
Analysis

  • max time kernel: 149s
  • max time network: 144s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 24/01/2025, 07:01 UTC

General

  • Target: ApiUpdater.exe
  • Size: 469KB
  • MD5: ebf341ab1088ab009a9f9cf06619e616
  • SHA1: a31d5650c010c421fa81733e4841cf1b52d607d9
  • SHA256: 7422bc2c77e70c2e90c27d030a13eb3adf0bcfc1ef2bc55b62871181af5cd955
  • SHA512: 40c1481642f8ad2fed9514d0968a43151a189c61e53d60990183e81c16891cdd7a0983568b2910dc8a9098a408136468cff5660d0607cf06331275937c1f60e1
  • SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSin9:uiLJbpI7I2WhQqZ7i9

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2: else-directors.gl.at.ply.gg:56448

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: $77-Bitdefender.exe
  • copy_folder: Bitdefender
  • delete_file: true
  • hide_file: true
  • hide_keylog_file: false
  • install_flag: true
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-Z3DS2J
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: VisualStudioServer
  • take_screenshot_option: false
  • take_screenshot_time: 5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • UAC bypass 3 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ApiUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\ApiUpdater.exe"
    1⤵
    • Adds policy Run key to start application
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2524
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\ProgramData\Bitdefender\$77-Bitdefender.exe
          C:\ProgramData\Bitdefender\$77-Bitdefender.exe
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\SysWOW64\cmd.exe
            /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • UAC bypass
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2864
          • \??\c:\program files (x86)\internet explorer\iexplore.exe
            "c:\program files (x86)\internet explorer\iexplore.exe"
            5⤵
            • Adds policy Run key to start application
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\cmd.exe
              /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2644
              • C:\Windows\SysWOW64\reg.exe
                C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                7⤵
                • UAC bypass
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:2608
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2868

Network

  • DNS query by iexplore.exe to 8.8.8.8:53
    Request: else-directors.gl.at.ply.gg IN A
    Response: else-directors.gl.at.ply.gg IN A 147.185.221.23
  • 147.185.221.23:56448 (else-directors.gl.at.ply.gg), iexplore.exe, 152 B, 3
  • 147.185.221.23:56448 (else-directors.gl.at.ply.gg), iexplore.exe, 152 B, 3
  • 147.185.221.23:56448 (else-directors.gl.at.ply.gg), iexplore.exe, 152 B, 3
  • 147.185.221.23:56448 (else-directors.gl.at.ply.gg), iexplore.exe, 152 B, 3
  • 147.185.221.23:56448 (else-directors.gl.at.ply.gg), iexplore.exe, 152 B, 3
  • 147.185.221.23:56448 (else-directors.gl.at.ply.gg), iexplore.exe, 152 B, 3
  • 147.185.221.23:56448 (else-directors.gl.at.ply.gg), iexplore.exe, 152 B, 3
  • 8.8.8.8:53 (else-directors.gl.at.ply.gg), dns, iexplore.exe, 73 B / 89 B, 1 / 1
    DNS Request: else-directors.gl.at.ply.gg
    DNS Response: 147.185.221.23

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.vbs
    Filesize: 546B
    MD5: b589da137125da0d605bf425b360e9b7
    SHA1: 091b07b800133033ba4ba930a7acb4559c0df6f5
    SHA256: a9b357b7a182158e54e22ce3e78a6ffaaa5bb25b08717d69d591a92429d39bac
    SHA512: 2bf73d9c2f573c714f7325d6ca279c0c1b2b8e90b7457caafa6174319df0490710affc25b6c185e5730bfd31c9e0539e51e35ac625a5c6d990ca8552e3a53de0

  • \ProgramData\Bitdefender\$77-Bitdefender.exe
    Filesize: 469KB
    MD5: ebf341ab1088ab009a9f9cf06619e616
    SHA1: a31d5650c010c421fa81733e4841cf1b52d607d9
    SHA256: 7422bc2c77e70c2e90c27d030a13eb3adf0bcfc1ef2bc55b62871181af5cd955
    SHA512: 40c1481642f8ad2fed9514d0968a43151a189c61e53d60990183e81c16891cdd7a0983568b2910dc8a9098a408136468cff5660d0607cf06331275937c1f60e1

  • memory/2616-26-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-32-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-14-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2616-17-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-37-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-36-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-35-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-34-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-28-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-16-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-27-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-25-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-29-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-30-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-31-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-13-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2616-33-0x0000000000090000-0x000000000010F000-memory.dmp (Filesize: 508KB)
  • memory/2868-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2868-21-0x0000000000160000-0x00000000001DF000-memory.dmp (Filesize: 508KB)
  • memory/2868-22-0x0000000000160000-0x00000000001DF000-memory.dmp (Filesize: 508KB)
  • memory/2868-24-0x0000000000160000-0x00000000001DF000-memory.dmp (Filesize: 508KB)
