Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 10/12/2024, 04:34
Behavioral task: behavioral1
- Sample: HKP098767890HJ.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: HKP098767890HJ.exe
- Resource: win10v2004-20241007-en
General
- Target: HKP098767890HJ.exe
- Size: 813KB
- MD5: d6b16370cd4e60185aa88607316a0c05
- SHA1: 7fbc63b1203617c67e5491745beaedb424baed78
- SHA256: a6d6d1c8299f97f966d72373e999b5a8e6768914e27d5533307cf6878b95dce2
- SHA512: 16c468948e568343ab1a1460d82b4c5859d09043e3a0115aa9c0aefeabfa22c796cca505ede8b1f194764dda7c5263979230e3fa272ee1fb3b21919202b01906
- SSDEEP: 24576:Erl6kD68JmlotQfXTwzecW/wCyFbxXdRC:yl328U2yfdcZFFd
Malware Config
Extracted: remcos
- RemoteHost: 192.210.150.26:3678
- audio_folder: MicRecords
- audio_path: ApplicationPath
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-MKYDDH
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Remcos family
- Detected Nirsoft tools (6 IoCs)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource / yara_rule:
  behavioral2/memory/1668-57-0x0000000000400000-0x0000000000478000-memory.dmp (Nirsoft)
  behavioral2/memory/1424-58-0x0000000000400000-0x0000000000462000-memory.dmp (Nirsoft)
  behavioral2/memory/1424-67-0x0000000000400000-0x0000000000462000-memory.dmp (Nirsoft)
  behavioral2/memory/4432-63-0x0000000000400000-0x0000000000424000-memory.dmp (Nirsoft)
  behavioral2/memory/1668-59-0x0000000000400000-0x0000000000478000-memory.dmp (Nirsoft)
  behavioral2/memory/1668-70-0x0000000000400000-0x0000000000478000-memory.dmp (Nirsoft)
- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  resource / yara_rule:
  behavioral2/memory/1424-58-0x0000000000400000-0x0000000000462000-memory.dmp (MailPassView)
  behavioral2/memory/1424-67-0x0000000000400000-0x0000000000462000-memory.dmp (MailPassView)
- NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  resource / yara_rule:
  behavioral2/memory/1668-57-0x0000000000400000-0x0000000000478000-memory.dmp (WebBrowserPassView)
  behavioral2/memory/1668-59-0x0000000000400000-0x0000000000478000-memory.dmp (WebBrowserPassView)
  behavioral2/memory/1668-70-0x0000000000400000-0x0000000000478000-memory.dmp (WebBrowserPassView)
- Drops startup file (1 IoCs)
  description / ioc / Process:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs (outvaunts.exe)
- Executes dropped EXE (4 IoCs)
  pid / Process:
  3440 outvaunts.exe
  1668 outvaunts.exe
  1424 outvaunts.exe
  4432 outvaunts.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description / ioc / Process:
  Key opened: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (outvaunts.exe)
- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource / yara_rule:
  behavioral2/memory/1980-18-0x0000000000E00000-0x0000000000FC4000-memory.dmp (autoit_exe)
  behavioral2/memory/3440-33-0x00000000010A0000-0x00000000014A0000-memory.dmp (autoit_exe)
  behavioral2/memory/3440-68-0x0000000000EA0000-0x0000000001064000-memory.dmp (autoit_exe)
- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / Process / procid_target:
  PID 3440 set thread context of 1668 (pid 3440, outvaunts.exe, procid_target 83)
  PID 3440 set thread context of 1424 (pid 3440, outvaunts.exe, procid_target 84)
  PID 3440 set thread context of 4432 (pid 3440, outvaunts.exe, procid_target 85)
- yara_rule upx matches (5 IoCs)
  resource / yara_rule:
  behavioral2/memory/1980-0-0x0000000000E00000-0x0000000000FC4000-memory.dmp (upx)
  behavioral2/memory/3440-16-0x0000000000EA0000-0x0000000001064000-memory.dmp (upx)
  behavioral2/memory/1980-18-0x0000000000E00000-0x0000000000FC4000-memory.dmp (upx)
  behavioral2/files/0x000a000000023b8a-15.dat (upx)
  behavioral2/memory/3440-68-0x0000000000EA0000-0x0000000001064000-memory.dmp (upx)
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (HKP098767890HJ.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (outvaunts.exe, 4 events)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / Process:
  1668 outvaunts.exe (4 events)
  4432 outvaunts.exe (2 events)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  pid / Process:
  3440 outvaunts.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege (pid 4432, outvaunts.exe)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid / Process:
  1980 HKP098767890HJ.exe (2 events)
  3440 outvaunts.exe (2 events)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid / Process:
  1980 HKP098767890HJ.exe (2 events)
  3440 outvaunts.exe (2 events)
- Suspicious use of WriteProcessMemory (15 IoCs)
  description / pid / Process / procid_target:
  PID 1980 wrote to memory of 3440 (pid 1980, HKP098767890HJ.exe, procid_target 82; 3 events)
  PID 3440 wrote to memory of 1668 (pid 3440, outvaunts.exe, procid_target 83; 4 events)
  PID 3440 wrote to memory of 1424 (pid 3440, outvaunts.exe, procid_target 84; 4 events)
  PID 3440 wrote to memory of 4432 (pid 3440, outvaunts.exe, procid_target 85; 4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\HKP098767890HJ.exe (level 1, PID 1980)
  Command line: "C:\Users\Admin\AppData\Local\Temp\HKP098767890HJ.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\complacence\outvaunts.exe (level 2, PID 3440)
    Command line: "C:\Users\Admin\AppData\Local\Temp\HKP098767890HJ.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\complacence\outvaunts.exe (level 3, PID 1668)
      Command line: C:\Users\Admin\AppData\Local\complacence\outvaunts.exe /stext "C:\Users\Admin\AppData\Local\Temp\liivyiy"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\complacence\outvaunts.exe (level 3, PID 1424)
      Command line: C:\Users\Admin\AppData\Local\complacence\outvaunts.exe /stext "C:\Users\Admin\AppData\Local\Temp\ncnoztrbtq"
      - Executes dropped EXE
      - Accesses Microsoft Outlook accounts
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\complacence\outvaunts.exe (level 3, PID 4432)
      Command line: C:\Users\Admin\AppData\Local\complacence\outvaunts.exe /stext "C:\Users\Admin\AppData\Local\Temp\yftgalcupyojv"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: b193f2f75c24c01ca5e099247a1170aa
  SHA1: f7f65cea265998b4b0f8c813123b3efd445522d6
  SHA256: cf27767303516d5c7ba508e1e8e80f47227b4aaf5482d667b058f355eb4b51ae
  SHA512: 1ddcc5815becad35cc70e842b6604a8dd108e1bf49d0829cd862aaa52e625bc239378c90d59ac1366c61fce82aefa880eb820e40e999054b7f6f08461b15e10f
- Filesize: 481KB
  MD5: 134b1f6d71374d538d0ce5268bc547d2
  SHA1: 4ed396631e1f50adfecebdad795152ad189f1516
  SHA256: 6ddf551c3d7019061800785cc189ed10619ea9bf3234f5504e1ced315d0d2e96
  SHA512: d108362aa77dcf0c824b2090f58f7f6ad0f53d76fad5ab6fe9271330bfe3337262b82ce9a5150e03139df8ed9c42417c9eeeb12cc1847067f91c20e7cbe64539
- Filesize: 145KB
  MD5: b97cfa7d4c0914ef3bb656cf7b6a95c6
  SHA1: e6c61c2a88f83b07a868e7b4f8c6496697944445
  SHA256: 069ecc03912bf679890e24416e068607345f8c77c7968f75ce52775c471d676f
  SHA512: 4233719255f746dd17b22c0fbfa60aab086c71de4078b75e7e921bbb5432b35522d04bcb5c3d92bbf4e56d29e950fd8fbafa06c0b69e97e5d3f73301b181782b
- Filesize: 4KB
  MD5: 75379d3dcbcea6a69bc75b884816dd40
  SHA1: 7e073a03c3bdbbc60375ddbe56bba211c3d412a6
  SHA256: cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9
  SHA512: 710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c
- Filesize: 813KB
  MD5: d6b16370cd4e60185aa88607316a0c05
  SHA1: 7fbc63b1203617c67e5491745beaedb424baed78
  SHA256: a6d6d1c8299f97f966d72373e999b5a8e6768914e27d5533307cf6878b95dce2
  SHA512: 16c468948e568343ab1a1460d82b4c5859d09043e3a0115aa9c0aefeabfa22c796cca505ede8b1f194764dda7c5263979230e3fa272ee1fb3b21919202b01906