Analysis Overview
SHA256
324b231b961f203f830af2a9eecfc3015e0e10a340309174392075aa555b2447
Threat Level: Known bad
The file a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Nirsoft
NirSoft MailPassView
NirSoft WebBrowserPassView
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 09:59
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 09:59
Reported
2024-04-02 10:02
Platform
win7-20240221-en
Max time kernel
69s
Max time network
125s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe
"C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
Network
Files
memory/1704-10-0x0000000000160000-0x0000000000164000-memory.dmp
\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 730fd6425490051551536c3b47fb4147 |
| SHA1 | 99a9202643cc0f1dcc4f34e0bde482817849e32a |
| SHA256 | 9df8d0802da3f328ed644ca93781c0b285e3d61d647f83511bfcb2bd56bc6415 |
| SHA512 | d0f027672b7f3690b6490e2f71c01d16f825c3db990839e2a7dcc480be95a3f7629e944b9c090e8d99308ee86d9728b512c09580e369c09ceb8755c5a604d553 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | cf30a2c2e202adaa306fa4a47cd4e4c2 |
| SHA1 | 94a2bdf9d9faf109c28a78775b11437e0e101e6f |
| SHA256 | fd9d4682527e7e3d14cd04e589e6ad26c2c105ea3ca4bd29706dc15073783f46 |
| SHA512 | 21f6e36ee19ca0190d483d5b709a4d0d1750e85b3232b5fcf1cd244755f1b5d8dc2fb92b5c9166119a6037cd35fa578f449c6d4ea90d46cfbeac46ba7ce1e647 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | b5e4caeeb145930dd17e4c741c2921a1 |
| SHA1 | be97202e6bd8b24f626741025b1ac9417ba481a4 |
| SHA256 | 08eedaec67807440e15962ee57777c7e6a74c123211aaffa05540f565266522d |
| SHA512 | 7d3910543360917499ce2a33148c449df4d39a167a4c6be227c785845005398f7e4020e2324960b12eb4192d4611c22b65f8cdbcf0bd28c7a65409dec7ec39d6 |
C:\Users\Admin\AppData\Local\Temp\translucently
| MD5 | 0f62f30f40f703c2032293d600a39023 |
| SHA1 | 45e35cf0dfef87762f778af26cd0d6da78ff20f5 |
| SHA256 | 84d10a4ef939181773c5ac65f779db2df4bc5a314911a10ad661385bbe7019a0 |
| SHA512 | e9e6780120688e712f84429f9a14d6b87278e821e21308f26a39750fe7a5acab158e1be13f35701c2c7c9c8748a1a3f6fb2306d787f6dad9911e332404be8e35 |
C:\Users\Admin\AppData\Local\Temp\orographically
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | d23949ef8b67fe75cc35178f29f085b5 |
| SHA1 | 3524ef80c9718c1799387858d09c42bfe3ce1dc2 |
| SHA256 | eb638067583763a999ab323a66dca1ad4fc71617372ca02dbb103692b319477e |
| SHA512 | bd6cd820ad4772a07bbe6c5034131a2cdd2706c98adf8f29d21e2ca0629c0803bb5c2d4c5146f1caf19173cdd8bd8e651029a6439777d72f3ae7799724abcef5 |
C:\Users\Admin\AppData\Local\Temp\aut6F37.tmp
| MD5 | 2644676ce90c118f0e67e0878d9ae0be |
| SHA1 | 35b4f91ebc96318e758120ce2bc7065b3a06fa8e |
| SHA256 | ffb28a12f62a2ae2553312ce4c90a126466ed7bf61eb61de1b4f32578d46308a |
| SHA512 | 8721eb5ac8abb321aa836036adef42f9b210cf07a70aefe9a50d9c9e2534d9936fd6c1781cc330a3b37b1316410262c7533ab57ed7cbd24dfc0a017a2937d5ff |
C:\Users\Admin\AppData\Local\Temp\orographically
| MD5 | 06ce9b88a2fc490c23d22c73dbc79600 |
| SHA1 | 17f0144dab89510931a68ad58686a23255e0f4c8 |
| SHA256 | d27a7b27b70ea26b82337c20adf7d7703c551560395e376576fd1f3d0ea124e3 |
| SHA512 | 9cb137c0b7c65721a50d53cf5068ce101c10634486e54a3efd925024bdb1b4371bc153997b3ce37adf4b6ff3891070e2c4a0d3c0d35797a9fcdb2693e16fbc74 |
C:\Users\Admin\AppData\Local\Temp\aut6F76.tmp
| MD5 | a1cd843e7f1a1d118f9a0a8f8558c1cf |
| SHA1 | cf756f78469d624158b76ebdc854c0c44a9e82b0 |
| SHA256 | 7967c3a8c810b9913992cd2d2178b2755e81a00b8252fba9ec15a149d3426893 |
| SHA512 | e6ec694edad780805f8fba079b2cb9c4f4693aa0bf7147f48c046cf6c4b24df8f67459cb04948683e45c347f68e1a25a70c04485cf48ee49988e8773171ccaf3 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 1c6597895cfee9a17e71278c16d41a37 |
| SHA1 | abc6fb83e0ea2467fe231ead090135aecf31c7ea |
| SHA256 | 4ee00ed260e31e3b4344db838c209d0c0465617774cf331c0a670b3342f51a72 |
| SHA512 | 01226760a07dce9ca3375378ad42341b69b60d07babbbd45e64ae75211c85897c94b9d5de2910fa004518656ff26185a9c0a6b07f243c6ac457f66bf18e9092a |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 1cf40f2ce458c7d7a5a76e357f844307 |
| SHA1 | a0d615ae967203bd029235000880349b4f0f121a |
| SHA256 | 7867b9a6af5139ad9161ed2b3f3e319d30e3c14b05a0813c3f9d21be00c17985 |
| SHA512 | beb80bfea6ae20c92c2cca27bdbf85b9da9201955f05a060da32152847b12c5b0e814fdd107ab55ea950eb875cd8e42237b33d1e7887c8c95df27ba59248a5cc |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 1ad88c3c736bd4fab5aab28b6424ede5 |
| SHA1 | 55098bfa6da7a31219b0503a7ec67346b7c01430 |
| SHA256 | 69483520a8ac36b557dabb04acec1c9fc41f3444ed1ea31947c7267cacae411f |
| SHA512 | 1648e5dac86b12c238bd5cad8b3ee656a150914128a753b6a8920887ff33e0d00a75545bfdc090f02c59c8ab17171caff0b5d32e61bd89a73c823a319089f124 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 4d0bf21e69e5a4be7492fba6ded307eb |
| SHA1 | d66bedfea650d0222de7d567483207e9cd04b072 |
| SHA256 | 6fccb7a65251c4672bc37c86a9d4131ec4a1081b9d5563b5ba18229de8f5c164 |
| SHA512 | 740cb476837b9411dc2d88099b9ff4c6e4d02503a6294b7dc426678bc516e89e412046428958474cda8dd67eea9f7b2dbce4902c9015843871c9f096da0b198a |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 827f097336db11c79c25e8048c85eca7 |
| SHA1 | 4dc653c20a3300a93494194eac2f2c842cde4dd0 |
| SHA256 | ea696009ec8e26f4c721b5149408a4c63e13ffa17299c252c9684e8a72d4d943 |
| SHA512 | 53e777bc23f97a02716acc3210eaa8dde2d508cbe153670bfebe5fc805423f0747fc5604e334ca9d5aa8e3e87da4f3c71677bec445635776c82a97f8f849f0fc |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | d6e2932f1152f0ebda187e15ce4b5932 |
| SHA1 | 446684a1eec4868ac9f318f0438cc863b2084b51 |
| SHA256 | 0e75d9e44665797d526e20393e3d5da7151113066190490b956c162968d7926b |
| SHA512 | c1c745207467d268ce5a110d242a169a5a5d739e286b341fa700a81a70113f995d5d7c8601c43c28373a367dff42c815494037d10ba57f5b9061c639ccb9d897 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | d26933ace3913bf1aa5176257906f79e |
| SHA1 | b1fe263fdda081e766541418f2e018e9f6ca3d3e |
| SHA256 | 2e375aeb4e52f330e8687f41c12fc2bdb7c617167f6c4d95effaaa05f5e265aa |
| SHA512 | 7cc4b3efeb6f74aa2025ba10d0a75268cf490d4b749312fa991b53831e2a05733248efab5f8aacfbd9f3113cea5bade89386dbba597d8904d2fb982184af84f2 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | dc279b19ad95d156ce6f1d4cdb173a79 |
| SHA1 | 0b6bafe3eaeb3f2bc5161d11cc67b07ffd324a37 |
| SHA256 | 9bf25737da6f30885ebbb79cda8d120ab0d38e281c3d64f3c06f14ee94f270e3 |
| SHA512 | eceadc760f16f796d822562f50bc0e26d1371cfa6813af35d3530b262be702b1daf51cc5cbc1006c9d9e934eae2c66399a76e10019d82a183e9c02361af45e5e |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 7f0fc877b795bf193fc41b60d226bf19 |
| SHA1 | 9dc04b5106cfa68d2451213ff3f15e2395c08f1d |
| SHA256 | ac9d47e5e4261ce813e9f0dc2346b72675e2401a39edd8119c5ad1861269bd13 |
| SHA512 | d1d0c9a47699f28e32dbf4001498675b09668ca6e93830c5c04b0c37ed598da6f72df9912d9506578579bd59e546faf36218e176aba1279fff1edfb7cc1ac518 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 0380c3f0c0633d5715fab21227eabbea |
| SHA1 | 3d6118b0046e2990d5cf88cfbfbfcf037faad70d |
| SHA256 | 1ccd4574539ab7ce541a78e46f7b60903bc12e377d141097dcf94cf96092e1b7 |
| SHA512 | 4b93aaa1e95d7c84b51487681551ada1c2da2b389ee470adde40e02e6c7a9ebea309796645917a38479bc1da758ae73f77d812cb3f14fb067cea59942cccdf29 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 86224519b71954d204d171775b1c12b2 |
| SHA1 | a9c81a66066f7f063d6c218525e0ee520d915241 |
| SHA256 | 9050da8414f4c0d04477cbb8d708a5662def6d52d702fa2dd686f1934c863b4f |
| SHA512 | 92c29ad429e95290ebb9bfe9699e7e2f9e57cb783a0c1df901bd7303773a3496542e0eee9919c0e7c5c637bcc3cd83d3a875d9b9ef7069dabdd625e5fc44846b |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 787b15f927cae393dc56df467b869102 |
| SHA1 | 71034bfd589dd005f261cf6a90b7bd6188755e32 |
| SHA256 | a09e33a8cb8bed72a25a422317e00dd53bea3a2ed7a4088de5d3fb18eac1ba46 |
| SHA512 | 3b9d7d4bfe4147b1341c909eb42c7a58397ec063ec7c7b4b86a03cb49530da41dd526308729734634995f1e592e950418c021257204fa00ae3cfe0168a69ce8a |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 97cb51d4be2694a169f1557461d29991 |
| SHA1 | c2f2bbf323a0c8598d59f913ba0a22fa299164e4 |
| SHA256 | 9e46370cc25778a545d68d1b8a44cb435bd77b6cc2dbc9444b65bc13f2b5b593 |
| SHA512 | 2018c8b32df78c69dbd54f63646cdbf83be6847a2b6665a45444d2797940f8d44e42de1004e04d185f77c8ba01a09a42d3c3cfcb2d7d6aae41afa6983ce75ab4 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 218b8f5407f1ad792ecc5133ff6fcc25 |
| SHA1 | fe944fc703a0369c15f6216767e1d20e097e781e |
| SHA256 | dc491f5ee8f17469938de8b8e536ddd532288ea432c4530b4087a87940615a01 |
| SHA512 | 94c60c84e4b0cccfb8200ab1267511b4b0ad5cdc3ae7ddef2f501896eeae6e2b02caa45b2babde7096b6dcabba5abd02a4bd7f2062fa2fcbd7337d8146b2250c |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 414d8b4eb3639474710af3fa10e9eba9 |
| SHA1 | b6a19eae634eed8af5eed71edd2d689d961e69e2 |
| SHA256 | 0c04faa374c5f7d8a4611471275764fc0276c65f8d1eec953cb5bbbd7ea66a5a |
| SHA512 | 5566584c66e19b4d8a8e112d23a233a375db47d059337a2aa04b2d7a1ed035d370a22e6c7351b482a94ef05539ce424030722617c9647ed6cd741335db910609 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | cb177d52255dde93a5baf20cf9c35b39 |
| SHA1 | 6cf2d3a3463477c8e5b64da87bbc1219a9498459 |
| SHA256 | 8e3ce74fcc0536bb16b3cc0280b1a1ce45d048e92c5582aa7f428c2000111d21 |
| SHA512 | c95e8665322d7fcdb2d1ac4b5542602e3a921e95ed05859906b29c2628fb0ea3d4075bd55a26dbf83f0d48f9d5a42c8cdb79905d99b42cfdd95136094cf620a1 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 9ee3cfb705030f8b3798634d8541ad2f |
| SHA1 | e049da4ffa3fa0c1b4842cf19c2d6b86f9f01f62 |
| SHA256 | 005ea841832ad8bb097a727300189282db1a5d3ac95a0f53e51554b86185edd3 |
| SHA512 | 58544306878a054f249339226a74367cdc9d7ce57d19c1382af3a80a2a3f0a6f9ee5c6dbfaaf8442bc494fd3c84c388a09d59f73f12364adf2e1d72851952590 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | b385cd55f9b1f70fccac4ff167f714ed |
| SHA1 | 04a21629190318723dbc49a1fe8648fdf98cc3d6 |
| SHA256 | 0310ea6af1231510b878c6aa07e859509fafc94b859e375636b00278d8a9684d |
| SHA512 | 893b82f12a17536336b5620194c31a032cfc2e71939d111132224c7b11741b180c09035a91a97ead859fa1d4666ff321a35270a96d6abc21ac3c83459ee98371 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 6b9b307d55c1deec87ca3372ce2c42c6 |
| SHA1 | d638c64294fa32aa678ddca18b82f0dc60e5a0e3 |
| SHA256 | c008396f061d15511005f26d2b4d83f27713db8fd539a0a3022075594e51e845 |
| SHA512 | 5e681ac2e156294401aa60d537ad6aa85d9b66014fec011b708b3a24bfee53d1ed67dd4e95e3a1a61e9912f45b38b9d3ba1e68158dc50963218a52e3314275ef |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 09:59
Reported
2024-04-02 10:02
Platform
win10v2004-20240319-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
Remcos
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4524 set thread context of 4580 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe |
| PID 4524 set thread context of 3112 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe |
| PID 4524 set thread context of 2916 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe
"C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\ctglbicyoxgcpcalzcislyqlpd"
C:\Users\Admin\AppData\Local\directory\name.exe
C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\ctglbicyoxgcpcalzcislyqlpd"
C:\Users\Admin\AppData\Local\directory\name.exe
C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\nvleuanscfypriopjmvtockcxjjam"
C:\Users\Admin\AppData\Local\directory\name.exe
C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppqxvlxuqnquboktaxqnzpflyyajnupm"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4592 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.34.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 107.175.229.139:8087 | | tcp |
| US | 8.8.8.8:53 | 139.229.175.107.in-addr.arpa | udp |
| US | 107.175.229.139:8087 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| IE | 94.245.104.56:443 | | tcp |
| GB | 51.140.242.104:443 | | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| GB | 51.11.108.188:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| GB | 13.105.221.15:443 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
Files
memory/1948-10-0x0000000001460000-0x0000000001464000-memory.dmp
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | b52951030928c184f7bb5af349b9a27d |
| SHA1 | 8dcceaa751fe3d06ba019de2e68f1f3a3a0b355f |
| SHA256 | 2424099047cf77475eadd43629b2551668585e5a3ff97896776914ee800cb0a4 |
| SHA512 | f571d285623b736432afa299c983ad4fefc7f86e0354ada444024d8ccd1289f2fc44232744128aebbd76bf21ac60a17b19d89f0fc6db2cd5f4ccfd53141bdf8f |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | ac87e2d4b76aa20f541d7e6aefc2c20c |
| SHA1 | 832b2fddf008336ec74d3ffded852878205bbb21 |
| SHA256 | 3c287c392f59566e449f799760101b68c34f36c0671c05b11992993131b4cebb |
| SHA512 | c8504253fc839d1031817990821878e032a6fa497829bc83125288c58e6380f32467ef1f2e5caca7751563edb8a3752e212f1d772e794a0ceda5a2b5dcaceb50 |
C:\Users\Admin\AppData\Local\Temp\orographically
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\translucently
| MD5 | 0f62f30f40f703c2032293d600a39023 |
| SHA1 | 45e35cf0dfef87762f778af26cd0d6da78ff20f5 |
| SHA256 | 84d10a4ef939181773c5ac65f779db2df4bc5a314911a10ad661385bbe7019a0 |
| SHA512 | e9e6780120688e712f84429f9a14d6b87278e821e21308f26a39750fe7a5acab158e1be13f35701c2c7c9c8748a1a3f6fb2306d787f6dad9911e332404be8e35 |
memory/4524-29-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-33-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-34-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-31-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-38-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-37-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-40-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4580-42-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3112-44-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3112-50-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2916-49-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4580-48-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 8174c9d8f4be278d7c57b4df8d3c5462 |
| SHA1 | 0a80ef5846da1a71273cefc7a211b8bbd1234df4 |
| SHA256 | 280823e0faee3e31c3e41256a4aa0b6825c14ec700343214684b07f5228885e4 |
| SHA512 | ca5fe3cba87a8e8521021f6d95ad8d25ce1a4d9ce81c676cd2dc600aa654d893b5fe857309d39ce27f6adf19521b5872ad41764af7dcd92caa90b3aeadf013a6 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 93817dbd5d990412136abbeccb2a44d4 |
| SHA1 | c0b65133ccc0410a91819dfcb9f7f2803d13d49d |
| SHA256 | b5ffc366eb4b9c880a46dd2470c52e7eca64cb103b54c9397ffaab316d107c77 |
| SHA512 | 51b7a55c0b3f6d7017e1c98d56b4dba45f21d56cddb7763b6ce366592add9c02747637dfd3c0620adcc148f83e5d4a0e7d554990901ea680fd8046cd303daa67 |
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 2bb6989d2ed443d35059bbd3dc494a82 |
| SHA1 | cd96326bde9fa5019f9ef3c0156bf3d52e111ee7 |
| SHA256 | 6d06cb56c35a57b042ebd98fefcf260ffabc846980cd2ab47c91765703882645 |
| SHA512 | bd2c7e6888a9b081b114f074a91d096bc7a50a325d5d1269834a09264cdf3c5b5693090b490a5bb455ac5fafea26ee470bc491ae30a1631fb47605b0e79fa776 |
memory/2916-56-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2916-62-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2916-63-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2916-61-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3112-60-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4580-55-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3112-54-0x0000000000400000-0x0000000000462000-memory.dmp
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | b1efa6410aa3ec031c46c854e88049eb |
| SHA1 | 092094b8e0232a5568203dd6d2bcba68aa13de63 |
| SHA256 | eed4c0bf0f88627a548714ab78fdd8172868cc83276d3d87183e4f478aeb6c45 |
| SHA512 | 8739d3773f26833defc0b3e1d4f91aaab3234e0db07f7f8b1e97f05294383cad62793c295495853dbdd096aadb81d289be063f634a704db8e0d641bf3125a0d6 |
memory/4580-71-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ctglbicyoxgcpcalzcislyqlpd
| MD5 | 51bdd8d5f186fd32bf22b3988240e19d |
| SHA1 | 37a83c9c1f636bd0e5a1b806804fc5323c80791d |
| SHA256 | 4dd5d2764bba141c582357273d5d7a869888908b4a1b52423a489d58bba597be |
| SHA512 | a477cb0dd68901641cea43100c952d1c253c32388492204b2387a333ad1d5bed0155f08f430f010ef53fe9592945def73c3d28e77293c58d951b652410e8c6f7 |
memory/4524-73-0x0000000010000000-0x0000000010019000-memory.dmp
memory/4524-77-0x0000000010000000-0x0000000010019000-memory.dmp
memory/4524-78-0x0000000010000000-0x0000000010019000-memory.dmp
memory/4524-80-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-79-0x0000000010000000-0x0000000010019000-memory.dmp
memory/3112-85-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4524-84-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-87-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-88-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 25f4c1b2c91893a638a1ba59ef598c53 |
| SHA1 | caa6b0b5c14485f46b8f0f35022bb5422b42a789 |
| SHA256 | 07927dc12f121149bc695ce102b8276b936778ab953e940dd0b1053f1c274570 |
| SHA512 | 9788b07ef3b7006e1d568ff502f05ef32aa3fe421873b5200a277e33ad096e0cb8acc2599a2dcfb610fa23b6b28ecaa13fd17821b0416421368e1df91467153c |
memory/4524-90-0x0000000010000000-0x0000000010019000-memory.dmp
memory/4524-96-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-104-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-105-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-112-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-113-0x0000000000400000-0x0000000000482000-memory.dmp