Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24/11/2024, 07:22
Static task: static1
Behavioral task: behavioral1 (Sample: Payment Transfer Request Form.bat.exe; Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: Payment Transfer Request Form.bat.exe; Resource: win10v2004-20241007-en)
General
Target: Payment Transfer Request Form.bat.exe
Size: 1.2MB
MD5: fc5a80adf45d78ffa834283d0a78f9f6
SHA1: 6865dec6f71546ea01420295b7175038c3a81ec4
SHA256: e588a098e9ceb33f2616e11a3faf28162e5f4b7f3800b22ab3023bc376aeb18c
SHA512: 27636cd0d31e3b1ff384869f1f2be6c23d7f02ecd70027c5d689de0893835d070218596a941472481d637cc6253ed3f2405991a6af4772596cc88f909a7dd7cb
SSDEEP: 24576:RYdgfvzAKzxWCC9vSA6GRdsttHVqowvVpBdlvlOUa:rzAcWFt96ydyQow5dldna
Malware Config
Extracted: remcos
RemoteHost: 212.162.149.226:9285
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: AppUpdate
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-VCJ8ZS
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: AppUpdate
take_screenshot_option: false
take_screenshot_time: 5
Signatures
- Remcos family
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process: 2608 powershell.exe; 2740 powershell.exe; 2552 powershell.exe; 2132 powershell.exe
- Executes dropped EXE (2 IoCs)
  pid / Process: 328 remcos.exe; 2448 remcos.exe
- Loads dropped DLL (1 IoCs)
  pid / Process: 2824 cmd.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" (Payment Transfer Request Form.bat.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" (Payment Transfer Request Form.bat.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" (remcos.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" (remcos.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2676 (Payment Transfer Request Form.bat.exe) set thread context of 2912 (procid_target 37)
  PID 328 (remcos.exe) set thread context of 2448 (procid_target 48)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: powershell.exe (x4), schtasks.exe (x2), Payment Transfer Request Form.bat.exe (x2), remcos.exe (x2), cmd.exe, WScript.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 2580 schtasks.exe; 2136 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid / Process: 2676 Payment Transfer Request Form.bat.exe (x4); 2740 powershell.exe; 2608 powershell.exe; 328 remcos.exe (x4); 2132 powershell.exe; 2552 powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege: 2676 Payment Transfer Request Form.bat.exe; 2740 powershell.exe; 2608 powershell.exe; 328 remcos.exe; 2132 powershell.exe; 2552 powershell.exe
- Suspicious use of WriteProcessMemory (62 IoCs; repeated entries collapsed, repeat count in parentheses)
  PID 2676 (Payment Transfer Request Form.bat.exe) wrote to memory of 2608, procid_target 31 (x4)
  PID 2676 (Payment Transfer Request Form.bat.exe) wrote to memory of 2740, procid_target 33 (x4)
  PID 2676 (Payment Transfer Request Form.bat.exe) wrote to memory of 2580, procid_target 34 (x4)
  PID 2676 (Payment Transfer Request Form.bat.exe) wrote to memory of 2912, procid_target 37 (x13)
  PID 2912 (Payment Transfer Request Form.bat.exe) wrote to memory of 2996, procid_target 38 (x4)
  PID 2996 (WScript.exe) wrote to memory of 2824, procid_target 39 (x4)
  PID 2824 (cmd.exe) wrote to memory of 328, procid_target 41 (x4)
  PID 328 (remcos.exe) wrote to memory of 2132, procid_target 42 (x4)
  PID 328 (remcos.exe) wrote to memory of 2552, procid_target 44 (x4)
  PID 328 (remcos.exe) wrote to memory of 2136, procid_target 46 (x4)
  PID 328 (remcos.exe) wrote to memory of 2448, procid_target 48 (x13)
Processes (process tree; the bracketed number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\Payment Transfer Request Form.bat.exe (PID 2676)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Transfer Request Form.bat.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2608)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Transfer Request Form.bat.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2740)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iKgKaogJ.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\schtasks.exe (PID 2580)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4AE5.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  [2] C:\Users\Admin\AppData\Local\Temp\Payment Transfer Request Form.bat.exe (PID 2912)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Transfer Request Form.bat.exe"
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WScript.exe (PID 2996)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe (PID 2824)
          Command line: "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe"
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\ProgramData\AppUpdate\remcos.exe (PID 328)
            Command line: C:\ProgramData\AppUpdate\remcos.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2132)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\AppUpdate\remcos.exe"
              - Command and Scripting Interpreter: PowerShell
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2552)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iKgKaogJ.exe"
              - Command and Scripting Interpreter: PowerShell
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\schtasks.exe (PID 2136)
              Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6C1.tmp"
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task

          [6] C:\ProgramData\AppUpdate\remcos.exe (PID 2448)
              Command line: "C:\ProgramData\AppUpdate\remcos.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads