec.addns.org
    MSBuild.exe
    Remote address:
    8.8.8.8:53
    Request
    nuevodntestchec.addns.org
    IN A
    Response
    nuevodntestchec.addns.org
    IN A
    181.141.40.225
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    geoplugin.net
    MSBuild.exe
    Remote address:
    8.8.8.8:53
    Request
    geoplugin.net
    IN A
    Response
    geoplugin.net
    IN A
    178.237.33.50
  • flag-us
    DNS
    geoplugin.net
    MSBuild.exe
    Remote address:
    8.8.8.8:53
    Request
    geoplugin.net
    IN A
  • flag-nl
    GET
    http://geoplugin.net/json.gp
    MSBuild.exe
    Remote address:
    178.237.33.50:80
    Request
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Thu, 14 Nov 2024 19:58:34 GMT
    server: Apache
    content-length: 956
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
  • flag-us
    DNS
    103.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.33.237.178.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.33.237.178.in-addr.arpa
    IN PTR
    Response
    50.33.237.178.in-addr.arpa
    IN CNAME
    50.32/27.178.237.178.in-addr.arpa
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 181.141.40.225:30201
    araguatec.addns.org
    csc.exe
    482 B
     352 B
     7
    6
  • 69.49.234.173:443
    https://contath.org/ROJO.exe
    tls, http
    csc.exe
    9.1kB
     512.8kB
     191
    373

    HTTP Request

    GET https://contath.org/ROJO.exe

    HTTP Response

    200
  • 181.141.40.225:30201
    araguatec.addns.org
    csc.exe
    436 B
     172 B
     6
    4
  • 181.141.40.225:3018
    nuevodntestchec.addns.org
    MSBuild.exe
    2.5kB
     664 B
     11
    13
  • 178.237.33.50:80
    http://geoplugin.net/json.gp
    http
    MSBuild.exe
    531 B
     1.3kB
     10
    3

    HTTP Request

    GET http://geoplugin.net/json.gp

    HTTP Response

    200
  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    araguatec.addns.org
    dns
    csc.exe
    65 B
     81 B
     1
    1

    DNS Request

    araguatec.addns.org

    DNS Response

    181.141.40.225

  • 8.8.8.8:53
    225.40.141.181.in-addr.arpa
    dns
    292 B
     116 B
     4
    1

    DNS Request

    225.40.141.181.in-addr.arpa

    DNS Request

    225.40.141.181.in-addr.arpa

    DNS Request

    225.40.141.181.in-addr.arpa

    DNS Request

    225.40.141.181.in-addr.arpa

  • 8.8.8.8:53
    contath.org
    dns
    csc.exe
    57 B
     73 B
     1
    1

    DNS Request

    contath.org

    DNS Response

    69.49.234.173

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    173.234.49.69.in-addr.arpa
    dns
    72 B
     114 B
     1
    1

    DNS Request

    173.234.49.69.in-addr.arpa

  • 8.8.8.8:53
    nuevodntestchec.addns.org
    dns
    MSBuild.exe
    71 B
     87 B
     1
    1

    DNS Request

    nuevodntestchec.addns.org

    DNS Response

    181.141.40.225

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    144 B
     158 B
     2
    1

    DNS Request

    171.39.242.20.in-addr.arpa

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    geoplugin.net
    dns
    MSBuild.exe
    118 B
     75 B
     2
    1

    DNS Request

    geoplugin.net

    DNS Request

    geoplugin.net

    DNS Response

    178.237.33.50

  • 8.8.8.8:53
    103.209.201.84.in-addr.arpa
    dns
    73 B
     133 B
     1
    1

    DNS Request

    103.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    50.33.237.178.in-addr.arpa
    dns
    72 B
     155 B
     1
    1

    DNS Request

    50.33.237.178.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\data\registros.dat
    Filesize

    184B

    MD5

    85846c3074f3273b7dfaead3b06cb609

    SHA1

    c9265a2b0f1b8ed42cd56fc5141cb13f0ced293d

    SHA256

    e1e1a2810bdb9cae7f5acdf742375271ae79ccae0a5a78d3b4875d15675e43d8

    SHA512

    68c604ca7c4f75b92b490c4f94ccaeace13865faa40cfee80d1a437169d15d4a6c0c5cbc861ab65bf83261384a8a704770441045159b2c78450cf1de909260a3

    Download Submit

  • memory/220-33-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-3928-0x0000000005170000-0x00000000051BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/220-11-0x0000000074970000-0x0000000075120000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/220-15-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-9-0x000000007497E000-0x000000007497F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/220-3932-0x0000000005920000-0x0000000005974000-memory.dmp

    Filesize

    336KB

    Download

  • memory/220-3931-0x0000000074970000-0x0000000075120000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/220-58-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-63-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-61-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-59-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-55-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-53-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-49-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-47-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-45-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-43-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-41-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-67-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-65-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-39-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-37-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-35-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-6-0x0000000000680000-0x0000000000724000-memory.dmp

    Filesize

    656KB

    Download

  • memory/220-10-0x0000000004F90000-0x0000000005064000-memory.dmp

    Filesize

    848KB

    Download

  • memory/220-31-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-52-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-27-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-25-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-23-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-21-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-19-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-17-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-12-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-13-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-3930-0x000000007497E000-0x000000007497F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/220-3929-0x0000000005280000-0x00000000052E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/220-29-0x0000000004F90000-0x000000000505E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/220-3927-0x0000000005110000-0x0000000005166000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2764-7-0x0000000000400000-0x00000000006A9000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2764-1582-0x000000000042F000-0x0000000000448000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2764-8-0x0000000000400000-0x00000000006A9000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2764-2-0x0000000000400000-0x00000000006A9000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2764-5-0x0000000000400000-0x00000000006A9000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2764-4-0x0000000000400000-0x00000000006A9000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2764-3-0x0000000000400000-0x00000000006A9000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2764-0-0x0000000000400000-0x00000000006A9000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2764-1-0x000000000042F000-0x0000000000448000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5572-3937-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/5572-3951-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.