Malware Analysis Report

2025-08-10 23:17

Sample ID 221101-nrp9qacdgq
Target oder.exe
SHA256 3c7c946ab9bd9f728928c817d648b9808eb7783b4ca73710050093f0c46d5f61
Tags: remcos, svnhost, persistence, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 3c7c946ab9bd9f728928c817d648b9808eb7783b4ca73710050093f0c46d5f61

Threat level: Known bad. The file oder.exe was found to be: Known bad.

Observed chain (the same in both detonations): oder.exe starts WScript.exe on the dropped encoded VBScript qkngrv.vbe. The command line names C:\Windows\System32\WScript.exe, but the image that runs is C:\Windows\SysWOW64\WScript.exe, the normal WOW64 file-system redirection for a 32-bit parent (the Wow6432Node Run key confirms the sample is 32-bit). The script runs the dropped beqgxodpl.exe with xhpfes.jus as its argument; beqgxodpl.exe then writes into, and sets the thread context of, a copy of RegSvcs.exe placed in %TEMP% (the WriteProcessMemory/SetThreadContext sequence characteristic of process hollowing), so the Remcos payload runs under the name of a legitimate .NET Framework utility. Persistence is an HKLM Run value named WindowsUpdate that re-launches beqgxodpl.exe with xhpfes.jus. Network activity is a TCP connection to 83.229.39.38:2404 with no associated DNS lookup, consistent with the Remcos C2 channel, plus an HTTP request to geoplugin.net, a public geolocation service. The dropped mlnrjrqvgw.exe and hfswkaneb.lwa are written to disk, but no signature records them executing.

Malicious Activity Summary

remcos svnhost persistence rat

Remcos

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:38

Reported

2022-11-01 11:40

Platform

win7-20220812-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\oder.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4_49\\BEQGXO~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\4_49\\xhpfes.jus" | C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1288 set thread context of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1976 wrote to memory of 1352 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\oder.exe | C:\Windows\SysWOW64\WScript.exe
PID 1352 wrote to memory of 1288 (4 events) | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe
PID 1288 wrote to memory of 1544 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\oder.exe (PID 1976)
  "C:\Users\Admin\AppData\Local\Temp\oder.exe"
  └─ C:\Windows\SysWOW64\WScript.exe (PID 1352)
     "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_49\qkngrv.vbe"
     └─ C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe (PID 1288)
        "C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe" xhpfes.jus
        └─ C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 1544)
           "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

PIDs and parent/child pairs are those recorded in the WriteProcessMemory and SetThreadContext entries above.

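The chain above is the kind of thing a detection engineer turns into hunting logic. The following is an added example for this page, not sandbox output and not part of the report: it runs a few rules over constructed Sysmon-style process-creation (EventID 1) and registry value-set (EventID 13) events built from the indicators in this report. Field names (Image, CommandLine, ParentImage, TargetObject, Details) follow Sysmon; the explorer.exe and cmd.exe parents, the benign RegSvcs.exe control event, and the inclusion of RegAsm.exe alongside RegSvcs.exe are assumptions made for the example.

```python
"""Hunting rules for the execution chain in this report, run over Sysmon-style
events. Added example for this page, not sandbox output; the events below are
constructed from the report's indicators."""
import re

# A user-writable staging directory of the kind the sample uses.
TEMP_DIR = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf")
# .NET Framework utilities that legitimately live only under %WINDIR%\Microsoft.NET.
# The report shows RegSvcs.exe; RegAsm.exe is added as an assumption (same directory).
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe"}
DOTNET_HOME = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\", re.I)

# Constructed events reproducing behavioral1 (PIDs and paths from the report; the
# explorer.exe/cmd.exe parents and the benign control event are assumptions).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1976,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\oder.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\oder.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1352,
     "Image": r"C:\Windows\SysWOW64\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_49\qkngrv.vbe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\oder.exe"},
    {"EventID": 1, "ProcessId": 1288,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe" xhpfes.jus',
     "ParentImage": r"C:\Windows\SysWOW64\WScript.exe"},
    {"EventID": 1, "ProcessId": 1544,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe"},
    {"EventID": 13, "ProcessId": 1288,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\4_49\BEQGXO~1.EXE C:\Users\Admin\AppData\Local\Temp\4_49\xhpfes.jus"},
    # Benign control: the genuine RegSvcs.exe run from the Framework directory.
    {"EventID": 1, "ProcessId": 2000,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MyComponent.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules for a process-creation event; returns [(rule, pid), ...]."""
    image, cmd, parent = ev["Image"], ev.get("CommandLine", ""), ev.get("ParentImage", "")
    name, findings = basename(image), []
    # A script host running a script file out of a Temp directory.
    if name in SCRIPT_HOSTS and any(e in cmd.lower() for e in SCRIPT_EXTS) and TEMP_DIR.search(cmd):
        findings.append(("script_host_runs_temp_script", ev["ProcessId"]))
    # A .NET utility name executing from anywhere but its real home directory.
    if name in DOTNET_UTILS and not DOTNET_HOME.match(image):
        findings.append(("dotnet_util_outside_framework_dir", ev["ProcessId"]))
    # A script host launching an executable that lives in a Temp directory.
    if basename(parent) in SCRIPT_HOSTS and TEMP_DIR.search(image):
        findings.append(("script_host_spawns_temp_exe", ev["ProcessId"]))
    return findings


def check_registry(ev):
    """Run-key value whose data points into a Temp directory, whatever the value is named."""
    if "\\currentversion\\run\\" in ev["TargetObject"].lower() and TEMP_DIR.search(ev.get("Details", "")):
        return [("run_key_targets_temp_dir", ev["ProcessId"])]
    return []


def hunt(events):
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            findings += check_process(ev)
        elif ev["EventID"] == 13:
            findings += check_registry(ev)
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:36s} PID {pid}")
```

Two design points follow directly from the report. Match on the Image field, not on the command line: the report shows the command line naming System32\WScript.exe while the running image is SysWOW64\WScript.exe. And key the Run-value rule on where the value data points (a user-writable Temp directory) rather than on the value name, since WindowsUpdate is chosen to look legitimate.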
Network

Country | Destination | Domain | Proto
US | 83.229.39.38:2404 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

memory/1976-54-0x00000000754E1000-0x00000000754E3000-memory.dmp

memory/1352-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\4_49\qkngrv.vbe

MD5 c9ab163d2f7bc130856326b41406df9f
SHA1 7b581bc36fbe920087affb4ceed4878277de5b9f
SHA256 b1d50e6e39d34d9ba1c2bee72eebf36750f727ba618bf2caacf5400817fbc306
SHA512 fe3a7308fff00c8f6918945968eb902f0685d7977a0de76d070ba4ef5e48592e135ca7a4d68043941b583884c1da75d185af54f08f7f6d216813e93335b509c2

memory/1288-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe

MD5 f918014ea55e52d1fa0afd76f3a06e74
SHA1 3b8f11f27e469d02ec54f2ccf452add22413be36
SHA256 f1150309a596ab1c84e27b637edc5bdae2bae5ea0d0cac75736be0432de6821f
SHA512 b1b136f4a748ad6032f7f1fe8468317df1ab78f06a46589929ba8cf10239bc281deb5081a3241de76d26f20d9bffaf3df3859a47ed48bde3156b458db4bdb96f

\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe

MD5 f918014ea55e52d1fa0afd76f3a06e74
SHA1 3b8f11f27e469d02ec54f2ccf452add22413be36
SHA256 f1150309a596ab1c84e27b637edc5bdae2bae5ea0d0cac75736be0432de6821f
SHA512 b1b136f4a748ad6032f7f1fe8468317df1ab78f06a46589929ba8cf10239bc281deb5081a3241de76d26f20d9bffaf3df3859a47ed48bde3156b458db4bdb96f

C:\Users\Admin\AppData\Local\Temp\4_49\xhpfes.jus

MD5 c358f58747a462523f062670fa9caa7e
SHA1 063d8a38f699a7ea3f3ded2b740f308d8d5e0731
SHA256 e68ead499ad15805ebae14eb3a567cc8571f2ae8a06fd78ab465b9ffebeed444
SHA512 98776ee8be1a0fd5d21dc99e047ed0d2c65e08b98a6c00ffd0b40c43db93b70674519312fbf75d3c0f9ec34f6c2d6ec1bd695f5aab49449f486fe89b46c3a9f2

C:\Users\Admin\AppData\Local\Temp\4_49\mlnrjrqvgw.exe

MD5 6806cad8f76ac1e64729efabe69a6cc3
SHA1 79e5e3d2f558dc609f36dac2fe0c70a403e80a9b
SHA256 3be3e03a563b786d7ee47aa806c7ecc641bae2bbcc446e7d0b6980edf1e6e308
SHA512 a40937eef628dcec8a13c96859efaa4bf51977f0a9e03eeaa9a93d1e6b74cf5a77a2d23be69651fd18c47ad665df6e68d57cd177bd55a631afd39605e5ce37f8

C:\Users\Admin\AppData\Local\Temp\4_49\hfswkaneb.lwa

MD5 91cd0a1fffab60215a45d8eee93dc28b
SHA1 26e0fa3702d9d11d5077c0fe82b6ef2c177198dc
SHA256 be6a5a94f351db158d5a67f596b85a0baa112efc42fabf3a60e85c0169df73b0
SHA512 84dacf17999aa9efc73562681e9a2571ec9eeb8091e2615e469c705826ffe7ec40400680acc225cdd35548a874bb0bbdc7e41d7a69a6d31154e246ae026c85cd

\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1544-67-0x00000000003C0000-0x0000000000964000-memory.dmp

memory/1544-70-0x00000000003F27A4-mapping.dmp

memory/1544-69-0x00000000003C0000-0x0000000000964000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1544-74-0x00000000003C0000-0x0000000000964000-memory.dmp

memory/1544-75-0x00000000003C0000-0x0000000000964000-memory.dmp

memory/1544-76-0x00000000003C0000-0x0000000000964000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-01 11:38

Reported

2022-11-01 11:40

Platform

win10v2004-20220812-en

Max time kernel

152s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\oder.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\oder.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4_49\\BEQGXO~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\4_49\\xhpfes.jus" | C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4792 set thread context of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\oder.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\oder.exe
  "C:\Users\Admin\AppData\Local\Temp\oder.exe"
C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_49\qkngrv.vbe"
C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe (PID 4792)
  "C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe" xhpfes.jus
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 1380)
  "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Command lines are identical to the behavioral1 run; the two PIDs are those recorded in the SetThreadContext entry above.

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp (2 connections)
US | 83.229.39.38:2404 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
JP | 40.79.189.58:443 | | tcp
US | 93.184.221.240:80 | | tcp (3 connections)
US | 8.247.211.254:80 | | tcp (2 connections)

Only 83.229.39.38:2404 and the geoplugin.net lookup also appear in the Windows 7 run. The remaining destinations have no domain, process or signature attributed to them in this report and are absent from behavioral1, so treat them as Windows 10 background traffic rather than sample indicators unless other telemetry ties them to the sample.

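The two Network tables give indicators of different quality, and the Files sections give hashes. The following added example (not sandbox output and not part of this report) puts them into a small matcher: it scores a constructed flow log per source host, treating the 83.229.39.38:2404 socket as high fidelity and the geoplugin.net lookup as low fidelity, and checks a file inventory against the dropped-file SHA256 values from both runs. The fidelity labels, the CSV layout, the hosts 10.0.0.5 and 10.0.0.7 and the flow rows themselves are assumptions made for the example.

```python
"""IOC matcher for the network and file indicators in this report.
Added example for this page, not sandbox output; the flow log is constructed."""
import csv
import io

# Indicators from the report's Network sections. The fidelity labels are this
# example's own: the C2 socket is specific to this sample's configuration, while
# geoplugin.net is a public geolocation API that benign software also queries.
NET_IOCS = {
    ("83.229.39.38", 2404, "tcp"): ("remcos_c2", "high"),
    ("178.237.33.50", 80, "tcp"): ("geoplugin_lookup", "low"),
}
DOMAIN_IOCS = {"geoplugin.net": ("geoplugin_lookup", "low")}

# SHA256 values of the sample and its dropped files from the Files sections.
# RegSvcs.exe is left out on purpose: the report gives a different hash for it
# in the Win7 and Win10 runs, so its hash is not a stable indicator.
FILE_IOCS = {
    "3c7c946ab9bd9f728928c817d648b9808eb7783b4ca73710050093f0c46d5f61": "oder.exe",
    "b1d50e6e39d34d9ba1c2bee72eebf36750f727ba618bf2caacf5400817fbc306": "qkngrv.vbe",
    "f1150309a596ab1c84e27b637edc5bdae2bae5ea0d0cac75736be0432de6821f": "beqgxodpl.exe",
    "e68ead499ad15805ebae14eb3a567cc8571f2ae8a06fd78ab465b9ffebeed444": "xhpfes.jus",
    "3be3e03a563b786d7ee47aa806c7ecc641bae2bbcc446e7d0b6980edf1e6e308": "mlnrjrqvgw.exe",
    "be6a5a94f351db158d5a67f596b85a0baa112efc42fabf3a60e85c0169df73b0": "hfswkaneb.lwa",
}

# Constructed flow log (not from the sandbox): 10.0.0.5 reproduces the report's
# connection pattern, 10.0.0.7 only the geolocation lookup and unrelated traffic.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,query
2022-11-01T11:39:01Z,10.0.0.5,8.8.8.8,53,udp,geoplugin.net
2022-11-01T11:39:02Z,10.0.0.5,178.237.33.50,80,tcp,
2022-11-01T11:39:03Z,10.0.0.5,83.229.39.38,2404,tcp,
2022-11-01T11:39:10Z,10.0.0.7,8.8.8.8,53,udp,geoplugin.net
2022-11-01T11:39:11Z,10.0.0.7,93.184.220.29,80,tcp,
"""


def match_flows(csv_text):
    """Return {src_host: [(indicator, fidelity), ...]} for flows that hit an IOC."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        socket = (row["dst"], int(row["dport"]), row["proto"].lower())
        ioc = NET_IOCS.get(socket) or DOMAIN_IOCS.get(row["query"].lower())
        if ioc:
            hits.setdefault(row["src"], []).append(ioc)
    return hits


def verdict(indicators):
    """Collapse one host's hits into a triage decision."""
    fidelities = {fidelity for _, fidelity in indicators}
    if "high" in fidelities:
        return "confirmed: Remcos C2 contact"
    if fidelities:
        return "weak: geolocation lookup only, corroborate with process telemetry"
    return "clean"


def triage(csv_text):
    """Per-host verdicts for a whole flow log."""
    return {host: verdict(hits) for host, hits in match_flows(csv_text).items()}


def match_hashes(inventory):
    """inventory: {path: sha256}. Returns {path: dropped_file_name} for known hashes."""
    return {path: FILE_IOCS[h.lower()] for path, h in inventory.items() if h.lower() in FILE_IOCS}


if __name__ == "__main__":
    for host, decision in triage(SAMPLE_FLOWS).items():
        print(f"{host:12s} {decision}")
```

A geoplugin.net lookup on its own should not page anyone; a host that also opened 83.229.39.38:2404 is confirmed. For RegSvcs.exe, the durable indicator is not a hash but the path: a RegSvcs.exe image under a user's Temp directory, as both runs show.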
Files

memory/4848-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\4_49\qkngrv.vbe

MD5 c9ab163d2f7bc130856326b41406df9f
SHA1 7b581bc36fbe920087affb4ceed4878277de5b9f
SHA256 b1d50e6e39d34d9ba1c2bee72eebf36750f727ba618bf2caacf5400817fbc306
SHA512 fe3a7308fff00c8f6918945968eb902f0685d7977a0de76d070ba4ef5e48592e135ca7a4d68043941b583884c1da75d185af54f08f7f6d216813e93335b509c2

C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe

MD5 f918014ea55e52d1fa0afd76f3a06e74
SHA1 3b8f11f27e469d02ec54f2ccf452add22413be36
SHA256 f1150309a596ab1c84e27b637edc5bdae2bae5ea0d0cac75736be0432de6821f
SHA512 b1b136f4a748ad6032f7f1fe8468317df1ab78f06a46589929ba8cf10239bc281deb5081a3241de76d26f20d9bffaf3df3859a47ed48bde3156b458db4bdb96f

memory/4792-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4_49\xhpfes.jus

MD5 c358f58747a462523f062670fa9caa7e
SHA1 063d8a38f699a7ea3f3ded2b740f308d8d5e0731
SHA256 e68ead499ad15805ebae14eb3a567cc8571f2ae8a06fd78ab465b9ffebeed444
SHA512 98776ee8be1a0fd5d21dc99e047ed0d2c65e08b98a6c00ffd0b40c43db93b70674519312fbf75d3c0f9ec34f6c2d6ec1bd695f5aab49449f486fe89b46c3a9f2

C:\Users\Admin\AppData\Local\Temp\4_49\mlnrjrqvgw.exe

MD5 6806cad8f76ac1e64729efabe69a6cc3
SHA1 79e5e3d2f558dc609f36dac2fe0c70a403e80a9b
SHA256 3be3e03a563b786d7ee47aa806c7ecc641bae2bbcc446e7d0b6980edf1e6e308
SHA512 a40937eef628dcec8a13c96859efaa4bf51977f0a9e03eeaa9a93d1e6b74cf5a77a2d23be69651fd18c47ad665df6e68d57cd177bd55a631afd39605e5ce37f8

C:\Users\Admin\AppData\Local\Temp\4_49\hfswkaneb.lwa

MD5 91cd0a1fffab60215a45d8eee93dc28b
SHA1 26e0fa3702d9d11d5077c0fe82b6ef2c177198dc
SHA256 be6a5a94f351db158d5a67f596b85a0baa112efc42fabf3a60e85c0169df73b0
SHA512 84dacf17999aa9efc73562681e9a2571ec9eeb8091e2615e469c705826ffe7ec40400680acc225cdd35548a874bb0bbdc7e41d7a69a6d31154e246ae026c85cd

memory/1380-140-0x0000000000F90000-0x0000000001621000-memory.dmp

memory/1380-141-0x0000000000FC27A4-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/1380-143-0x0000000000F90000-0x0000000001621000-memory.dmp

memory/1380-144-0x0000000000F90000-0x0000000001621000-memory.dmp

memory/1380-145-0x0000000000F90000-0x0000000001621000-memory.dmp

memory/1380-146-0x0000000000F90000-0x0000000001621000-memory.dmp