Analysis Overview
SHA256
e825cdfc2e4a1b1c6a56602cce16417f55e4f42c699cea18b4dddbbf85d9527f
Threat Level: Known bad
The file Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Uses the VBS compiler for execution
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-25 16:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-25 16:26
Reported
2024-03-25 16:28
Platform
win7-20240221-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Remcos
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1288 set thread context of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe
"C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UlvywtFnmZtH.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlvywtFnmZtH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9943.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
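The process list above is the chain a detection engineer wants to catch before the payload lands in vbc.exe: the dropper (PID 1288) spawns two PowerShell instances that add Windows Defender exclusions (one for its own path, one for the UlvywtFnmZtH.exe copy it is about to schedule), registers a scheduled task from an XML file in the user's Temp directory, and starts vbc.exe with no arguments as the target of the SetThreadContext/WriteProcessMemory activity recorded in the Signatures. Note that the command lines say System32 while the image paths say SysWOW64: the 32-bit dropper's children are WoW64-redirected, so rules should key on the image path the kernel reports, not on the path string in argv[0]. The block below is an added example, not part of the sandbox report, that runs these three checks over constructed process-creation events modelled on the report's command lines; PIDs 1288 and 1948 are the report's, while the remaining PIDs, the parent-child links, the user-writable path pattern and the list of .NET host binaries are assumptions of the example.

```python
import re

# Constructed sample events modelled on the behavioral1 process list in the report.
# PIDs 1288 (dropper) and 1948 (vbc.exe) are taken from the report's SetThreadContext
# signature; the other PIDs and the parent-child links are assumed for illustration.
SAMPLE_EVENTS = [
    {"pid": 1288, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"'},
    {"pid": 2616, "ppid": 1288,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"'},
    {"pid": 2564, "ppid": 1288,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UlvywtFnmZtH.exe"'},
    {"pid": 2700, "ppid": 1288,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlvywtFnmZtH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9943.tmp"'},
    {"pid": 1948, "ppid": 1288,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'},
    # Benign control (constructed): a real build passes arguments to vbc.exe and is
    # started by a parent outside user-writable space, so no rule should fire on it.
    {"pid": 3000, "ppid": 2900,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig /out:app.exe app.vb'},
]

# Locations a standard user can write to (assumed pattern); a parent image living
# here is the usual sign of a freshly dropped executable.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\[^\\]+\\(?:Downloads|Desktop))\\", re.I)

# .NET framework binaries commonly started argument-less as injection hosts
# (assumed list; the report itself only shows vbc.exe).
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_windows_args(cmdline):
    """Minimal Windows-style tokenizer: a double-quoted run is one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def classify(event, by_pid):
    """Return (rule, detail) findings for one process-creation event."""
    findings = []
    image = basename(event["image"])  # the image path, not argv[0], survives WoW64 redirection
    args = split_windows_args(event["cmdline"])[1:]
    lower = [a.lower() for a in args]

    # Rule 1: Defender exclusion added from the command line. The prefix match also
    # covers -ExclusionProcess/-ExclusionExtension and PowerShell parameter abbreviations.
    if image in ("powershell.exe", "pwsh.exe") and "add-mppreference" in lower:
        for i, a in enumerate(lower):
            if a.startswith("-exclusion") and i + 1 < len(args):
                findings.append(("defender_exclusion", args[i + 1]))

    # Rule 2: scheduled task registered from an XML definition in a user-writable path.
    if image == "schtasks.exe" and "/create" in lower and "/xml" in lower:
        idx = lower.index("/xml") + 1
        xml_path = args[idx] if idx < len(args) else ""
        if USER_WRITABLE.search(xml_path):
            findings.append(("schtasks_xml_from_user_path", xml_path))

    # Rule 3: a .NET host binary started with no arguments by a parent in user-writable
    # space. A compiler with nothing to compile is a hollowing target, not a build step.
    if image in DOTNET_HOSTS and not args:
        parent = by_pid.get(event["ppid"])
        if parent and USER_WRITABLE.search(parent["image"]):
            findings.append(("argless_dotnet_host_from_user_path", parent["image"]))
    return findings


def triage(events):
    """Map pid -> findings for every event that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    report = {}
    for event in events:
        hits = classify(event, by_pid)
        if hits:
            report[event["pid"]] = hits
    return report


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        for rule, detail in hits:
            print(f"{pid}\t{rule}\t{detail}")
```

Each rule keys on a different stage of the chain, so any one of them firing is enough to stop the run; in practice Rule 1 is the cheapest alert, because Add-MpPreference from a non-administrative script host is rare in legitimate fleets, and Rule 3 is the one that catches the injection host regardless of which dropper family is in front of it.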
Network
| Country | Destination | Domain | Proto |
| NL | 91.92.247.97:2505 | | tcp |
| US | 8.8.8.8:53 | stefracino.store | udp |
| NL | 91.92.247.97:2505 | | tcp |
| NL | 91.92.247.97:2505 | | tcp |
Files
memory/1288-0-0x0000000000F20000-0x0000000001016000-memory.dmp
memory/1288-1-0x0000000074440000-0x0000000074B2E000-memory.dmp
memory/1288-2-0x0000000000B30000-0x0000000000B70000-memory.dmp
memory/1288-3-0x0000000000330000-0x0000000000342000-memory.dmp
memory/1288-4-0x00000000003D0000-0x00000000003DC000-memory.dmp
memory/1288-5-0x00000000054D0000-0x0000000005590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9943.tmp
| MD5 | b338ed8878f6e1471e061dde45f83012 |
| SHA1 | d65949ace7b565f4ae10148d25a99b10cc781605 |
| SHA256 | 39da6e37b3cca8829b88ae87e09b778601e7b8d3349fd1e9e2eacaaf51785d8b |
| SHA512 | cf4ff805781421ac9b62c6d1a8d185263b3053bb1d5e7e031b380c048499a542fe515d7aac5e24bbba70a9abe2e06f39d8310047a17e12924ba6137f2dfd4e28 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RHYJEI419AV3OIO9M4ZM.temp
| MD5 | 84caf5967138d71086202e97532bf1a5 |
| SHA1 | d1bbc9de1affa643a7830e6e1f049a34c7164918 |
| SHA256 | ab1b219cafe5da829026f33bd94a475cf068d4031c5793093548ac71e991ae91 |
| SHA512 | e0b027e459c22a2b0d08710227d5ba4279d4de396146c22dff8152f4ebac1d0f693aee971171718aa1d81024c0192f56bd45e9c8337870e451cacffde52cd0f8 |
memory/2616-18-0x000000006DF60000-0x000000006E50B000-memory.dmp
memory/2564-19-0x000000006DF60000-0x000000006E50B000-memory.dmp
memory/2616-20-0x000000006DF60000-0x000000006E50B000-memory.dmp
memory/2564-21-0x00000000025D0000-0x0000000002610000-memory.dmp
memory/1948-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-30-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-32-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-34-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1948-37-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-39-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1288-40-0x0000000074440000-0x0000000074B2E000-memory.dmp
memory/1948-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-42-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2616-45-0x000000006DF60000-0x000000006E50B000-memory.dmp
memory/2564-46-0x000000006DF60000-0x000000006E50B000-memory.dmp
memory/1948-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-48-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1948-50-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-25 16:26
Reported
2024-03-25 16:28
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Remcos
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4216 set thread context of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe
"C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ref [HSBC Ref# H240322-X793Y1] Transaction_Confirmation_2024.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UlvywtFnmZtH.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UlvywtFnmZtH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB0C2.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 91.92.247.97:2505 | | tcp |
| US | 8.8.8.8:53 | 97.247.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stefracino.store | udp |
| NL | 91.92.247.97:2505 | | tcp |
| US | 8.8.8.8:53 | 128.225.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stefracino.store | udp |
| NL | 91.92.247.97:2505 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| GB | 88.221.134.18:80 | | tcp |
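Most rows in this table, and in the behavioral1 Network table above, are environment noise rather than sample activity: the in-addr.arpa queries are reverse lookups performed in the sandbox, and tse1.mm.bing.net is Windows 10 background traffic. What belongs on the IOC list is the stefracino.store lookup and the repeated TCP connections to 91.92.247.97:2505, a non-standard port that both the win7 and win10 runs contact three times; the direct-to-IP connections on port 80 carry no domain and need a manual look before being treated either way. The rows are also laid out inconsistently, with "tcp" printed in the Domain column and an empty Proto cell on several lines. The block below is an added example, not part of the report, that parses the rows as printed, tolerates the shifted columns, and sorts destinations into C2 candidates, direct-to-IP web connections to review, and background traffic; the background-domain allowlist and the treatment of ports 80/443 are assumptions of the example.

```python
from collections import Counter
from pprint import pprint

# Constructed input: rows copied from the Network tables of this report. Several
# rows carry "tcp" in the Domain column and an empty Proto cell, so the parser
# below classifies cells by content rather than by position.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| NL | 91.92.247.97:2505 | tcp | |
| US | 8.8.8.8:53 | 97.247.92.91.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | stefracino.store | udp |
| NL | 91.92.247.97:2505 | tcp | |
| US | 8.8.8.8:53 | stefracino.store | udp |
| NL | 91.92.247.97:2505 | tcp | |
| GB | 88.221.134.18:80 | tcp |
"""

# Assumed allowlist of Windows background traffic seen in clean sandbox runs.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")
WEB_PORTS = {80, 443}
PROTOS = {"tcp", "udp"}


def parse_row(line):
    """Parse one '| country | ip:port | domain | proto |' row; None for header/blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    ip, _, port = cells[1].rpartition(":")
    if not port.isdigit():
        return None
    rest = [c for c in cells[2:] if c]  # drop empty cells, then decide by content
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c.lower() not in PROTOS), "")
    return {"country": cells[0], "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_background(domain):
    """Reverse lookups and allowlisted OS/CDN names are sandbox noise, not sample activity."""
    return domain.endswith(".in-addr.arpa") or domain.endswith(BACKGROUND_SUFFIXES)


def extract_iocs(table_text):
    """Split the rows into queried names, C2 candidates, direct-to-IP web traffic and noise."""
    queried, c2, review, background = set(), Counter(), Counter(), 0
    for row in filter(None, map(parse_row, table_text.splitlines())):
        key = (row["ip"], row["port"], row["proto"])
        if is_background(row["domain"]):
            background += 1
        elif row["port"] == 53 and row["proto"] == "udp":
            queried.add(row["domain"])  # a name the sample asked the resolver for
        elif row["port"] in WEB_PORTS and not row["domain"]:
            review[key] += 1  # could be OS/CDN traffic or HTTP C2; needs a manual look
        else:
            c2[key] += 1  # non-web port reached directly; the count shows retries
    return {
        "domains": sorted(queried),
        "c2_candidates": dict(c2),
        "review": dict(review),
        "background_rows": background,
    }


if __name__ == "__main__":
    pprint(extract_iocs(SAMPLE_ROWS))
```

The retry count on the C2 candidate is worth keeping in the output: three connections to the same host and port inside a two-minute run is the kind of reconnect pattern that separates a configured C2 address from a one-off fetch, and it is the number to compare against the equivalent row count in the behavioral1 table.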
Files
memory/4216-0-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/4216-1-0x0000000000050000-0x0000000000146000-memory.dmp
memory/4216-2-0x0000000005150000-0x00000000056F4000-memory.dmp
memory/4216-3-0x0000000004AE0000-0x0000000004B72000-memory.dmp
memory/4216-4-0x0000000004C80000-0x0000000004C90000-memory.dmp
memory/4216-5-0x0000000004BA0000-0x0000000004BAA000-memory.dmp
memory/4216-6-0x0000000004D80000-0x0000000004E1C000-memory.dmp
memory/4216-7-0x0000000004E20000-0x0000000004E32000-memory.dmp
memory/4216-8-0x0000000005140000-0x000000000514C000-memory.dmp
memory/4216-9-0x0000000006370000-0x0000000006430000-memory.dmp
memory/1508-14-0x0000000002F30000-0x0000000002F66000-memory.dmp
memory/1508-15-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/1508-17-0x0000000002FE0000-0x0000000002FF0000-memory.dmp
memory/1508-16-0x0000000002FE0000-0x0000000002FF0000-memory.dmp
memory/4088-19-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/4088-20-0x0000000002930000-0x0000000002940000-memory.dmp
memory/1508-18-0x0000000005A30000-0x0000000006058000-memory.dmp
memory/4216-21-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/4088-22-0x0000000002930000-0x0000000002940000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB0C2.tmp
| MD5 | 54f871890eae5d789e1802ce7b1f0ca9 |
| SHA1 | 14fe7b9446b35492e9b7f09ad9768d2e9ca2d5f1 |
| SHA256 | 4b85c999de1eea4610320f789cd9519e4741c48c1d8f806f445b797541ceb15f |
| SHA512 | 8c1484701b40e92fa5cd9ddc3b1c1cc88bc360aa191eb178562807a0553dc8e1de44b96c807d763ecf931f9babc9debc1c9092f71595249db5b9aa3badd0d76b |
memory/4088-25-0x0000000005130000-0x0000000005196000-memory.dmp
memory/4088-26-0x0000000005A10000-0x0000000005A76000-memory.dmp
memory/1508-24-0x0000000005790000-0x00000000057B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_usfmofov.3vf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1508-37-0x0000000006280000-0x00000000065D4000-memory.dmp
memory/3988-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3988-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3988-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4216-50-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/3988-52-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3988-51-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3988-53-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3988-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3988-56-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4088-55-0x0000000006170000-0x000000000618E000-memory.dmp
memory/4088-57-0x0000000006200000-0x000000000624C000-memory.dmp
memory/4088-58-0x0000000002930000-0x0000000002940000-memory.dmp
memory/1508-59-0x0000000002FE0000-0x0000000002FF0000-memory.dmp
memory/4088-62-0x0000000070AA0000-0x0000000070AEC000-memory.dmp
memory/4088-63-0x000000007F330000-0x000000007F340000-memory.dmp
memory/1508-74-0x0000000070AA0000-0x0000000070AEC000-memory.dmp
memory/4088-73-0x00000000070C0000-0x00000000070DE000-memory.dmp
memory/4088-84-0x0000000007130000-0x00000000071D3000-memory.dmp
memory/1508-61-0x0000000006E30000-0x0000000006E62000-memory.dmp
memory/1508-60-0x000000007F610000-0x000000007F620000-memory.dmp
memory/4088-86-0x0000000007470000-0x000000000748A000-memory.dmp
memory/4088-85-0x0000000007AB0000-0x000000000812A000-memory.dmp
memory/4088-87-0x00000000074E0000-0x00000000074EA000-memory.dmp
memory/1508-88-0x0000000007E00000-0x0000000007E96000-memory.dmp
memory/1508-89-0x0000000007D80000-0x0000000007D91000-memory.dmp
memory/4088-90-0x00000000076A0000-0x00000000076AE000-memory.dmp
memory/4088-91-0x00000000076B0000-0x00000000076C4000-memory.dmp
memory/1508-92-0x0000000007EC0000-0x0000000007EDA000-memory.dmp
memory/4088-93-0x0000000007790000-0x0000000007798000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/4088-98-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/1508-97-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/3988-99-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3988-100-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3988-101-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3988-102-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3988-103-0x0000000000400000-0x0000000000482000-memory.dmp