Analysis
max time kernel: 149s
max time network: 140s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 09/01/2025, 18:14
Static task: static1

General
Target: TNT invoice 9.26.2024 .exe
Size: 881KB
MD5: 7afd5be4b77090388ddecb8169cf0bc3
SHA1: d3b6ba2e53aed1471c12196c577b7be56d14cf2f
SHA256: 68a4b0d743c427d59d076376e5c3a131ee7ab29cdc959b8872735c06b70b7036
SHA512: 2f16fce3f75bce88c79286f41010d76691fe0fab37c4fad814867b819c60c81fe4dff17ad722952cc6c7a7d99aaec75d51d2fd16350babb8d3388e11d2236a06
SSDEEP: 24576:VE8AE9lxicGLP0CDyB/1FNlUcDos713jb:VExsxiTVe1F/UcDosVb
Malware Config
Extracted: remcos
IRN
irnserv1.ddns.net:4424
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-CA8761
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Remcos family

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  1888 | powershell.exe
  2828 | powershell.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation | TNT invoice 9.26.2024 .exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation | TNT invoice 9.26.2024 .exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation | remcos.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  1572 | remcos.exe
  3344 | remcos.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | TNT invoice 9.26.2024 .exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | TNT invoice 9.26.2024 .exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | remcos.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | remcos.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 60 set thread context of 4216 | 60 | TNT invoice 9.26.2024 .exe | 98
  PID 1572 set thread context of 3344 | 1572 | remcos.exe | 105

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TNT invoice 9.26.2024 .exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TNT invoice 9.26.2024 .exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  5100 | schtasks.exe
  3812 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  60 | TNT invoice 9.26.2024 .exe (6 entries)
  2828 | powershell.exe (2 entries)
  1888 | powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (45 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 60 | TNT invoice 9.26.2024 .exe
  Token: SeDebugPrivilege | 2828 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2828 | powershell.exe
  Token: SeSecurityPrivilege | 2828 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2828 | powershell.exe
  Token: SeLoadDriverPrivilege | 2828 | powershell.exe
  Token: SeSystemProfilePrivilege | 2828 | powershell.exe
  Token: SeSystemtimePrivilege | 2828 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2828 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2828 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2828 | powershell.exe
  Token: SeBackupPrivilege | 2828 | powershell.exe
  Token: SeRestorePrivilege | 2828 | powershell.exe
  Token: SeShutdownPrivilege | 2828 | powershell.exe
  Token: SeDebugPrivilege | 2828 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2828 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2828 | powershell.exe
  Token: SeUndockPrivilege | 2828 | powershell.exe
  Token: SeManageVolumePrivilege | 2828 | powershell.exe
  Token: 33 | 2828 | powershell.exe
  Token: 34 | 2828 | powershell.exe
  Token: 35 | 2828 | powershell.exe
  Token: 36 | 2828 | powershell.exe
  Token: SeDebugPrivilege | 1888 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 1888 | powershell.exe
  Token: SeSecurityPrivilege | 1888 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 1888 | powershell.exe
  Token: SeLoadDriverPrivilege | 1888 | powershell.exe
  Token: SeSystemProfilePrivilege | 1888 | powershell.exe
  Token: SeSystemtimePrivilege | 1888 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 1888 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 1888 | powershell.exe
  Token: SeCreatePagefilePrivilege | 1888 | powershell.exe
  Token: SeBackupPrivilege | 1888 | powershell.exe
  Token: SeRestorePrivilege | 1888 | powershell.exe
  Token: SeShutdownPrivilege | 1888 | powershell.exe
  Token: SeDebugPrivilege | 1888 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 1888 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 1888 | powershell.exe
  Token: SeUndockPrivilege | 1888 | powershell.exe
  Token: SeManageVolumePrivilege | 1888 | powershell.exe
  Token: 33 | 1888 | powershell.exe
  Token: 34 | 1888 | powershell.exe
  Token: 35 | 1888 | powershell.exe
  Token: 36 | 1888 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3344 | remcos.exe

Suspicious use of WriteProcessMemory (48 IoCs)
  description | pid | Process | procid_target
  PID 60 wrote to memory of 2828 | 60 | TNT invoice 9.26.2024 .exe | 91 (3 entries)
  PID 60 wrote to memory of 5100 | 60 | TNT invoice 9.26.2024 .exe | 93 (3 entries)
  PID 60 wrote to memory of 4192 | 60 | TNT invoice 9.26.2024 .exe | 95 (3 entries)
  PID 60 wrote to memory of 4136 | 60 | TNT invoice 9.26.2024 .exe | 96 (3 entries)
  PID 60 wrote to memory of 2388 | 60 | TNT invoice 9.26.2024 .exe | 97 (3 entries)
  PID 60 wrote to memory of 4216 | 60 | TNT invoice 9.26.2024 .exe | 98 (12 entries)
  PID 4216 wrote to memory of 1572 | 4216 | TNT invoice 9.26.2024 .exe | 99 (3 entries)
  PID 1572 wrote to memory of 1888 | 1572 | remcos.exe | 101 (3 entries)
  PID 1572 wrote to memory of 3812 | 1572 | remcos.exe | 103 (3 entries)
  PID 1572 wrote to memory of 3344 | 1572 | remcos.exe | 105 (12 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe"
  PID: 60
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GLFzLcBn.exe"
    PID: 2828
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLFzLcBn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF6A4.tmp"
    PID: 5100
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe"
    PID: 4192

  C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe"
    PID: 4136

  C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe"
    PID: 2388

  C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe"
    PID: 4216
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\Remcos\remcos.exe
      Command line: "C:\ProgramData\Remcos\remcos.exe"
      PID: 1572
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GLFzLcBn.exe"
        PID: 1888
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLFzLcBn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D74.tmp"
        PID: 3812
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

      C:\ProgramData\Remcos\remcos.exe
        Command line: "C:\ProgramData\Remcos\remcos.exe"
        PID: 3344
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads

Filesize: 144B
MD5: 434ad60812b2cb1d325cfee0ded9f6b4
SHA1: adcd8390170d94e0d1d9dec1326a0d78b3ef3e42
SHA256: 8a70b1e70798253580946064bbb204a913ccd3b123a5205bf16f1176c80f1ebf
SHA512: 56241385a1e14a95f45ff774b36a36d7328d7efd750494153a61f8379190c57b60b7a0b60f5c90ac86db0d044065bb7e7010b9bb65733e8bfb16fd1e1a96319a

Filesize: 881KB
MD5: 7afd5be4b77090388ddecb8169cf0bc3
SHA1: d3b6ba2e53aed1471c12196c577b7be56d14cf2f
SHA256: 68a4b0d743c427d59d076376e5c3a131ee7ab29cdc959b8872735c06b70b7036
SHA512: 2f16fce3f75bce88c79286f41010d76691fe0fab37c4fad814867b819c60c81fe4dff17ad722952cc6c7a7d99aaec75d51d2fd16350babb8d3388e11d2236a06

Filesize: 2KB
MD5: f9349064c7c8f8467cc12d78a462e5f9
SHA1: 5e1d27fc64751cd8c0e9448ee47741da588b3484
SHA256: 883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b
SHA512: 3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf

Filesize: 21KB
MD5: bed47656915cd7ff7ba11120b5bbb195
SHA1: ec415f01efcc1751984e7564ad95dd422aae27ef
SHA256: 5bbfd8fb7cb002c0c55897ed8055dccc44e2d4024f69c88daa4ee0387db2aa71
SHA512: c7dc292d610526fab71717c417d15cefb1ae5239425e0e7f1da82f9307066431d0ef6e47d641acf17bfdb2cad8af38fd9bafed03e23ea8013c3d7d7926aed8ee

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: 99ea069363cc8a6198962c359d662ac9
SHA1: 88153c7f272c85e62cdd00aabb4328dc4e0fe5df
SHA256: 358ec15f1cd292e738b2c9a4ddd1975f06320b8faf407cb97b0656c5888b18b8
SHA512: 834cce5e350c9a77f85d5d75270df1d72f7623f1ec6da1dde6f5fec4f9631b779589ec1aa2bf79f1c4c8b4e81553f52954200dd71d834b739f01d413e973af7a