Analysis Overview
SHA256
2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b
Threat Level: Known bad
The file 2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b was found to be: Known bad.
Malicious Activity Summary
Remcos family
Nirsoft
NirSoft MailPassView
NirSoft WebBrowserPassView
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-15 14:32
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-15 14:32
Reported
2024-02-15 14:35
Platform
win7-20231129-en
Max time kernel
147s
Max time network
141s
Command Line
Signatures
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2360 set thread context of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe |
| PID 2360 set thread context of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe |
| PID 2360 set thread context of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe
"C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe"
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe /stext "C:\Users\Admin\AppData\Local\Temp\tyysaqujjskhmgztjvkmyt"
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe /stext "C:\Users\Admin\AppData\Local\Temp\qwtzayjpvksucadpskx"
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe /stext "C:\Users\Admin\AppData\Local\Temp\gcfhzgyohcapaup"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | email.imforums.in | udp |
| NL | 91.92.253.17:3393 | email.imforums.in | tcp |
| NL | 91.92.253.17:3393 | email.imforums.in | tcp |
| NL | 91.92.253.17:3393 | email.imforums.in | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/1644-6-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1644-4-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1644-8-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2540-9-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2928-7-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2540-3-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2540-12-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2928-16-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2928-15-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2928-14-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2928-13-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1644-1-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1644-21-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gcfhzgyohcapaup
| Hash | Value |
| --- | --- |
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2360-24-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2360-28-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2540-30-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2360-29-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2360-27-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2360-32-0x0000000010000000-0x0000000010019000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-15 14:32
Reported
2024-02-15 14:35
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 536 set thread context of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe |
| PID 536 set thread context of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe |
| PID 536 set thread context of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe
"C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe"
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe /stext "C:\Users\Admin\AppData\Local\Temp\mhqjyxjrubjuymoblsjcjunxq"
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe /stext "C:\Users\Admin\AppData\Local\Temp\xkwczptlqjbzbbcnddweuzhozkzs"
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe
C:\Users\Admin\AppData\Local\Temp\2f4d1b809b6f776b81a5c2aba52fb5deb61658b4617b52832f727d64a6d4ea7b.exe /stext "C:\Users\Admin\AppData\Local\Temp\zebuaieeertdlhyrmoqfxluxzzrbzsyb"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | email.imforums.in | udp |
| NL | 91.92.253.17:3393 | email.imforums.in | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 91.92.253.17:3393 | email.imforums.in | tcp |
| NL | 91.92.253.17:3393 | email.imforums.in | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 17.253.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
memory/1168-1-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3008-3-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1168-6-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4088-4-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3008-7-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3008-11-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4088-12-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1168-10-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4088-13-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3008-17-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4088-20-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1168-22-0x0000000000400000-0x0000000000478000-memory.dmp
memory/536-25-0x0000000010000000-0x0000000010019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mhqjyxjrubjuymoblsjcjunxq
| Hash | Value |
| --- | --- |
| MD5 | a4b83bf48e62a41c2f45628d10c5bba1 |
| SHA1 | 2596a41d8da2eb88f7f69e27cc16a046a2287f35 |
| SHA256 | 7b29149f6971b7fba6137f401c2d515cc576dafd233b7d312dd7d818b9f91829 |
| SHA512 | afcaee732127ad05cc70a2a9cca8e4ccdcacf8161b16ed4c5e346418a7c221f3da4f20d95b449fb813a6ccbd2aad05a3a9449a9db01f8fd5c132068d1cf4c7bd |
memory/536-28-0x0000000010000000-0x0000000010019000-memory.dmp
memory/536-30-0x0000000010000000-0x0000000010019000-memory.dmp
memory/536-31-0x0000000010000000-0x0000000010019000-memory.dmp
memory/536-32-0x0000000010000000-0x0000000010019000-memory.dmp