Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/01/2025, 05:10
Behavioral task: behavioral1
Sample: c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe
Resource: win10v2004-20241007-en
General
Target: c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe
Size: 900KB
MD5: be20dfffcba37064d6087aa714036873
SHA1: 4f50f7f954ed27b8e3373a5d900905d98d1bb51e
SHA256: c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0
SHA512: 955a14d104edf528cd3d1f140181e6222cc1f88c8f1fb0a6a60fa0d37962b34c535a29e45ba029cf8daa039df06d25b26689feb600fb8b499fe46de0b3bf4696
SSDEEP: 24576:0rl6kD68JmlotQf1nQr8zKS7ifTcvt2S3Sc1YNTN:Cl328U2yfuo2hfwvtJCxT
Malware Config
Extracted family: remcos
RemoteHost: 192.210.150.26:3678
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-MKYDDH
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Remcos family

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs | Milburr.exe

Executes dropped EXE (2 IoCs)
pid | Process
4072 | Milburr.exe
3272 | Milburr.exe

AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2512-19-0x0000000000730000-0x000000000091E000-memory.dmp | autoit_exe
behavioral2/memory/4072-33-0x0000000000FA0000-0x00000000013A0000-memory.dmp | autoit_exe
behavioral2/memory/3272-38-0x0000000000C60000-0x0000000000E4E000-memory.dmp | autoit_exe
behavioral2/memory/4072-37-0x0000000000C60000-0x0000000000E4E000-memory.dmp | autoit_exe
behavioral2/memory/3272-65-0x0000000000C60000-0x0000000000E4E000-memory.dmp | autoit_exe
behavioral2/memory/3272-66-0x00000000017E0000-0x0000000001BE0000-memory.dmp | autoit_exe

resource | yara_rule
behavioral2/memory/2512-0-0x0000000000730000-0x000000000091E000-memory.dmp | upx
behavioral2/files/0x000a000000023b83-15.dat | upx
behavioral2/memory/4072-16-0x0000000000C60000-0x0000000000E4E000-memory.dmp | upx
behavioral2/memory/2512-19-0x0000000000730000-0x000000000091E000-memory.dmp | upx
behavioral2/memory/3272-38-0x0000000000C60000-0x0000000000E4E000-memory.dmp | upx
behavioral2/memory/4072-37-0x0000000000C60000-0x0000000000E4E000-memory.dmp | upx
behavioral2/memory/3272-65-0x0000000000C60000-0x0000000000E4E000-memory.dmp | upx

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Milburr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Milburr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe

Suspicious use of FindShellTrayWindow (6 IoCs)
pid | Process
2512 | c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe
2512 | c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe
4072 | Milburr.exe
4072 | Milburr.exe
3272 | Milburr.exe
3272 | Milburr.exe

Suspicious use of SendNotifyMessage (6 IoCs)
pid | Process
2512 | c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe
2512 | c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe
4072 | Milburr.exe
4072 | Milburr.exe
3272 | Milburr.exe
3272 | Milburr.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2512 wrote to memory of 4072 | 2512 | c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe | 82
PID 2512 wrote to memory of 4072 | 2512 | c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe | 82
PID 2512 wrote to memory of 4072 | 2512 | c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe | 82
PID 4072 wrote to memory of 3272 | 4072 | Milburr.exe | 83
PID 4072 wrote to memory of 3272 | 4072 | Milburr.exe | 83
PID 4072 wrote to memory of 3272 | 4072 | Milburr.exe | 83
Processes

1. C:\Users\Admin\AppData\Local\Temp\c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe"
   PID: 2512
   Signatures:
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\obtenebrate\Milburr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe"
      PID: 4072
      Signatures:
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\obtenebrate\Milburr.exe
         Command line: "C:\Users\Admin\AppData\Local\obtenebrate\Milburr.exe"
         PID: 3272
         Signatures:
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: 446426af783773ce524c85d356f67ae0
SHA1: 04a83c60136fe6265d32c643ed5139ab9c9ea505
SHA256: 19b923c3dfa4aba9956127e0c3c20435954ab66dfbc7da827a87b88f34df0d1e
SHA512: a68c94ef7f3f48cb7246e382d6acdfd399bc7a0ca919cb1c6914c3f81aec81e02b11606cd46957455b9b1ed69eb589c1a2bce0e23d3f2e09cfc6408810991d14

Filesize: 481KB
MD5: e8f92d99524eff3de429c3718b7a1491
SHA1: b0c6f6a240841e77e7d20f99b379a9c6ee35d85b
SHA256: 894cb71ad99ff88b5c93218788de1d133b4d0404d4996f7e5d3255209322f6e9
SHA512: 4cf796747db21c4eb2cda23fb79e184c49b62b2e84e15b669a0025224991e4f9e0e261c6e03a12dd8b5e6b105d2aa7e8e652aa3f4863cec73a88bc02906c17d6

Filesize: 404KB
MD5: df6ce24c1d936b4b56dcd548def18b8d
SHA1: bb8cca79e83c81605fe2b2ffcfb657612fd798a1
SHA256: fed7b359f763f28d9e01bb5f6c734a29f17a67ae34161f4053ddac0407f52610
SHA512: 7aea698b0a2c06812fbe00d0315af7ba18c15ae572c2ef7088db28ce3a5b6ab122ce4e711e8fe20d7763a47e8591afb248a02b55d5059f49f06b3201918648e8

Filesize: 14KB
MD5: 00360588750369bc243ed68948507859
SHA1: 861af2e9e7e94f3fbabb95259d86f2a93c4eddb3
SHA256: 71e5d5e454b65c35189f3cc57c5923678f53758420abf6c3975a0e188fb8d855
SHA512: c8b360b472a1e0cb8957afce1ec644d465eb087b28328d7b3d3c88b3c2870ca885d42d66c9cfaeae2347d02a87e47da645a92f16c6140ceb036df147f91d51df

Filesize: 140KB
MD5: b98ee815fe928b457a8ca6290ca38293
SHA1: b2a6929d5a5b461ad3aa6a8ed873f2e5fc106fd5
SHA256: d1de55cc4b804a902cd9ecbc8c4658586a9b85d4a26f147e49ca17406ebe5c6b
SHA512: 2964c872a41ddac596490be2c9b4797ee97294503d509ea8e6b8fc8d43336bf2896189af88c8a225bb3e59f4127bc7cb81b9c05ed927b813aeb04de4f80af5bb

Filesize: 900KB
MD5: be20dfffcba37064d6087aa714036873
SHA1: 4f50f7f954ed27b8e3373a5d900905d98d1bb51e
SHA256: c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0
SHA512: 955a14d104edf528cd3d1f140181e6222cc1f88c8f1fb0a6a60fa0d37962b34c535a29e45ba029cf8daa039df06d25b26689feb600fb8b499fe46de0b3bf4696