Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
21/11/2024, 03:46
Static task
static1
Behavioral task
behavioral1
Sample
Bank Fund Transfer-589237.scr
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Bank Fund Transfer-589237.scr
Resource
win10v2004-20241007-en
General
-
Target
Bank Fund Transfer-589237.scr
-
Size
1.2MB
-
MD5
552044ce92b78bf4b68d242c2c380afe
-
SHA1
2ef4efa20f4fd0d05d8f49ccb22c9afeada93a62
-
SHA256
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3
-
SHA512
4dc5ef0fb4b80a81015f4507422a67309074ea01787c9ed0d18c850a1d98ea1e3a444993a1d08428331e2ff044390c873d20c31ffbae049e325a82b64d5a3967
-
SSDEEP
24576:6YdgfvzmIzxWOwxzCJYC3PPoKb0Eci5ihjJVxw9bYOd+8:qzmmWXRCaePPjb0Eci5ih7xw9bYI
Malware Config
Extracted
remcos
RemoteHost
212.162.149.226:9285
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
AppUpdate
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-VCJ8ZS
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
AppUpdate
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2900 powershell.exe 2576 powershell.exe 1672 powershell.exe 2136 powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 2028 remcos.exe 2928 remcos.exe -
Loads dropped DLL 1 IoCs
pid Process 808 cmd.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" Bank Fund Transfer-589237.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" Bank Fund Transfer-589237.scr Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" remcos.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" remcos.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2644 set thread context of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2028 set thread context of 2928 2028 remcos.exe 48 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bank Fund Transfer-589237.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bank Fund Transfer-589237.scr -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2720 schtasks.exe 2132 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2644 Bank Fund Transfer-589237.scr 2644 Bank Fund Transfer-589237.scr 2644 Bank Fund Transfer-589237.scr 2644 Bank Fund Transfer-589237.scr 2576 powershell.exe 2900 powershell.exe 2028 remcos.exe 2028 remcos.exe 2028 remcos.exe 1672 powershell.exe 2028 remcos.exe 2136 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2644 Bank Fund Transfer-589237.scr Token: SeDebugPrivilege 2576 powershell.exe Token: SeDebugPrivilege 2900 powershell.exe Token: SeDebugPrivilege 2028 remcos.exe Token: SeDebugPrivilege 1672 powershell.exe Token: SeDebugPrivilege 2136 powershell.exe -
Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2900 2644 Bank Fund Transfer-589237.scr 30 PID 2644 wrote to memory of 2900 2644 Bank Fund Transfer-589237.scr 30 PID 2644 wrote to memory of 2900 2644 Bank Fund Transfer-589237.scr 30 PID 2644 wrote to memory of 2900 2644 Bank Fund Transfer-589237.scr 30 PID 2644 wrote to memory of 2576 2644 Bank Fund Transfer-589237.scr 32 PID 2644 wrote to memory of 2576 2644 Bank Fund Transfer-589237.scr 32 PID 2644 wrote to memory of 2576 2644 Bank Fund Transfer-589237.scr 32 PID 2644 wrote to memory of 2576 2644 Bank Fund Transfer-589237.scr 32 PID 2644 wrote to memory of 2720 2644 Bank Fund Transfer-589237.scr 34 PID 2644 wrote to memory of 2720 2644 Bank Fund Transfer-589237.scr 34 PID 2644 wrote to memory of 2720 2644 Bank Fund Transfer-589237.scr 34 PID 2644 wrote to memory of 2720 2644 Bank Fund Transfer-589237.scr 34 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 2644 wrote to memory of 3000 2644 Bank Fund Transfer-589237.scr 36 PID 3000 wrote to memory of 2972 3000 Bank Fund Transfer-589237.scr 37 PID 3000 wrote to memory of 2972 3000 Bank Fund Transfer-589237.scr 37 PID 3000 wrote to memory of 2972 3000 Bank Fund Transfer-589237.scr 37 PID 3000 wrote to memory of 2972 3000 Bank Fund Transfer-589237.scr 37 PID 2972 wrote to memory of 808 2972 WScript.exe 38 PID 2972 wrote to memory of 808 2972 WScript.exe 38 PID 2972 wrote to memory of 808 2972 WScript.exe 38 PID 2972 wrote to memory of 808 2972 WScript.exe 38 PID 808 wrote to memory of 2028 808 cmd.exe 40 PID 808 wrote to memory of 2028 808 cmd.exe 40 PID 808 wrote to memory of 2028 808 cmd.exe 40 PID 808 wrote to memory of 2028 808 cmd.exe 40 PID 2028 wrote to memory of 1672 2028 remcos.exe 42 PID 2028 wrote to memory of 1672 2028 remcos.exe 42 PID 2028 wrote to memory of 1672 2028 remcos.exe 42 PID 2028 wrote to memory of 1672 2028 remcos.exe 42 PID 2028 wrote to memory of 2136 2028 remcos.exe 44 PID 2028 wrote to memory of 2136 2028 remcos.exe 44 PID 2028 wrote to memory of 2136 2028 remcos.exe 44 PID 2028 wrote to memory of 2136 2028 remcos.exe 44 PID 2028 wrote to memory of 2132 2028 remcos.exe 45 PID 2028 wrote to memory of 2132 2028 remcos.exe 45 PID 2028 wrote to memory of 2132 2028 remcos.exe 45 PID 2028 wrote to memory of 2132 2028 remcos.exe 45 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48 PID 2028 wrote to memory of 2928 2028 remcos.exe 48
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bank Fund Transfer-589237.scr"C:\Users\Admin\AppData\Local\Temp\Bank Fund Transfer-589237.scr" /S1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Bank Fund Transfer-589237.scr"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uCItbEGgKu.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uCItbEGgKu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2BC.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2720
-
-
C:\Users\Admin\AppData\Local\Temp\Bank Fund Transfer-589237.scr"C:\Users\Admin\AppData\Local\Temp\Bank Fund Transfer-589237.scr"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:808 -
C:\ProgramData\AppUpdate\remcos.exeC:\ProgramData\AppUpdate\remcos.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\AppUpdate\remcos.exe"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uCItbEGgKu.exe"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uCItbEGgKu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1CC4.tmp"6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2132
-
-
C:\ProgramData\AppUpdate\remcos.exe"C:\ProgramData\AppUpdate\remcos.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2928
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
392B
MD5046708368578d720d91fb9ceecec742e
SHA11dc732f67f48a1d5694f4cf14a8d279dbd1d6ee6
SHA25604f4edc28e97a16f93cf7acac864aba17cc467282550ae61baac719262be6f5e
SHA5129106f645ee74c9e061fcb396a00d706512d41054a356125f26a10d42390d8f0d3ea3dd785393bf5de358b62464ec3c0f7d2e27411e87bb408581f820c427e7f0
-
Filesize
1KB
MD5c464bf85ef275a5c4571456b842a6793
SHA1fc9eadc99ead34ffe4d2557d033ca19a1a384d71
SHA256575e445bfc922b8a3148c87d366ad46a481cfdcf0db857880e6920348600e552
SHA5123d62fb8b674d2c4783f037e3923465760fa3e48f33fa7f63864c1040925ddddd39654f3dd49b1eaf3e7d881e7d1ba0186fb8c7c254b2ccf38e052a1fbb24d5ec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KBH5SAV8SMYG0DYT2XNJ.temp
Filesize7KB
MD59439dcb3b286cf608f40b177bc6f006b
SHA11ee3990facb11f3770701bcfa2b1802dabac1ce6
SHA256d0eef15760eeedfbd0c8ab596e72bd123c89426aaad2f3f19855c0cdef436253
SHA51216ea69a96f40c0796a0b412e8d72882037ad29d61b74282e2b6b8223de454d9e045fa99907db733cf71b65e975b9083d25a51d8c30a288f6c8a4398f906620cf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WGCKS3Y21J11QVITKRFH.temp
Filesize7KB
MD5b35a9f3eea827cb3717b7ed5542b5cb8
SHA1bc83da0bbb11f6d1caa2755a85e5e8214589c4a6
SHA2564a910787d968b73d8f026a9f2f3f05c786dfefd045b1f497602f5fb9ce27271c
SHA512ad25e3ff37c4f67ffe725cae57bf233bda494fbc8741794ab69b5f8937db6c3e7031f3a39b58bae8d7387e68f26e67c212dfc123b2c172917d3629933f4dd101
-
Filesize
1.2MB
MD5552044ce92b78bf4b68d242c2c380afe
SHA12ef4efa20f4fd0d05d8f49ccb22c9afeada93a62
SHA256cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3
SHA5124dc5ef0fb4b80a81015f4507422a67309074ea01787c9ed0d18c850a1d98ea1e3a444993a1d08428331e2ff044390c873d20c31ffbae049e325a82b64d5a3967