Analysis
max time kernel: 25s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/11/2024, 09:32
Static task: static1
Behavioral task: behavioral1
  Sample: Instrument lists , coporate info and po sample drawing.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: Instrument lists , coporate info and po sample drawing.exe
  Resource: win10v2004-20241007-en
General
Target: Instrument lists , coporate info and po sample drawing.exe
Size: 1.1MB
MD5: ad27097cd76b134d0d2d1509b5c3e3a6
SHA1: 5eb2ba9bdeecad9c6ab8c762edf499bab2222b40
SHA256: 3e4da255f51276918b7cdc4e47fa529e7ef5e6f5a2107b4932cf767ed82ca43f
SHA512: 8e49faa5ad48af9d1cfc4081a07daf380a659ff236999fd0110d85fa9f09db0358cbeba9c90bf88b18b3083ed90298f6604cbf3dfe45e818a53e83d3880881a5
SSDEEP: 24576:bQ3AgyE7jZH6EPfywOXd7e+AbCr9xeNdcrOYLaUa:bQQCjZH6EPfyJXdatbyazcCY+Ua
Malware Config
Extracted: remcos
RemoteHost: www.humptex.store:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: edfghjk
mouse_option: false
mutex: Rmc-8D13LS
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Remcos family

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  3296  powershell.exe
  5104  powershell.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
    Process: Instrument lists , coporate info and po sample drawing.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: Instrument lists , coporate info and po sample drawing.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: powershell.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: powershell.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: schtasks.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1132  schtasks.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1208  Instrument lists , coporate info and po sample drawing.exe
  5104  powershell.exe
  3296  powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1208  Instrument lists , coporate info and po sample drawing.exe
  Token: SeDebugPrivilege  3296  powershell.exe
  Token: SeDebugPrivilege  5104  powershell.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                      procid_target
  PID 1208 wrote to memory of 3296  1208  Instrument lists , coporate info and po sample drawing.exe  90
  PID 1208 wrote to memory of 3296  1208  Instrument lists , coporate info and po sample drawing.exe  90
  PID 1208 wrote to memory of 3296  1208  Instrument lists , coporate info and po sample drawing.exe  90
  PID 1208 wrote to memory of 5104  1208  Instrument lists , coporate info and po sample drawing.exe  92
  PID 1208 wrote to memory of 5104  1208  Instrument lists , coporate info and po sample drawing.exe  92
  PID 1208 wrote to memory of 5104  1208  Instrument lists , coporate info and po sample drawing.exe  92
  PID 1208 wrote to memory of 1132  1208  Instrument lists , coporate info and po sample drawing.exe  94
  PID 1208 wrote to memory of 1132  1208  Instrument lists , coporate info and po sample drawing.exe  94
  PID 1208 wrote to memory of 1132  1208  Instrument lists , coporate info and po sample drawing.exe  94
Processes
C:\Users\Admin\AppData\Local\Temp\Instrument lists , coporate info and po sample drawing.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Instrument lists , coporate info and po sample drawing.exe"
  PID: 1208
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Instrument lists , coporate info and po sample drawing.exe"
    PID: 3296
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jIjBkznYJBuTm.exe"
    PID: 5104
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Child: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jIjBkznYJBuTm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE8F8.tmp"
    PID: 1132
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  Child: C:\Users\Admin\AppData\Local\Temp\Instrument lists , coporate info and po sample drawing.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Instrument lists , coporate info and po sample drawing.exe"
    PID: 1160

  Child: C:\Users\Admin\AppData\Local\Temp\Instrument lists , coporate info and po sample drawing.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Instrument lists , coporate info and po sample drawing.exe"
    PID: 748

  Child: C:\Users\Admin\AppData\Local\Temp\Instrument lists , coporate info and po sample drawing.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Instrument lists , coporate info and po sample drawing.exe"
    PID: 2212

  Child: C:\Users\Admin\AppData\Local\Temp\Instrument lists , coporate info and po sample drawing.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Instrument lists , coporate info and po sample drawing.exe"
    PID: 3180
Network
MITRE ATT&CK Enterprise v15
Downloads