Analysis Overview
SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
Threat Level: Known bad
The file Remcos Professional Cracked By Alcatraz3222.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-27 23:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-27 23:48
Reported
2024-01-27 23:49
Platform
win7-20231215-en
Max time kernel
33s
Max time network
18s
Command Line
Signatures
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
Network
Files
memory/2212-0-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/2212-1-0x00000000009C0000-0x0000000001B6E000-memory.dmp
memory/2212-2-0x0000000005790000-0x00000000057D0000-memory.dmp
memory/2212-3-0x000000000D420000-0x000000000E5A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
| Algorithm | Hash |
|---|---|
| MD5 | efc159c7cf75545997f8c6af52d3e802 |
| SHA1 | b85bd368c91a13db1c5de2326deb25ad666c24c1 |
| SHA256 | 898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e |
| SHA512 | d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d |
\Users\Admin\AppData\Local\Temp\taskhost.exe
| Algorithm | Hash |
|---|---|
| MD5 | 9af17c8393f0970ee5136bd3ffa27001 |
| SHA1 | 4b285b72c1a11285a25f31f2597e090da6bbc049 |
| SHA256 | 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019 |
| SHA512 | b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3 |
memory/2212-33-0x0000000074730000-0x0000000074E1E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-27 23:48
Reported
2024-01-27 23:51
Platform
win10v2004-20231215-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4716 set thread context of 660 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dllsys.duckdns.org | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dllsys.duckdns.org | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
Files
memory/4716-0-0x0000000074570000-0x0000000074D20000-memory.dmp
memory/4716-1-0x0000000000690000-0x000000000183E000-memory.dmp
memory/4716-2-0x0000000006210000-0x00000000062AC000-memory.dmp
memory/4716-3-0x0000000003C20000-0x0000000003C30000-memory.dmp
memory/4716-4-0x000000000D930000-0x000000000EAB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
| Algorithm | Hash |
|---|---|
| MD5 | ced6bb5a0b6e5ab222c596abca4d64a9 |
| SHA1 | 85ae2a35aeecef22b0db218b299fbac9eaca0946 |
| SHA256 | 5d505522ecd24b98ee25d6be6f4f699d7b79354e347f50fde77e7c1c2f1381ae |
| SHA512 | 0c14912140ae315c7b264438a24f977b0b8f4f5f3a8459d56311b7bc9b03929cd8fc9b10d54e4203d3f6967ce4fb39124f369a27a2f6177f6a91bb58d0ba79a3 |
memory/660-12-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
| Algorithm | Hash |
|---|---|
| MD5 | 8fdf47e0ff70c40ed3a17014aeea4232 |
| SHA1 | e6256a0159688f0560b015da4d967f41cbf8c9bd |
| SHA256 | ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82 |
| SHA512 | bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be |
memory/660-17-0x0000000074570000-0x0000000074D20000-memory.dmp
memory/660-18-0x0000000005C10000-0x00000000061B4000-memory.dmp
memory/660-19-0x0000000005780000-0x0000000005812000-memory.dmp
memory/660-20-0x0000000005610000-0x0000000005620000-memory.dmp
memory/660-21-0x0000000005720000-0x000000000572A000-memory.dmp
memory/4716-23-0x0000000074570000-0x0000000074D20000-memory.dmp
memory/660-24-0x0000000074570000-0x0000000074D20000-memory.dmp
memory/660-25-0x0000000005610000-0x0000000005620000-memory.dmp