Analysis Overview
SHA256
145f990406000a1e944fef609e608edd4f6a347d4038e880599bcc1fb6c709b7
Threat Level: Known bad
The file Quotation.pdf.gz was found to be: Known bad.
Malicious Activity Summary
Remcos
Drops startup file
Loads dropped DLL
Executes dropped EXE
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-02 08:20
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 08:20
Reported
2024-04-02 08:22
Platform
win7-20240221-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Remcos
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2928 set thread context of 1144 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | shgoini.com | udp |
| US | 107.175.229.143:30902 | shgoini.com | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/2236-10-0x00000000001A0000-0x00000000001A4000-memory.dmp
\Users\Admin\AppData\Local\directory\excel.exe
| MD5 | e6228228f20b7069720bb08b1d52ba7b |
| SHA1 | d55e4ee12e71394dc8007f3cbc096117a06ab474 |
| SHA256 | 74722750c670e03335a42e44963375399f46ab2ae78383a4cacc136fc943bc63 |
| SHA512 | 0176266cf55ff7c236e5936b682ed8486dc6bdc4f4f567bcd9e7d60fd68c421452b3da9f163c9a63659ed750e36c29ffa6f2da1553b09e62c0fd579e8e6ada5e |
C:\Users\Admin\AppData\Local\Temp\intersentimental
| MD5 | 33b3a37e1729538227a84e8aec307e27 |
| SHA1 | d888cf3906a4bc58ccc74cba9fe6f314d3be29dd |
| SHA256 | 61616629bc83442de66185fb8a8b3ed37d4fc690d473e28cf570527a5db7d456 |
| SHA512 | 7d1f025b2c18f6b1e7d1793897a17bc36f95a417d1764efc109144b0ffbb8c0a43ea216cab1e3d16935565bcd309ac8845e9df1805f99a1ac8d1f687ad52ef80 |
C:\Users\Admin\AppData\Local\Temp\ambiparous
| MD5 | 5836e6fb1198f5826ca8facdba529e79 |
| SHA1 | cc17afcef2c435265036b8520728963b91ae652c |
| SHA256 | f59b9e90acdbe2a0cc3e5e66bb3214adb7506fc775b8264e36e408a21decfba0 |
| SHA512 | f66d5d9e96911ffe7228d2db7b305ee404ba59d25fcde778d00a590417e3606b72dac0a91b7edb4e5d42f7a5a14990eaf4b5058e16ca5e12b49701c6168e3045 |
memory/1144-30-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-32-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-33-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-34-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-37-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-38-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-42-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-46-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1144-48-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 08:20
Reported
2024-04-02 08:22
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
147s
Command Line
Signatures
Remcos
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1084 set thread context of 4164 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2776 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 2776 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 2776 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 1084 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1084 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1084 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1084 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
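The SetThreadContext and WriteProcessMemory rows above (and their counterparts in behavioral1) describe a single chain: Quotation.exe writes into excel.exe, and excel.exe writes into and then sets the thread context of the SysWOW64\svchost.exe it launched, which is the RunPE / process-hollowing sequence. The Python below is an added example, not part of the sandbox report or its tooling: it parses rows in this page's own table layout (the behavioral2 rows, embedded as constructed input, duplicates included), de-duplicates them, rebuilds the PID chain, and flags the hollowing pair, the AppData-to-Windows-image masquerade, and the Startup-folder drop. Function names and the heuristics are my own.

```python
import re
from collections import defaultdict

# Constructed input: signature rows in the page's own table layout, copied from
# the behavioral2 run (Description | Indicator | Process | Target). The
# duplicated rows are kept on purpose because the report repeats them.
REPORT = r"""
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1084 set thread context of 4164 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2776 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 2776 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 1084 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1084 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
"""

PID_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")
HOLLOW = {"wrote to memory of", "set thread context of"}
STARTUP = "\\start menu\\programs\\startup\\"   # per-user Startup folder (lower-cased match)


def parse_rows(text):
    """images: pid -> image path; edges: (src, dst) -> set of actions;
    drops: (process, created path). Sets de-duplicate the repeated rows."""
    images, edges, drops = {}, defaultdict(set), []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        desc, indicator, process, target = cells
        m = PID_RE.fullmatch(desc)
        if m:
            src, action, dst = int(m[1]), m[2], int(m[3])
            images[src], images[dst] = process, target
            edges[(src, dst)].add(action)
        elif desc == "File created":
            drops.append((process, indicator))
    return images, dict(edges), drops


def injection_chain(images, edges):
    """Follow src->dst edges starting from the PID that nobody wrote into."""
    targets = {dst for _, dst in edges}
    roots = sorted(p for p in images if p not in targets)
    chain, pid = [], roots[0] if roots else None
    while pid is not None and all(p != pid for p, _ in chain):
        chain.append((pid, images[pid]))
        nxt = sorted(dst for (src, dst) in edges if src == pid)
        pid = nxt[0] if nxt else None
    return chain


def hollowing_pairs(edges):
    """WriteProcessMemory plus SetThreadContext against the same target is the
    RunPE/hollowing sequence; WriteProcessMemory alone is weaker evidence."""
    return sorted(k for k, acts in edges.items() if HOLLOW <= acts)


def masquerade_targets(images, edges):
    """Code from a user-writable path (AppData) injecting into an image under the Windows directory."""
    return sorted((src, images[dst]) for src, dst in edges
                  if "\\appdata\\" in images[src].lower()
                  and images[dst].lower().startswith("c:\\windows\\"))


def startup_drops(drops):
    """Files written to the per-user Startup folder, which run at every logon."""
    return [(proc, path) for proc, path in drops if STARTUP in path.lower()]


def summarize(text):
    images, edges, drops = parse_rows(text)
    return {
        "chain": injection_chain(images, edges),
        "hollowing": hollowing_pairs(edges),
        "masquerade": masquerade_targets(images, edges),
        "persistence": startup_drops(drops),
    }


if __name__ == "__main__":
    for key, val in summarize(REPORT).items():
        print(key, val)
```

The same parser runs unchanged over the behavioral1 rows (PIDs 2928 and 1144), whose WriteProcessMemory table is missing from the report; with only the SetThreadContext row available the hollowing pair is not flagged, which is the correct behaviour when the evidence is incomplete.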
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1304 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shgoini.com | udp |
| US | 107.175.229.143:30902 | shgoini.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.229.175.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.134.221.88.in-addr.arpa | udp |
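Most of the rows in this table are reverse (PTR) lookups made by the sandbox host rather than by the sample; the actionable pairs are the DNS answer for shgoini.com followed by TCP to 107.175.229.143 on the non-standard port 30902, and the geoplugin.net lookup that Remcos is known to perform for IP geolocation. The Python below is an added example, not part of the report or its tooling: it parses the table rows above (embedded as constructed input, including the row whose Domain cell is empty and whose protocol slid one column left), separates PTR noise from real resolutions, maps each PTR name back to an IP so it can be matched against the contacted endpoints, and extracts block-list material. The list of geolocation services is an analyst-chosen assumption.

```python
# Constructed input: the behavioral2 Network table from this page, including the
# row with an empty Domain cell and the protocol shifted into the wrong column.
NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shgoini.com | udp |
| US | 107.175.229.143:30902 | shgoini.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.229.175.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.134.221.88.in-addr.arpa | udp |
"""

GEO_SERVICES = {"geoplugin.net", "ip-api.com", "ipinfo.io"}  # assumption: analyst-chosen list
WEB_PORTS = {80, 443}
PTR_SUFFIX = ".in-addr.arpa"


def parse_network(text):
    """Rows as dicts: country, ip, port, domain, proto. Tolerates a missing Domain cell."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and not proto:   # protocol landed in the Domain column
            domain, proto = "", domain
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'143.229.175.107.in-addr.arpa' -> '107.175.229.143'; None for non-PTR names."""
    if not name.endswith(PTR_SUFFIX):
        return None
    return ".".join(reversed(name[:-len(PTR_SUFFIX)].split(".")))


def triage(rows):
    tcp = [r for r in rows if r["proto"] == "tcp"]
    contacted_ips = {r["ip"] for r in tcp}
    ptr_ips = {ptr_to_ip(r["domain"]) for r in rows if r["domain"].endswith(PTR_SUFFIX)}
    return {
        # a resolved name followed by TCP to a non-web port is the C2 candidate
        "c2_candidates": sorted({(r["domain"], r["ip"], r["port"]) for r in tcp
                                 if r["domain"] and r["port"] not in WEB_PORTS}),
        "geolocation_checks": sorted({r["domain"] for r in rows if r["domain"] in GEO_SERVICES}),
        # TCP with no name in the report: cannot be tied to a resolution, review separately
        "unnamed_tcp": sorted({(r["ip"], r["port"]) for r in tcp if not r["domain"]}),
        # PTR queries the sandbox host made for IPs the sample actually talked to
        "ptr_lookups_of_contacted_ips": sorted(ptr_ips & contacted_ips),
        "ptr_noise": sum(1 for r in rows if r["domain"].endswith(PTR_SUFFIX)),
    }


def iocs(rows):
    """Block-list material: resolved names (PTR noise dropped) and ip:port endpoints."""
    names = sorted({r["domain"] for r in rows
                    if r["domain"] and not r["domain"].endswith(PTR_SUFFIX)})
    endpoints = sorted({f'{r["ip"]}:{r["port"]}' for r in rows
                        if r["proto"] == "tcp" and r["ip"] != "8.8.8.8"})
    return {"domains": names, "endpoints": endpoints}


if __name__ == "__main__":
    rows = parse_network(NETWORK)
    print(triage(rows))
    print(iocs(rows))
```

The unnamed 13.107.246.64:443 connection is reported without a name, so the script lists it separately instead of guessing; in behavioral1, which has no PTR rows at all, the same code yields only the shgoini.com and geoplugin.net pairs.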
Files
memory/2776-10-0x00000000020F0000-0x00000000020F4000-memory.dmp
C:\Users\Admin\AppData\Local\directory\excel.exe
| MD5 | eca43f94ca4669d37f24e5977d217791 |
| SHA1 | 1082e8add1f75eb71e280a5d2adc659c85ecb2d7 |
| SHA256 | 18a02d041dba1591ebf60550033fb7d38b8e0ed699b9941e6da868baed145235 |
| SHA512 | 69bf1cc274105ffaaf102ce221667c91de4e7958da70ba4622d8a16385da8fd93b4f479f81504d8bb57081f2e201df01c1054f06824e19cfa9c7226d4ce144dc |
C:\Users\Admin\AppData\Local\Temp\ambiparous
| MD5 | 5836e6fb1198f5826ca8facdba529e79 |
| SHA1 | cc17afcef2c435265036b8520728963b91ae652c |
| SHA256 | f59b9e90acdbe2a0cc3e5e66bb3214adb7506fc775b8264e36e408a21decfba0 |
| SHA512 | f66d5d9e96911ffe7228d2db7b305ee404ba59d25fcde778d00a590417e3606b72dac0a91b7edb4e5d42f7a5a14990eaf4b5058e16ca5e12b49701c6168e3045 |
C:\Users\Admin\AppData\Local\Temp\intersentimental
| MD5 | 33b3a37e1729538227a84e8aec307e27 |
| SHA1 | d888cf3906a4bc58ccc74cba9fe6f314d3be29dd |
| SHA256 | 61616629bc83442de66185fb8a8b3ed37d4fc690d473e28cf570527a5db7d456 |
| SHA512 | 7d1f025b2c18f6b1e7d1793897a17bc36f95a417d1764efc109144b0ffbb8c0a43ea216cab1e3d16935565bcd309ac8845e9df1805f99a1ac8d1f687ad52ef80 |
memory/4164-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-29-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-30-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-31-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-32-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-33-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-34-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-39-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-40-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-42-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-46-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-47-0x0000000000400000-0x0000000000482000-memory.dmp
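Every one of the 17 dumps taken from PID 4164 (the svchost.exe that excel.exe set the thread context of) covers the same 0x400000 to 0x482000 range, so the region the sandbox kept dumping is the one the injected payload lives in, at the default 32-bit EXE image base. The Python below is an added example, not part of the report or its tooling: it parses the report's dump file names (embedded above as constructed input), counts how often each region was dumped, and picks per PID the region to carve the unpacked payload from. Function names are my own.

```python
import re
from collections import defaultdict

# Constructed input: the memory-dump names listed under Files for this run, in
# the report's own scheme memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp.
DUMPS = """
memory/2776-10-0x00000000020F0000-0x00000000020F4000-memory.dmp
memory/4164-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-29-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-30-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-31-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-32-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-33-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-34-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-39-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-40-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-42-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-46-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4164-47-0x0000000000400000-0x0000000000482000-memory.dmp
"""

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DEFAULT_IMAGE_BASE = 0x400000   # linker default for 32-bit EXEs


def parse_dumps(text):
    """Return (pid, seq, start, end) tuples; names that do not match or have an
    empty/inverted range are skipped."""
    out = []
    for token in text.split():
        m = DUMP_RE.fullmatch(token)
        if not m:
            continue
        pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
        if end > start:
            out.append((pid, seq, start, end))
    return out


def regions(dumps):
    """pid -> {(start, end): number of times that exact region was dumped}."""
    by_pid = defaultdict(lambda: defaultdict(int))
    for pid, _, start, end in dumps:
        by_pid[pid][(start, end)] += 1
    return {pid: dict(r) for pid, r in by_pid.items()}


def carve_candidates(dumps):
    """Per PID, the largest dumped region as
    (pid, start, size, times_dumped, at_default_image_base), largest first."""
    out = []
    for pid, regs in regions(dumps).items():
        (start, end), n = max(regs.items(), key=lambda kv: kv[0][1] - kv[0][0])
        out.append((pid, start, end - start, n, start == DEFAULT_IMAGE_BASE))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    for pid, start, size, n, at_base in carve_candidates(parse_dumps(DUMPS)):
        print(f"pid {pid}: 0x{start:X} size 0x{size:X}, dumped {n}x, image base: {at_base}")
```

The 0x4000-byte region in PID 2776 (Quotation.exe) is a small scratch buffer, whereas the 0x82000-byte region in PID 4164 is the one to hand to a PE-rebuilding tool; the repeated dumps are the report's own listing and are collapsed to one candidate per PID.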