Site notice (tria.ge): Windows 7 deprecation. Windows 7 analysis environments will be removed from tria.ge on 2025-03-31; the run detailed on this page used a windows7_x64 environment.
Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/12/2024, 07:30 (DD/MM/YYYY, i.e. 9 December 2024; the win10v2004-20241007-en image used by behavioral2 rules out a September reading)
Static task: static1
Behavioral task: behavioral1, sample Justificante de pago.exe, resource win7-20240903-en (the run whose PIDs and signatures are listed on this page)
Behavioral task: behavioral2, sample Justificante de pago.exe, resource win10v2004-20241007-en
General
- Target: Justificante de pago.exe (Spanish: "Proof of payment.exe", a payment-receipt lure name)
- Size: 1001KB
- MD5: 0c0b566099d8f32313cac142624e9b89
- SHA1: c91bd91424a20a9d45cc62cd3aaa85afefe60a74
- SHA256: e47dfbb5bd64ac09562d7d20618ba7f024a0b7547d864217feb0586f7145cdb0
- SHA512: de9de86a26a0d0eee105908e1c378be6c18a99a4c03b7d8a6e9d2049a0fc830903e077684156928d7b97176c6fa05a6d9e66793760e2a9edd1b54dd22c98fa2d
- SSDEEP: 24576:2oIeeaYI32l/Pow+E9rW2rtaldr+3dmBABsNJUI:JBeaWl/Pow+EW2RaLrbw
Malware Config
Extracted family: remcos
- RemoteHost: 127.0.0.1:7643
- audio_folder: MicRecords
- audio_path: ApplicationPath
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-14OQCD
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Reading the config: RemoteHost is the loopback address, so the Remcos payload as configured cannot reach a controller outside the host. That points to a builder default or a test build rather than a live campaign C2, and network hunting should not key on 127.0.0.1:7643. install_flag, keylog_flag and the screenshot options are all false, so under this config Remcos itself neither installs nor collects; the persistence and Defender tampering recorded in the Signatures and Processes sections are carried out by the loader executable, not by the Remcos payload. The mutex Rmc-14OQCD follows the stock Remcos naming and is the most useful host IoC for this build.
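The following Python is an added example (not tria.ge's or Remcos's code) that turns an extracted Remcos config like the one above into triage notes and host artifacts. The config text is constructed from the values on this page; the loopback/private/public classification of RemoteHost, the rule wording, the artifact names and the assumption that copy_folder and keylog_folder are relative to an install base directory not given in the config are this example's own.

```python
"""Parse and triage the Remcos configuration extracted in this report.

Added example, not tria.ge or Remcos code. REMCOS_CONFIG_TEXT is constructed
from the report's "Malware Config" section; the checks below are this
example's own triage rules, not an official Remcos config schema.
"""
import ipaddress
import ntpath
import re

# Constructed from the report: one "key<TAB>value" pair per line.
REMCOS_CONFIG_TEXT = """\
RemoteHost\t127.0.0.1:7643
audio_folder\tMicRecords
audio_path\tApplicationPath
audio_record_time\t5
connect_delay\t0
connect_interval\t1
copy_file\tremcos.exe
copy_folder\tRemcos
delete_file\tfalse
hide_file\tfalse
hide_keylog_file\tfalse
install_flag\tfalse
keylog_crypt\tfalse
keylog_file\tlogs.dat
keylog_flag\tfalse
keylog_folder\tremcos
mouse_option\tfalse
mutex\tRmc-14OQCD
screenshot_crypt\tfalse
screenshot_flag\tfalse
screenshot_folder\tScreenshots
screenshot_path\t%AppData%
screenshot_time\t10
take_screenshot_option\tfalse
take_screenshot_time\t5
"""


def parse_config(text):
    """Parse 'key<TAB>value' lines into a dict, coercing booleans and integers."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, raw = line.partition("\t")
        val = raw.strip()
        if val.lower() in ("true", "false"):
            val = val.lower() == "true"
        elif re.fullmatch(r"-?\d+", val):
            val = int(val)
        cfg[key.strip()] = val
    return cfg


def split_host(remote_host):
    """'host:port' -> (host, port). rpartition keeps IPv6 literals intact."""
    host, _, port = remote_host.strip().rpartition(":")
    return host, int(port)


def classify_host(host):
    """Classify a C2 host as loopback, private, public or a DNS name."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "domain"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def triage(cfg):
    """Derive analyst notes and host artifacts from a parsed config."""
    host, port = split_host(cfg["RemoteHost"])
    kind = classify_host(host)
    notes = [f"C2 {host}:{port} is {kind}"]
    if kind == "loopback":
        notes.append("C2 is loopback: builder default or test build; expect no beaconing")
    elif kind == "private":
        notes.append("C2 is a private address: lab or internal-network controller")
    if cfg["mutex"].startswith("Rmc-"):
        notes.append("mutex uses the stock Remcos 'Rmc-' prefix")
    if cfg["install_flag"] is False:
        notes.append("install_flag false: no self-install configured; persistence must come from the loader")
    off = [k for k in ("keylog_flag", "screenshot_flag", "take_screenshot_option", "mouse_option")
           if cfg.get(k) is False]
    if off:
        notes.append("collection disabled in config: " + ", ".join(off))
    artifacts = {
        "mutex": cfg["mutex"],
        "c2": (host, port),
        # Base directory for the copy and keylog paths depends on the install
        # options and is not in the extracted config, so these stay relative (assumption).
        "copy_relpath": ntpath.join(cfg["copy_folder"], cfg["copy_file"]),
        "keylog_relpath": ntpath.join(cfg["keylog_folder"], cfg["keylog_file"]),
        # screenshot_path is explicit in the config, so this one is absolute.
        "screenshot_dir": ntpath.join(cfg["screenshot_path"], cfg["screenshot_folder"]),
        "audio_dir": cfg["audio_folder"],
    }
    return notes, artifacts


if __name__ == "__main__":
    notes, artifacts = triage(parse_config(REMCOS_CONFIG_TEXT))
    print("\n".join(notes))
    print(artifacts)
```

The config is treated as plain text so the same parser works on the key/value dump of any sandbox extractor; the only Remcos-specific knowledge is the "Rmc-" mutex prefix and which flags gate collection.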
Signatures
- Remcos family
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes.
  PID 2556 powershell.exe
  PID 2704 powershell.exe
  Both invocations use Add-MpPreference -ExclusionPath (command lines under Processes). Adding an exclusion requires an elevated context, is recorded by Defender as a configuration change (event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) and is visible afterwards in Get-MpPreference, so it is both a detection opportunity and a post-incident check.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1660 Justificante de pago.exe set thread context of PID 1364 Justificante de pago.exe (procid_target 35)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Justificante de pago.exe, powershell.exe, schtasks.exe and powershell.exe
  Caveat: this key is read by many benign processes at start-up (including the schtasks.exe and powershell.exe children here), so on its own it is weak evidence of geofencing.
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2728 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 1660 Justificante de pago.exe (3 occurrences), PID 2556 powershell.exe, PID 2704 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 1660 Justificante de pago.exe, PID 2556 powershell.exe, PID 2704 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1364 Justificante de pago.exe (the injected child; consistent with the input-hook capability Remcos carries, although keylog_flag is false in the extracted config)
- Suspicious use of WriteProcessMemory (23 IoCs), all from PID 1660 Justificante de pago.exe:
  target PID 2556 powershell.exe (procid_target 29): 4 writes
  target PID 2704 powershell.exe (procid_target 31): 4 writes
  target PID 2728 schtasks.exe (procid_target 32): 4 writes
  target PID 1364 Justificante de pago.exe (procid_target 35): 11 writes
  The same four-write pattern appears for every child the sample spawns and is consistent with process start-up rather than injection. The eleven writes into PID 1364, a second copy of the sample, together with the SetThreadContext call on that same PID, are the injection of the Remcos payload into the child (a process-hollowing pattern); PID 1364 is the process that should be memory-dumped to recover the unpacked Remcos.
Processes
- C:\Users\Admin\AppData\Local\Temp\Justificante de pago.exe (depth 1, PID 1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Justificante de pago.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2556)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Justificante de pago.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2704)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TYLngHLuy.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 2728)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TYLngHLuy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3FFD.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\Justificante de pago.exe (depth 2, PID 1364)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Justificante de pago.exe"
    - Suspicious use of SetWindowsHookEx
Reading the tree: the loader (PID 1660) first excludes its own Temp path from Defender, then excludes C:\Users\Admin\AppData\Roaming\TYLngHLuy.exe, the randomly named copy that the scheduled task "Updates\TYLngHLuy" is presumably registered to run (the task XML, tmp3FFD.tmp, is staged in Temp and its contents are not shown here), and finally starts a second instance of itself (PID 1364) into which it writes the Remcos payload and redirects the thread context. The command lines name C:\Windows\System32\... but the images that ran are under C:\Windows\SysWOW64\...: the loader is a 32-bit process, so WOW64 file-system redirection sends it to the 32-bit PowerShell and schtasks. Detection rules that match on the image path should therefore accept both System32 and SysWOW64.
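As an added example (not tria.ge's detection logic), the Python below reconstructs the three behaviours this report flags from a list of process events: the Defender exclusions, the scheduled task created from a temp-staged XML, and the self-injection into a same-image child. The events are constructed from the Processes and Signatures sections above; the event schema (kind, pid, ppid, image, cmdline, target), the rule names and the "temp directory" heuristic for the task XML are this example's own assumptions.

```python
"""Correlate sandbox process events into the behaviours this report flags.

Added example, not tria.ge's detection code. EVENTS is constructed from the
report's Processes and Signatures sections; the event schema and the rule
names are this example's own.
"""
import ntpath
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Justificante de pago.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# The command line names System32, the image that ran is under SysWOW64 (WOW64 redirection).
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '

EVENTS = [
    {"kind": "create", "pid": 1660, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "create", "pid": 2556, "ppid": 1660, "image": PS_IMAGE, "cmdline": PS_CMD + f'"{SAMPLE}"'},
    {"kind": "create", "pid": 2704, "ppid": 1660, "image": PS_IMAGE,
     "cmdline": PS_CMD + r'"C:\Users\Admin\AppData\Roaming\TYLngHLuy.exe"'},
    {"kind": "create", "pid": 2728, "ppid": 1660, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TYLngHLuy" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3FFD.tmp"'},
    {"kind": "create", "pid": 1364, "ppid": 1660, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
]
# WriteProcessMemory counts from the report: 4 into each helper child, 11 into the second copy.
for _target, _n in ((2556, 4), (2704, 4), (2728, 4), (1364, 11)):
    EVENTS += [{"kind": "write_memory", "pid": 1660, "target": _target} for _ in range(_n)]
EVENTS.append({"kind": "set_thread_context", "pid": 1660, "target": 1364})

EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"?([^"]+)', re.I)
TASK_XML_RE = re.compile(r'/create\b.*?/xml\s+"?([^"]+)', re.I)


def detect(events):
    """Return (rule, pid, detail) tuples for the three behaviours of interest."""
    procs = {e["pid"]: e for e in events if e["kind"] == "create"}
    findings = []
    for p in procs.values():
        exe = ntpath.basename(p["image"]).lower()   # accepts System32 and SysWOW64 alike
        m = EXCLUSION_RE.search(p["cmdline"])
        if exe == "powershell.exe" and m:
            findings.append(("defender_exclusion", p["pid"], m.group(2).strip()))
        m = TASK_XML_RE.search(p["cmdline"])
        if exe == "schtasks.exe" and m:
            xml = m.group(1).strip()
            # Heuristic (assumption): a task definition staged in a temp directory
            # is the loader pattern seen in this report, not normal administration.
            if "\\temp\\" in xml.lower():
                findings.append(("schtasks_temp_xml", p["pid"], xml))
    # Self-injection: memory writes plus a thread-context change into a child that
    # runs the same image as the writer. Writes alone occur for every child here.
    writes = Counter((e["pid"], e["target"]) for e in events if e["kind"] == "write_memory")
    for e in events:
        if e["kind"] != "set_thread_context":
            continue
        src, dst = e["pid"], e["target"]
        same_image = (src in procs and dst in procs
                      and procs[src]["image"].lower() == procs[dst]["image"].lower())
        if writes[(src, dst)] and same_image:
            findings.append(("self_injection", src, dst))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:20} pid={pid} {detail}")
```

The self-injection rule deliberately requires both the writes and the SetThreadContext call: the loader also wrote into its PowerShell and schtasks children, and flagging on writes alone would turn every process creation by a 32-bit parent into an alert.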
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not shown), 144B
  MD5: 196e6e60d89001b9bd380dff4d428d26
  SHA1: 1098c57947878a0ebf09400a488f6ec0a7ddd871
  SHA256: 646917914ea392f047d47fbff7744d3b1eec9a1ab4f5ff1ec73062190aa89b68
  SHA512: d75a774c86e4819ad680d4b109fe303416f4152c362a5c18323d61b733da007aea4dac2c2d8f297b6ca450dd71528cc2d201553c52949f4d57ac44f10812df81
- (path not shown), 1KB
  MD5: ce28a8c7a27f2d5ba1c9abf26f4361b3
  SHA1: d545c2cc1ce390474d6638636ae5fae6ee7a9246
  SHA256: 874620e688a695146508375a8bf09e27ac9bc8065e8e70c8718985866a8620f1
  SHA512: 1affbd00d30ade83cd2182b123eeb098870193cba563331079b8fb5b20173e55c1cf84fecd77c9ed9cbff9c8f7b186d267bdab84c0eda29d29d8a27bcc8786dd
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KRYZ49XGURY2HG03V7WR.temp, 7KB
  MD5: a1cb58b1d9e899b7fec36fec72462ca4
  SHA1: 7bf3dfc584544d1319c1fffa925217697dc8ac0e
  SHA256: 032d07874a7a8353d6238df64678a6dd75b0ecd36912f6338739ed179e13ce1d
  SHA512: 66d6badbf61464869702947eda1bc8663c5c580936cced1cd1116094959be174cd8ffe974fb1a459d76bc0988dc4384222a1a4cbae36abf8fb32a415ab29a8ba
  A jump-list file consistent with what powershell.exe writes at start-up, not a dropped payload; its hash is not a useful IoC. The persisted copy TYLngHLuy.exe and the task XML tmp3FFD.tmp referenced in the command lines do not appear in this list.