Analysis

  • max time kernel
    92s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/01/2025, 14:59 UTC

General

  • Target

    d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe

  • Size

    1.3MB

  • MD5

    5f38edf8c588efd365f6c82c92d5f0f6

  • SHA1

    6f8ec411858b7410a22401f6c9d6a2a5c45aaa9b

  • SHA256

    d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877

  • SHA512

    7bc7886d3c81421d6d9cdc1cf4ee3af5fea572de578fbc8c42509129b37716de7552e3147a3ac84261c463fe79fb60511eff18d45c3bc3d411905c22389028ef

  • SSDEEP

    24576:Cu6J33O0c+JY5UZ+XC0kGso6FapubMGC8db/ZOid2MNTosdIIDnWY:ku0c++OCvkGs9FapCX0yTnyY

Malware Config

Extracted

  • Family
    remcos
  • Botnet
    RemoteHost
  • C2
    192.3.64.152:2559

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZFXG9Y

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
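How the "Extracted" block above is recovered from a sample, as an added example that is not code from tria.ge or from this report: Remcos keeps its configuration in an RC4-encrypted resource. The layout assumed here (a one-byte key length, the key, then the RC4 ciphertext, with the decrypted fields joined by "|\x1e\x1e\x1f|" or, in older builds, "|cmd|"; field 0 holding the C2 entries as "host:port:password:..." and field 1 the botnet name) follows publicly documented config extractors and is an assumption relative to this page. The sample blob is constructed for the example around the C2 and botnet name reported above; the key and the remaining field values are made up, and no field position beyond the first two is relied on.

```python
"""Decrypt and split a Remcos-style SETTINGS blob.

Added example, not tria.ge code. Layout assumed (from public extractors):
    key_len (1 byte) || key (key_len bytes) || RC4(key, config)
where config = field_0 SEP field_1 SEP ... with SEP = b"|\x1e\x1e\x1f|"
(b"|cmd|" in older builds). Field 0 = C2 list, field 1 = botnet name.
"""
from typing import List

SEPARATORS = (b"|\x1e\x1e\x1f|", b"|cmd|")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(blob: bytes) -> bytes:
    """Strip the length-prefixed key and RC4-decrypt the remainder."""
    if not blob:
        raise ValueError("empty SETTINGS blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("SETTINGS blob shorter than its declared key length")
    key, ciphertext = blob[1:1 + key_len], blob[1 + key_len:]
    return rc4(key, ciphertext)


def split_fields(config: bytes) -> List[bytes]:
    """Split the decrypted config on whichever separator it uses."""
    for sep in SEPARATORS:
        if sep in config:
            return config.split(sep)
    raise ValueError("no known field separator found; not a Remcos config?")


def parse_settings(blob: bytes) -> dict:
    """Return the C2 (host, port) list, the botnet name and the raw fields."""
    fields = split_fields(decrypt_settings(blob))
    c2 = []
    # Several C2 entries are assumed to be joined with \x1e; each is host:port:...
    for entry in fields[0].split(b"\x1e"):
        parts = entry.split(b":")
        if len(parts) >= 2:
            c2.append((parts[0].decode(), int(parts[1].decode())))
    return {"c2": c2, "botnet": fields[1].decode(errors="replace"), "fields": fields}


def build_sample_blob(key: bytes, fields: List[bytes]) -> bytes:
    """Constructed test input: encrypt a config the way the loader stores it."""
    return bytes([len(key)]) + key + rc4(key, SEPARATORS[0].join(fields))


# Constructed sample: C2, botnet name and mutex as reported on this page; the
# key and the field order beyond index 1 are made up for the example.
SAMPLE_BLOB = build_sample_blob(
    b"example-key",
    [b"192.3.64.152:2559:pass:1", b"RemoteHost", b"Rmc-ZFXG9Y", b"logs.dat"],
)

if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_BLOB)
    print(cfg["c2"], cfg["botnet"])
```

Feed decrypt_settings the raw bytes of the RCDATA resource named SETTINGS from an unpacked Remcos payload (for this report that would be the region dumped from svchost.exe PID 3568, not the AutoIt loader itself); the separator check fails loudly rather than returning garbage when the resource is not a Remcos config.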

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Remcos family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe
    "C:\Users\Admin\AppData\Local\Temp\d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Users\Admin\AppData\Local\miaou\derogates.exe
      "C:\Users\Admin\AppData\Local\Temp\d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4316
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3568
        • \??\c:\program files (x86)\internet explorer\iexplore.exe
          "c:\program files (x86)\internet explorer\iexplore.exe"
          4⤵
            PID:1088

    Network

    Every recorded DNS transaction is a reverse (PTR) lookup sent to 8.8.8.8:53. None of the reverse-resolved addresses is the configured C2 (192.3.64.152:2559), and no connection to it is recorded in this report. Sent/Recv are bytes on the wire; Req/Resp are request and response counts.

    PTR query                     Address          Sent   Recv   Req  Resp  Answer
    8.8.8.8.in-addr.arpa          8.8.8.8          66 B   90 B   1    1     dns.google
    196.249.167.52.in-addr.arpa   52.167.249.196   73 B   147 B  1    1     (none)
    8.153.16.2.in-addr.arpa       2.16.153.8       69 B   131 B  1    1     a2-16-153-8.deploy.static.akamaitechnologies.com
    0.159.190.20.in-addr.arpa     20.190.159.0     71 B   157 B  1    1     (none)
    95.221.229.192.in-addr.arpa   192.229.221.95   73 B   144 B  1    1     (none)
    13.86.106.20.in-addr.arpa     20.106.86.13     71 B   157 B  1    1     (none)
    212.20.149.52.in-addr.arpa    52.149.20.212    72 B   146 B  1    1     (none)
    198.187.3.20.in-addr.arpa     20.3.187.198     71 B   157 B  1    1     (none)
    172.214.232.199.in-addr.arpa  199.232.214.172  74 B   128 B  1    1     (none)
    181.129.81.91.in-addr.arpa    91.81.129.181    72 B   147 B  1    1     (none)
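    The process tree and the DNS records above, turned into triage checks, as an added example rather than anything from tria.ge. The events are constructed to mirror this report (the sample in Temp, the copy derogates.exe launched with the sample's command line, a SysWOW64 svchost.exe started by that copy with the same borrowed command line, iexplore.exe under svchost.exe) plus a constructed services.exe/svchost.exe pair as a benign control; the field names pid, ppid, image and cmdline are an assumed schema, not a real sensor's. The reverse-DNS helper decodes the in-addr.arpa names from the Network table and confirms that none of them is the configured C2.

```python
"""Triage checks over the process tree and DNS records of this report.

Added example; not tria.ge code. Events are constructed to mirror the report,
and the field names (pid, ppid, image, cmdline) are an assumed schema.
"""
import ntpath
from typing import Dict, List, Tuple

Event = Dict[str, object]

C2_IP, C2_PORT = "192.3.64.152", 2559   # from the extracted Remcos config above

SAMPLE = "d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)
DROPPED = r"C:\Users\Admin\AppData\Local\miaou\derogates.exe"

# Constructed process-create events modelled on the Processes section, plus a
# constructed services.exe -> svchost.exe pair as a benign control.
PROCESS_EVENTS: List[Event] = [
    {"pid": 4396, "ppid": 1234, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 4316, "ppid": 4396, "image": DROPPED, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 3568, "ppid": 4316, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 1088, "ppid": 3568,
     "image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "cmdline": r'"c:\program files (x86)\internet explorer\iexplore.exe"'},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\services.exe"},
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a double-quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for the drop-and-hollow pattern in the report."""
    by_pid = {int(e["pid"]): e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        pid = int(e["pid"])
        image_path = str(e["image"]).lower()
        image = ntpath.basename(image_path)
        claimed = ntpath.basename(cmdline_image(str(e["cmdline"]))).lower()
        parent = by_pid.get(int(e["ppid"]))
        parent_image = ntpath.basename(str(parent["image"])).lower() if parent else ""
        # 1. Image/command-line mismatch: the process was created with another
        #    binary's command line, the footprint of hollowing (SetThreadContext,
        #    WriteProcessMemory, MapViewOfSection in the signatures above).
        if image != claimed:
            findings.append((pid, f"{image} runs with the command line of {claimed}"))
        # 2. On a healthy host svchost.exe is started only by services.exe.
        if image == "svchost.exe" and parent_image != "services.exe":
            findings.append((pid, f"svchost.exe started by {parent_image or 'unknown'}"))
        # 3. Executable launched from a non-Temp folder under AppData: dropped copy.
        if "\\appdata\\" in image_path and "\\temp\\" not in image_path:
            findings.append((pid, f"dropped executable launched from {image_path}"))
        # 4. A service host has no business launching a browser.
        if image == "iexplore.exe" and parent_image == "svchost.exe":
            findings.append((pid, "iexplore.exe spawned by svchost.exe"))
    return findings


# PTR names exactly as listed in the Network section.
DNS_PTR_QUERIES = [
    "8.8.8.8.in-addr.arpa", "196.249.167.52.in-addr.arpa", "8.153.16.2.in-addr.arpa",
    "0.159.190.20.in-addr.arpa", "95.221.229.192.in-addr.arpa", "13.86.106.20.in-addr.arpa",
    "212.20.149.52.in-addr.arpa", "198.187.3.20.in-addr.arpa",
    "172.214.232.199.in-addr.arpa", "181.129.81.91.in-addr.arpa",
]


def ptr_to_ip(name: str) -> str:
    """Turn d.c.b.a.in-addr.arpa back into a.b.c.d."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(labels[:4]))


def c2_seen_in_dns(queries: List[str], c2_ip: str) -> bool:
    """True if any reverse lookup in the capture targets the configured C2."""
    return any(ptr_to_ip(q) == c2_ip for q in queries)


if __name__ == "__main__":
    for pid, reason in triage(PROCESS_EVENTS):
        print(pid, reason)
    print("C2 in DNS capture:", c2_seen_in_dns(DNS_PTR_QUERIES, C2_IP))
```

    Against these events the checks flag only derogates.exe (PID 4316), the hollowed svchost.exe (PID 3568) and the browser it spawns (PID 1088); the submitted sample running from Temp and the control svchost.exe under services.exe produce nothing. The image/command-line comparison is the check worth carrying into real telemetry: it needs no knowledge of this family and fires on any hollowed process whose creator reused its own command line.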

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cerecloths

      Filesize

      483KB

      MD5

      1feec4959309f93b31ed96bb1c991a90

      SHA1

      65bed2ab9ebce344e29322980c4782ac2921c1d9

      SHA256

      b9e8c2ee4bec14965b15f8e28fce1ba98c3bbd412bcde16dce424d1698df3132

      SHA512

      722513d8cf35ce524576e870a4d6ad9ae59c14bb5aabcbfe17417a3543423b089a63fe867025bcae8427ba4d47bd4c0efe682a9317f1ac35ab768be9fcd80051

    • C:\Users\Admin\AppData\Local\miaou\derogates.exe

      Filesize

      1.3MB

      MD5

      5f38edf8c588efd365f6c82c92d5f0f6

      SHA1

      6f8ec411858b7410a22401f6c9d6a2a5c45aaa9b

      SHA256

      d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877

      SHA512

      7bc7886d3c81421d6d9cdc1cf4ee3af5fea572de578fbc8c42509129b37716de7552e3147a3ac84261c463fe79fb60511eff18d45c3bc3d411905c22389028ef

    • memory/1088-24-0x0000000000E30000-0x0000000000E3E000-memory.dmp

      Filesize

      56KB

    • memory/1088-29-0x0000000000E30000-0x0000000000E3E000-memory.dmp

      Filesize

      56KB

    • memory/1088-28-0x0000000000E30000-0x0000000000E3E000-memory.dmp

      Filesize

      56KB

    • memory/1088-26-0x0000000000E30000-0x0000000000E3E000-memory.dmp

      Filesize

      56KB

    • memory/3568-25-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

    • memory/3568-23-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

    • memory/3568-22-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

    • memory/3568-21-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

    • memory/3568-20-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

    • memory/4316-18-0x0000000000C40000-0x0000000001040000-memory.dmp

      Filesize

      4.0MB

    • memory/4396-6-0x0000000000F00000-0x0000000001300000-memory.dmp

      Filesize

      4.0MB
