Analysis Overview
SHA256
0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe
Threat Level: Known bad
The file 0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Detects executables embedding command execution via IExecuteCommand COM object
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Detects executables containing artifacts associated with disabling Widnows Defender
Detects executables potentially checking for WinJail sandbox window
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-15 04:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-15 04:57
Reported
2024-02-15 04:59
Platform
win7-20231129-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1540 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1540 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1540 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1540 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe.exe
"C:\Users\Admin\AppData\Local\Temp\0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 648
Network
Files
memory/1540-0-0x0000000001320000-0x0000000001332000-memory.dmp
memory/1540-1-0x00000000002C0000-0x00000000002DA000-memory.dmp
memory/1540-2-0x0000000074E50000-0x000000007553E000-memory.dmp
memory/1540-3-0x0000000004E70000-0x0000000004EB0000-memory.dmp
memory/1540-4-0x0000000074E50000-0x000000007553E000-memory.dmp
memory/1540-5-0x0000000004E70000-0x0000000004EB0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-15 04:57
Reported
2024-02-15 04:59
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Remcos
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing artifacts associated with disabling Widnows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables embedding command execution via IExecuteCommand COM object
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables potentially checking for WinJail sandbox window
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
detects Windows exceutables potentially bypassing UAC using eventvwr.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1628 set thread context of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe.exe | C:\Windows\SysWOW64\calc.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe.exe
"C:\Users\Admin\AppData\Local\Temp\0180ff6061f280ac6c5a2bf84dde5f6ea4a056c7cbf14f796d48c62f2290fcfe.exe"
C:\Windows\SysWOW64\calc.exe
"C:\Windows\SYSWOW64\calc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | heygirlisheeverythingyouwantedinaman.com | udp |
| US | 104.21.57.121:80 | heygirlisheeverythingyouwantedinaman.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.57.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | windowslvlssfebupdate.duckdns.org | udp |
| US | 155.138.207.238:4241 | windowslvlssfebupdate.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 238.207.138.155.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
memory/1628-0-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/1628-1-0x0000000000080000-0x0000000000092000-memory.dmp
memory/1628-2-0x0000000004990000-0x00000000049AA000-memory.dmp
memory/1628-3-0x0000000004F90000-0x0000000005534000-memory.dmp
memory/1628-4-0x0000000004AC0000-0x0000000004B52000-memory.dmp
memory/1628-5-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/1628-6-0x0000000004B70000-0x0000000004B7A000-memory.dmp
memory/1628-7-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/1628-8-0x00000000074C0000-0x000000000755C000-memory.dmp
memory/1628-9-0x0000000007420000-0x00000000074BE000-memory.dmp
memory/4780-10-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-11-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-13-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-15-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-14-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1628-16-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/4780-17-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-18-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-19-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-20-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-22-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-23-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-24-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-25-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-26-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-27-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-28-0x0000000000400000-0x000000000047F000-memory.dmp
memory/4780-29-0x0000000000400000-0x000000000047F000-memory.dmp