Analysis
  max time kernel: 298s
  max time network: 299s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/01/2025, 10:51
Static task: static1
Behavioral task: behavioral1
Sample: NOTIFICACION JURIDICA/NOTIFICACION JURIDICA FISCAL POR ABUSO DE CONFIANZA.js
Resource: win7-20240729-en
General
  Target: NOTIFICACION JURIDICA/NOTIFICACION JURIDICA FISCAL POR ABUSO DE CONFIANZA.js
  Size: 3.7MB
  MD5: 227a0b4511190f239ad8a6f1ec17bf4d
  SHA1: d431266d6bf66c619f8b0f7e5cd8df04cdd24bf2
  SHA256: c65ee21bdb16755d9ccb650e501f9f4af4ce795347c91b3645ffa71965412a5f
  SHA512: 338fd098c94625589547fdc50b126a5c95595fbc5f379c6a3ca9d646f35d4f002eb4c01be0fd7f48ebecbbcfb8ac7d2775dcfb6ee48abbfe79da61490538c29b
  SSDEEP: 384:TnLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLznLD:PvvvvvvvvvvvvvvvvvvD
Malware Config

Extracted
  Family: remcos
  Botnet: 2025
  C2: masterrechargeel.kozow.com:6565

  audio_folder: MicRecords
  audio_path: ApplicationPath
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  mouse_option: false
  mutex: Rmc-FI6YA9
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  take_screenshot_option: false
  take_screenshot_time: 5
Signatures

- Remcos family

- Blocklisted process makes network request (2 IoCs)
    flow  pid   Process
    3     4248  wscript.exe
    7     2068  powershell.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
    description  ioc                                                                                                   Process
    Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  wscript.exe

- Executes dropped EXE (2 IoCs)
    pid   Process
    1316  CiscoCollabHost.exe
    4636  svchost.exe

- Loads dropped DLL (2 IoCs)
    pid   Process
    1316  CiscoCollabHost.exe
    1316  CiscoCollabHost.exe

- Command and Scripting Interpreter: JavaScript (1 TTPs)
    pid   Process
    2068  powershell.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                       Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe

- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid   Process
    1584  schtasks.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid   Process
    2068  powershell.exe (4 occurrences)
    1316  CiscoCollabHost.exe (60 occurrences)

- Suspicious behavior: LoadsDriver (2 IoCs)
    pid  Process
    664  Process not Found
    664  Process not Found

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description               pid   Process
    Token: SeDebugPrivilege   2068  powershell.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
    description                   pid   Process              procid_target
    PID 4248 wrote to memory of 2068  4248  wscript.exe          83
    PID 4248 wrote to memory of 2068  4248  wscript.exe          83
    PID 2068 wrote to memory of 1316  2068  powershell.exe       88
    PID 2068 wrote to memory of 1316  2068  powershell.exe       88
    PID 1316 wrote to memory of 4052  1316  CiscoCollabHost.exe  94
    PID 1316 wrote to memory of 4052  1316  CiscoCollabHost.exe  94
    PID 4052 wrote to memory of 1584  4052  cmd.exe              96
    PID 4052 wrote to memory of 1584  4052  cmd.exe              96
    PID 1316 wrote to memory of 4636  1316  CiscoCollabHost.exe  97
    PID 1316 wrote to memory of 4636  1316  CiscoCollabHost.exe  97
    PID 1316 wrote to memory of 4636  1316  CiscoCollabHost.exe  97

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\NOTIFICACION JURIDICA\NOTIFICACION JURIDICA FISCAL POR ABUSO DE CONFIANZA.js"
   PID: 4248
   - Blocklisted process makes network request
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp.ps1"
      PID: 2068
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Extracted\CiscoCollabHost.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Extracted\CiscoCollabHost.exe"
         PID: 1316
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c schtasks /create /tn "Yscu4QXOumPMgkVtT" /tr "C:\Users\Admin\AppData\Roaming\CiscoCollabHost.exe" /sc onlogon /rl highest /f
            PID: 4052
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\schtasks.exe
               Command line: schtasks /create /tn "Yscu4QXOumPMgkVtT" /tr "C:\Users\Admin\AppData\Roaming\CiscoCollabHost.exe" /sc onlogon /rl highest /f
               PID: 1584
               - Scheduled Task/Job: Scheduled Task

         4. C:\Users\Admin\AppData\Local\Temp\svchost.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            PID: 4636
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 121KB
  MD5: 9c521a90653df5d1efbd0cea12318863
  SHA1: ec2afaf10b78dabfead9e9e485d454789c244188
  SHA256: 85bcfc9de06bd0751245ad882f7e2141f340cdedefcaefb8deabbc0792088a58
  SHA512: d1bbb5e07e7df5fe6da9786ecee06c0dfd9e46067de48a139323aa045f81139b78404c4f3f77b1f6f58c3b11d1edf88d0c06ad42fcf7482436367f2444e6152e

- Filesize: 2.6MB
  MD5: e2e01305e938ea378a88658d81c0917f
  SHA1: 6b3dc7e13347f6fadadc2dbac7d3a3927d9e2aa6
  SHA256: 29c3c48f4dc84e7179881bc3767546878b2db89d418372f687edbd4a72ef0989
  SHA512: 5620ea58d2a7da0fe5d352ea1fe82e76ed84c31b2ae97b28a3ab3b25268f21c0a8eef8ca7baa05ab0f2c80a8125fc7e2441065eda11259b1f636be7b3d6c202d

- Filesize: 6.4MB
  MD5: f422d060f14e7dc67f89030644d0eab5
  SHA1: 088317ad52c714ecac114dff31a05f1e5a45e351
  SHA256: 602be2353485b1ed7f60e6803141ea1b43441c92755405737c2bec754b0b6178
  SHA512: fa5a411c603eebcb98a83c93a5128b152205402feec2d113139db285cdc2a58e180eade94a3ea8b70d14885ac973b1f454302379ce6e100a2dac583c475a23c1

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 481KB
  MD5: 3a2b3c0c0e1dd3e659e5828e3cd3d3b0
  SHA1: afb8d4b22e1d9753246917f7638e4b1a5e659f4c
  SHA256: 383f946dfde5e00c9191421b48433bda4e42bad71589893b89ced7efabb06ad8
  SHA512: 87e948901e42ef331e77b62b61f3721a9a5f4e982159391a55097214fff1579c3ead289c08915dc9d953769012b7c4b799abc36c2d7c05facd436835c9c1a2ca

- Filesize: 1KB
  MD5: e8902879a8b704e7731cccd432bb7558
  SHA1: 4ddd7e7dce83a8f638cd6aeedb81ea991b4b768b
  SHA256: e3eddbc46654a3e5dfe85188e887d0f6b04473543dfe7befd07af04b900cd78b
  SHA512: 0f3b33bffe327657c003c7d5a28c1e43523deeee16f6146312f2eaf33de9b7ebd873a76cd581010dcc9e31068578665d28dbc85aba6ac6677d6a409c7622b68a