Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2024, 05:34
Static task: static1
Behavioral task: behavioral1
- Sample: a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
- Resource: win7-20240903-en
General
- Target: a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
- Size: 1.1MB
- MD5: 86e5451f3367e6580295e46b33d3d8ea
- SHA1: b27ac49886349182a8f3cb9cdd7eaed0438ba3a3
- SHA256: a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49
- SHA512: 1b0bfc3df08ef499b2c1d7d24f9e31a027c98592645512d73cd58b50f12d52fda4a1287a7a61e6e7ce63a418db393c3546586ea6bf043e8a9de873a2e0ac85eb
- SSDEEP: 12288:P2yGdJI1QkIO0QRBajzGStJLkGwiAlVXAjxfkc14c1ZTii1/RwCmcJwAFxrXbqs8:PfOiavjzGStJLXwiyAjxfkcacLOxjA4
Malware Config
Extracted
- Family: remcos
- Version: 2.7.0 Pro
- Botnet: 10
- C2: duckdne7832732.duckdns.org:1718
Attributes
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-RN68N0
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Signatures
- Remcos family
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2232 set thread context of 3044 | 2232 | a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe | 33
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2696 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2232 | a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3044 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 2232 wrote to memory of 2696 | 2232 | a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe | 31 (4 identical entries)
  PID 2232 wrote to memory of 3044 | 2232 | a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe | 33 (14 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe (PID 2232)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2696)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VuYmmGpWGSWON" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3044)
    Command line: "{path}"
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 6aa6ff7a8f596daf7c13f072509d2789
  SHA1: 664e640769d007621bff55099c20a3c793a04cc2
  SHA256: c97ccba91af0a6292f051071e8dd31071bfec4ff07f9cda2e80a797d914e9dee
  SHA512: 48240cc27237528b2ec6a3a2e16c9b53cbabec26cc7ed5f485258631c58ad973495512f30ce1da533e48d606523ba415a669baa0870f91c79fcc8c5ad0de7a34
- Filesize: 74B
  MD5: 2c37d363ab76ababd52577823730eb44
  SHA1: 7fea3274e7d445efef7df2d010552ddd69c5c05a
  SHA256: 428e31c45503f4ee6c4d4a26f1dd17123067049368a66ddfda15807ae83c16a8
  SHA512: ed6c54028573112b977b1ca8849445d5a87b78103f25739da98dc145a3dcfa6042cb7e8255bd4a40aa13856f11b483d07b21af4fce264ca32c715409286fc1ec