Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/01/2025, 07:01

General

  • Target

    ApiUpdater.exe

  • Size

    469KB

  • MD5

    ebf341ab1088ab009a9f9cf06619e616

  • SHA1

    a31d5650c010c421fa81733e4841cf1b52d607d9

  • SHA256

    7422bc2c77e70c2e90c27d030a13eb3adf0bcfc1ef2bc55b62871181af5cd955

  • SHA512

    40c1481642f8ad2fed9514d0968a43151a189c61e53d60990183e81c16891cdd7a0983568b2910dc8a9098a408136468cff5660d0607cf06331275937c1f60e1

  • SSDEEP

    12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSin9:uiLJbpI7I2WhQqZ7i9

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

else-directors.gl.at.ply.gg:56448

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    $77-Bitdefender.exe

  • copy_folder

    Bitdefender

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-Z3DS2J

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    VisualStudioServer

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • UAC bypass 3 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ApiUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\ApiUpdater.exe"
    1⤵
    • Adds policy Run key to start application
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2524
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\ProgramData\Bitdefender\$77-Bitdefender.exe
          C:\ProgramData\Bitdefender\$77-Bitdefender.exe
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\SysWOW64\cmd.exe
            /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • UAC bypass
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2864
          • \??\c:\program files (x86)\internet explorer\iexplore.exe
            "c:\program files (x86)\internet explorer\iexplore.exe"
            5⤵
            • Adds policy Run key to start application
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\cmd.exe
              /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2644
              • C:\Windows\SysWOW64\reg.exe
                C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                7⤵
                • UAC bypass
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:2608
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.vbs

    Filesize

    546B

    MD5

    b589da137125da0d605bf425b360e9b7

    SHA1

    091b07b800133033ba4ba930a7acb4559c0df6f5

    SHA256

    a9b357b7a182158e54e22ce3e78a6ffaaa5bb25b08717d69d591a92429d39bac

    SHA512

    2bf73d9c2f573c714f7325d6ca279c0c1b2b8e90b7457caafa6174319df0490710affc25b6c185e5730bfd31c9e0539e51e35ac625a5c6d990ca8552e3a53de0

  • \ProgramData\Bitdefender\$77-Bitdefender.exe

    Filesize

    469KB

    MD5

    ebf341ab1088ab009a9f9cf06619e616

    SHA1

    a31d5650c010c421fa81733e4841cf1b52d607d9

    SHA256

    7422bc2c77e70c2e90c27d030a13eb3adf0bcfc1ef2bc55b62871181af5cd955

    SHA512

    40c1481642f8ad2fed9514d0968a43151a189c61e53d60990183e81c16891cdd7a0983568b2910dc8a9098a408136468cff5660d0607cf06331275937c1f60e1

  • memory/2616-26-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-32-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-14-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2616-17-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-37-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-36-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-35-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-34-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-28-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-16-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-27-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-25-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-29-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-30-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-31-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-13-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2616-33-0x0000000000090000-0x000000000010F000-memory.dmp

    Filesize

    508KB

  • memory/2868-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2868-21-0x0000000000160000-0x00000000001DF000-memory.dmp

    Filesize

    508KB

  • memory/2868-22-0x0000000000160000-0x00000000001DF000-memory.dmp

    Filesize

    508KB

  • memory/2868-24-0x0000000000160000-0x00000000001DF000-memory.dmp

    Filesize

    508KB