Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/02/2025, 07:02
Static task
static1
Behavioral task
behavioral1
Sample
Nuevo orden.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Nuevo orden.exe
Resource
win10v2004-20250129-en
General
-
Target
Nuevo orden.exe
-
Size
1.2MB
-
MD5
8614fbae9f60c8c4ce300e71cf9f13c4
-
SHA1
46f47264d2da2ba48b43f5450243e54cd1525615
-
SHA256
0313c7a5d73a613b775f28f1aaa5186b1f526b773e05e14f7fbcad1103d9f0c0
-
SHA512
e0e54d16cd7b862d2bdd6916a64aa7f3efe978ddb0077cd6153b149960229e4b438c2927909d41b42a57781c4cda02778201f552f735bb61db35869a915a709f
-
SSDEEP
24576:Z8SOnWMvyCyCTdIoCApWzpefFQyqLKEr0pPD8EE0y5MDI:UnW2yCyCpIjefFQyqepDM5MDI
Malware Config
Extracted
remcos
RemoteHost
2.58.56.182:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-GM05WY
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2720 powershell.exe 2064 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1560 set thread context of 3012 1560 Nuevo orden.exe 36 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nuevo orden.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nuevo orden.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2616 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1560 Nuevo orden.exe 1560 Nuevo orden.exe 2720 powershell.exe 2064 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1560 Nuevo orden.exe Token: SeDebugPrivilege 2720 powershell.exe Token: SeDebugPrivilege 2064 powershell.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 1560 wrote to memory of 2720 1560 Nuevo orden.exe 29 PID 1560 wrote to memory of 2720 1560 Nuevo orden.exe 29 PID 1560 wrote to memory of 2720 1560 Nuevo orden.exe 29 PID 1560 wrote to memory of 2720 1560 Nuevo orden.exe 29 PID 1560 wrote to memory of 2064 1560 Nuevo orden.exe 31 PID 1560 wrote to memory of 2064 1560 Nuevo orden.exe 31 PID 1560 wrote to memory of 2064 1560 Nuevo orden.exe 31 PID 1560 wrote to memory of 2064 1560 Nuevo orden.exe 31 PID 1560 wrote to memory of 2616 1560 Nuevo orden.exe 32 PID 1560 wrote to memory of 2616 1560 Nuevo orden.exe 32 PID 1560 wrote to memory of 2616 1560 Nuevo orden.exe 32 PID 1560 wrote to memory of 2616 1560 Nuevo orden.exe 32 PID 1560 wrote to memory of 2464 1560 Nuevo orden.exe 35 PID 1560 wrote to memory of 2464 1560 Nuevo orden.exe 35 PID 1560 wrote to memory of 2464 1560 Nuevo orden.exe 35 PID 1560 wrote to memory of 2464 1560 Nuevo orden.exe 35 PID 1560 wrote to memory of 3012 1560 Nuevo orden.exe 36 PID 1560 wrote to memory of 3012 1560 Nuevo orden.exe 36 PID 1560 wrote to memory of 3012 1560 Nuevo orden.exe 36 PID 1560 wrote to memory of 3012 1560 Nuevo orden.exe 36 PID 1560 wrote to memory of 3012 1560 Nuevo orden.exe 36 PID 1560 wrote to memory of 3012 1560 Nuevo orden.exe 36 PID 1560 wrote to memory of 3012 1560 Nuevo orden.exe 36 PID 1560 wrote to memory of 3012 1560 Nuevo orden.exe 36 PID 1560 wrote to memory of 3012 1560 Nuevo orden.exe 36 PID 1560 wrote to memory of 3012 1560 Nuevo orden.exe 36 PID 1560 wrote to memory of 3012 1560 Nuevo orden.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nuevo orden.exe"C:\Users\Admin\AppData\Local\Temp\Nuevo orden.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Nuevo orden.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JeUXGeN.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JeUXGeN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5042.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2616
-
-
C:\Users\Admin\AppData\Local\Temp\Nuevo orden.exe"C:\Users\Admin\AppData\Local\Temp\Nuevo orden.exe"2⤵PID:2464
-
-
C:\Users\Admin\AppData\Local\Temp\Nuevo orden.exe"C:\Users\Admin\AppData\Local\Temp\Nuevo orden.exe"2⤵
- System Location Discovery: System Language Discovery
PID:3012
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54dfd5d203e4584963cb4a318471df5d0
SHA1dd471ce8f898df7c777980ffedf6e1036edbf22e
SHA25633a07cd7432b083694726f42683d8335a4dea28d7ab43913eef3bdef3fe29e35
SHA512f85b95395457f454566983ceb7fab8fd24d22608dc911cf0e2862d4a858f6f35654bb8d93eca612f5d7eaf9f8c5757dc9b86f72e247292bf49f0995fdd2090e0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD57dc1aa267cdc434dc1deb1bdc24c6cf6
SHA13645adfa80a40dafbee4da3be86dd78cbd036c76
SHA2561ab281045155da14513aa45e9b6dca720e9571444dfa63a3a720cb9346867927
SHA512dbc580b6a2b133fec59e0ed6aede80e5beb5742dd586b82721443168ae6bc69ccf4258141a4df3e53c9e4be5d85944b389938f4b3f6ca27170b93996d5716462