Analysis

  • max time kernel
    298s
  • max time network
    299s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/01/2025, 10:51

General

  • Target: NOTIFICACION JURIDICA/NOTIFICACION JURIDICA FISCAL POR ABUSO DE CONFIANZA.js
  • Size: 3.7MB
  • MD5: 227a0b4511190f239ad8a6f1ec17bf4d
  • SHA1: d431266d6bf66c619f8b0f7e5cd8df04cdd24bf2
  • SHA256: c65ee21bdb16755d9ccb650e501f9f4af4ce795347c91b3645ffa71965412a5f
  • SHA512: 338fd098c94625589547fdc50b126a5c95595fbc5f379c6a3ca9d646f35d4f002eb4c01be0fd7f48ebecbbcfb8ac7d2775dcfb6ee48abbfe79da61490538c29b
  • SSDEEP: 384:TnLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLD:PvvvvvvvvvvvvvvvvvvD

Malware Config

Extracted

  • Family: remcos
  • Botnet: 2025
  • C2: masterrechargeel.kozow.com:6565

Attributes
  • audio_folder: MicRecords
  • audio_path: ApplicationPath
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-FI6YA9
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Blocklisted process makes network request (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Command and Scripting Interpreter: JavaScript (1 TTP)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Uses the powershell.exe command.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: LoadsDriver (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (11 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\wscript.exe (depth 1, PID 4248)
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\NOTIFICACION JURIDICA\NOTIFICACION JURIDICA FISCAL POR ABUSO DE CONFIANZA.js"
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2068)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp.ps1"
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\Extracted\CiscoCollabHost.exe (depth 3, PID 1316)
        "C:\Users\Admin\AppData\Local\Temp\Extracted\CiscoCollabHost.exe"
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • C:\Windows\system32\cmd.exe (depth 4, PID 4052)
          C:\Windows\system32\cmd.exe /c schtasks /create /tn "Yscu4QXOumPMgkVtT" /tr "C:\Users\Admin\AppData\Roaming\CiscoCollabHost.exe" /sc onlogon /rl highest /f
          • Suspicious use of WriteProcessMemory
          • C:\Windows\system32\schtasks.exe (depth 5, PID 1584)
            schtasks /create /tn "Yscu4QXOumPMgkVtT" /tr "C:\Users\Admin\AppData\Roaming\CiscoCollabHost.exe" /sc onlogon /rl highest /f
            • Scheduled Task/Job: Scheduled Task
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 4, PID 4636)
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Extracted\CiscoCollabHost.exe
    Filesize: 121KB
    MD5: 9c521a90653df5d1efbd0cea12318863
    SHA1: ec2afaf10b78dabfead9e9e485d454789c244188
    SHA256: 85bcfc9de06bd0751245ad882f7e2141f340cdedefcaefb8deabbc0792088a58
    SHA512: d1bbb5e07e7df5fe6da9786ecee06c0dfd9e46067de48a139323aa045f81139b78404c4f3f77b1f6f58c3b11d1edf88d0c06ad42fcf7482436367f2444e6152e

  • C:\Users\Admin\AppData\Local\Temp\Extracted\CiscoSparkLauncher.dll
    Filesize: 2.6MB
    MD5: e2e01305e938ea378a88658d81c0917f
    SHA1: 6b3dc7e13347f6fadadc2dbac7d3a3927d9e2aa6
    SHA256: 29c3c48f4dc84e7179881bc3767546878b2db89d418372f687edbd4a72ef0989
    SHA512: 5620ea58d2a7da0fe5d352ea1fe82e76ed84c31b2ae97b28a3ab3b25268f21c0a8eef8ca7baa05ab0f2c80a8125fc7e2441065eda11259b1f636be7b3d6c202d

  • C:\Users\Admin\AppData\Local\Temp\Extracted\VERSION.dll
    Filesize: 6.4MB
    MD5: f422d060f14e7dc67f89030644d0eab5
    SHA1: 088317ad52c714ecac114dff31a05f1e5a45e351
    SHA256: 602be2353485b1ed7f60e6803141ea1b43441c92755405737c2bec754b0b6178
    SHA512: fa5a411c603eebcb98a83c93a5128b152205402feec2d113139db285cdc2a58e180eade94a3ea8b70d14885ac973b1f454302379ce6e100a2dac583c475a23c1

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yrfo543r.lw2.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize: 481KB
    MD5: 3a2b3c0c0e1dd3e659e5828e3cd3d3b0
    SHA1: afb8d4b22e1d9753246917f7638e4b1a5e659f4c
    SHA256: 383f946dfde5e00c9191421b48433bda4e42bad71589893b89ced7efabb06ad8
    SHA512: 87e948901e42ef331e77b62b61f3721a9a5f4e982159391a55097214fff1579c3ead289c08915dc9d953769012b7c4b799abc36c2d7c05facd436835c9c1a2ca

  • C:\Users\Admin\AppData\Local\Temp\tmp.ps1
    Filesize: 1KB
    MD5: e8902879a8b704e7731cccd432bb7558
    SHA1: 4ddd7e7dce83a8f638cd6aeedb81ea991b4b768b
    SHA256: e3eddbc46654a3e5dfe85188e887d0f6b04473543dfe7befd07af04b900cd78b
    SHA512: 0f3b33bffe327657c003c7d5a28c1e43523deeee16f6146312f2eaf33de9b7ebd873a76cd581010dcc9e31068578665d28dbc85aba6ac6677d6a409c7622b68a

  • memory/1316-39-0x0000000000400000-0x00000000009A4000-memory.dmp
    Filesize: 5.6MB

  • memory/1316-59-0x0000000068840000-0x0000000068EB8000-memory.dmp
    Filesize: 6.5MB

  • memory/2068-15-0x00007FF8585D3000-0x00007FF8585D5000-memory.dmp
    Filesize: 8KB

  • memory/2068-16-0x00007FF8585D0000-0x00007FF859091000-memory.dmp
    Filesize: 10.8MB

  • memory/2068-17-0x00007FF8585D0000-0x00007FF859091000-memory.dmp
    Filesize: 10.8MB

  • memory/2068-19-0x000001D57C970000-0x000001D57C97A000-memory.dmp
    Filesize: 40KB

  • memory/2068-20-0x000001D57C9A0000-0x000001D57C9B2000-memory.dmp
    Filesize: 72KB

  • memory/2068-14-0x00007FF8585D0000-0x00007FF859091000-memory.dmp
    Filesize: 10.8MB

  • memory/2068-1-0x00007FF8585D3000-0x00007FF8585D5000-memory.dmp
    Filesize: 8KB

  • memory/2068-12-0x00007FF8585D0000-0x00007FF859091000-memory.dmp
    Filesize: 10.8MB

  • memory/2068-37-0x00007FF8585D0000-0x00007FF859091000-memory.dmp
    Filesize: 10.8MB

  • memory/2068-7-0x000001D57C630000-0x000001D57C652000-memory.dmp
    Filesize: 136KB