Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24/01/2025, 07:01 UTC
Behavioral task
behavioral1
Sample
ApiUpdater.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ApiUpdater.exe
Resource
win10v2004-20241007-en
General
-
Target
ApiUpdater.exe
-
Size
469KB
-
MD5
ebf341ab1088ab009a9f9cf06619e616
-
SHA1
a31d5650c010c421fa81733e4841cf1b52d607d9
-
SHA256
7422bc2c77e70c2e90c27d030a13eb3adf0bcfc1ef2bc55b62871181af5cd955
-
SHA512
40c1481642f8ad2fed9514d0968a43151a189c61e53d60990183e81c16891cdd7a0983568b2910dc8a9098a408136468cff5660d0607cf06331275937c1f60e1
-
SSDEEP
12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSin9:uiLJbpI7I2WhQqZ7i9
Malware Config
Extracted
remcos
RemoteHost
else-directors.gl.at.ply.gg:56448
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
$77-Bitdefender.exe
-
copy_folder
Bitdefender
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-Z3DS2J
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
VisualStudioServer
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
UAC bypass 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Adds policy Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ApiUpdater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" ApiUpdater.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run $77-Bitdefender.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" $77-Bitdefender.exe -
Deletes itself 1 IoCs
pid Process 2788 WScript.exe -
Executes dropped EXE 1 IoCs
pid Process 2808 $77-Bitdefender.exe -
Loads dropped DLL 4 IoCs
pid Process 2716 cmd.exe 2716 cmd.exe 2808 $77-Bitdefender.exe 2808 $77-Bitdefender.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" $77-Bitdefender.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" ApiUpdater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" ApiUpdater.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\"" $77-Bitdefender.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2808 set thread context of 2616 2808 $77-Bitdefender.exe 38 PID 2616 set thread context of 2868 2616 iexplore.exe 43 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ApiUpdater.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language $77-Bitdefender.exe -
Modifies registry key 1 TTPs 3 IoCs
pid Process 2524 reg.exe 2864 reg.exe 2608 reg.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2808 $77-Bitdefender.exe 2616 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2288 wrote to memory of 2340 2288 ApiUpdater.exe 30 PID 2288 wrote to memory of 2340 2288 ApiUpdater.exe 30 PID 2288 wrote to memory of 2340 2288 ApiUpdater.exe 30 PID 2288 wrote to memory of 2340 2288 ApiUpdater.exe 30 PID 2288 wrote to memory of 2340 2288 ApiUpdater.exe 30 PID 2288 wrote to memory of 2340 2288 ApiUpdater.exe 30 PID 2288 wrote to memory of 2340 2288 ApiUpdater.exe 30 PID 2340 wrote to memory of 2524 2340 cmd.exe 32 PID 2340 wrote to memory of 2524 2340 cmd.exe 32 PID 2340 wrote to memory of 2524 2340 cmd.exe 32 PID 2340 wrote to memory of 2524 2340 cmd.exe 32 PID 2340 wrote to memory of 2524 2340 cmd.exe 32 PID 2340 wrote to memory of 2524 2340 cmd.exe 32 PID 2340 wrote to memory of 2524 2340 cmd.exe 32 PID 2288 wrote to memory of 2788 2288 ApiUpdater.exe 33 PID 2288 wrote to memory of 2788 2288 ApiUpdater.exe 33 PID 2288 wrote to memory of 2788 2288 ApiUpdater.exe 33 PID 2288 wrote to memory of 2788 2288 ApiUpdater.exe 33 PID 2288 wrote to memory of 2788 2288 ApiUpdater.exe 33 PID 2288 wrote to memory of 2788 2288 ApiUpdater.exe 33 PID 2288 wrote to memory of 2788 2288 ApiUpdater.exe 33 PID 2788 wrote to memory of 2716 2788 WScript.exe 34 PID 2788 wrote to memory of 2716 2788 WScript.exe 34 PID 2788 wrote to memory of 2716 2788 WScript.exe 34 PID 2788 wrote to memory of 2716 2788 WScript.exe 34 PID 2788 wrote to memory of 2716 2788 WScript.exe 34 PID 2788 wrote to memory of 2716 2788 WScript.exe 34 PID 2788 wrote to memory of 2716 2788 WScript.exe 34 PID 2716 wrote to memory of 2808 2716 cmd.exe 36 PID 2716 wrote to memory of 2808 2716 cmd.exe 36 PID 2716 wrote to memory of 2808 2716 cmd.exe 36 PID 2716 wrote to memory of 2808 2716 cmd.exe 36 PID 2716 wrote to memory of 2808 2716 cmd.exe 36 PID 2716 wrote to memory of 2808 2716 cmd.exe 36 PID 2716 wrote to memory of 2808 2716 cmd.exe 36 PID 2808 wrote to memory of 2744 2808 $77-Bitdefender.exe 37 PID 2808 wrote to memory of 2744 2808 $77-Bitdefender.exe 37 PID 2808 wrote to memory of 2744 2808 $77-Bitdefender.exe 37 PID 2808 wrote to memory of 2744 2808 $77-Bitdefender.exe 37 PID 2808 wrote to memory of 2744 2808 $77-Bitdefender.exe 37 PID 2808 wrote to memory of 2744 2808 $77-Bitdefender.exe 37 PID 2808 wrote to memory of 2744 2808 $77-Bitdefender.exe 37 PID 2808 wrote to memory of 2616 2808 $77-Bitdefender.exe 38 PID 2808 wrote to memory of 2616 2808 $77-Bitdefender.exe 38 PID 2808 wrote to memory of 2616 2808 $77-Bitdefender.exe 38 PID 2808 wrote to memory of 2616 2808 $77-Bitdefender.exe 38 PID 2808 wrote to memory of 2616 2808 $77-Bitdefender.exe 38 PID 2808 wrote to memory of 2616 2808 $77-Bitdefender.exe 38 PID 2808 wrote to memory of 2616 2808 $77-Bitdefender.exe 38 PID 2808 wrote to memory of 2616 2808 $77-Bitdefender.exe 38 PID 2616 wrote to memory of 2644 2616 iexplore.exe 40 PID 2616 wrote to memory of 2644 2616 iexplore.exe 40 PID 2616 wrote to memory of 2644 2616 iexplore.exe 40 PID 2616 wrote to memory of 2644 2616 iexplore.exe 40 PID 2616 wrote to memory of 2644 2616 iexplore.exe 40 PID 2616 wrote to memory of 2644 2616 iexplore.exe 40 PID 2616 wrote to memory of 2644 2616 iexplore.exe 40 PID 2744 wrote to memory of 2864 2744 cmd.exe 41 PID 2744 wrote to memory of 2864 2744 cmd.exe 41 PID 2744 wrote to memory of 2864 2744 cmd.exe 41 PID 2744 wrote to memory of 2864 2744 cmd.exe 41 PID 2744 wrote to memory of 2864 2744 cmd.exe 41 PID 2744 wrote to memory of 2864 2744 cmd.exe 41 PID 2744 wrote to memory of 2864 2744 cmd.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\ApiUpdater.exe"C:\Users\Admin\AppData\Local\Temp\ApiUpdater.exe"1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2524
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\ProgramData\Bitdefender\$77-Bitdefender.exeC:\ProgramData\Bitdefender\$77-Bitdefender.exe4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2864
-
-
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"5⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f7⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2608
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe6⤵
- System Location Discovery: System Language Discovery
PID:2868
-
-
-
-
-
Network
-
Remote address:8.8.8.8:53Requestelse-directors.gl.at.ply.ggIN AResponseelse-directors.gl.at.ply.ggIN A147.185.221.23
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
546B
MD5b589da137125da0d605bf425b360e9b7
SHA1091b07b800133033ba4ba930a7acb4559c0df6f5
SHA256a9b357b7a182158e54e22ce3e78a6ffaaa5bb25b08717d69d591a92429d39bac
SHA5122bf73d9c2f573c714f7325d6ca279c0c1b2b8e90b7457caafa6174319df0490710affc25b6c185e5730bfd31c9e0539e51e35ac625a5c6d990ca8552e3a53de0
-
Filesize
469KB
MD5ebf341ab1088ab009a9f9cf06619e616
SHA1a31d5650c010c421fa81733e4841cf1b52d607d9
SHA2567422bc2c77e70c2e90c27d030a13eb3adf0bcfc1ef2bc55b62871181af5cd955
SHA51240c1481642f8ad2fed9514d0968a43151a189c61e53d60990183e81c16891cdd7a0983568b2910dc8a9098a408136468cff5660d0607cf06331275937c1f60e1