Analysis Overview
SHA256
04c8c64580324331a7c2c86d8191c20abac992ffc8b81f5b432e6f6bb5974a2c
Threat Level: Known bad
The file 145f990406000a1e944fef609e608edd4f6a347d4038e880599bcc1fb6c709b7.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Drops startup file
Executes dropped EXE
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-02 13:33
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 13:33
Reported
2024-04-02 13:36
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
Network
Files
memory/2392-10-0x00000000003D0000-0x00000000003D4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 13:33
Reported
2024-04-02 13:37
Platform
win10v2004-20240226-en
Max time kernel
183s
Max time network
180s
Command Line
Signatures
Remcos
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 956 set thread context of 440 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\directory\excel.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\directory\excel.exe"
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shgoini.com | udp |
| US | 107.175.229.143:30902 | shgoini.com | tcp |
| US | 8.8.8.8:53 | 143.229.175.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
memory/3956-10-0x0000000003AF0000-0x0000000003AF4000-memory.dmp
C:\Users\Admin\AppData\Local\directory\excel.exe
| MD5 | 0f3d2c4ea88d4642a53ad36dd393141e |
| SHA1 | 0a36a0acc8586a5f4e60195b8491da35b73367d3 |
| SHA256 | 35724ab95db9c562617c22641138f080e8a3d46304b3afa956a21e689f88fc21 |
| SHA512 | 7a798697fab124bc7ea27933db28d0fe3f04b3a1e1cdba9683eea07ddcd53efaff263176d573473fa5942028b70da67971884645683aefe6800c61e60e1e2035 |
C:\Users\Admin\AppData\Local\Temp\ambiparous
| MD5 | 5836e6fb1198f5826ca8facdba529e79 |
| SHA1 | cc17afcef2c435265036b8520728963b91ae652c |
| SHA256 | f59b9e90acdbe2a0cc3e5e66bb3214adb7506fc775b8264e36e408a21decfba0 |
| SHA512 | f66d5d9e96911ffe7228d2db7b305ee404ba59d25fcde778d00a590417e3606b72dac0a91b7edb4e5d42f7a5a14990eaf4b5058e16ca5e12b49701c6168e3045 |
C:\Users\Admin\AppData\Local\Temp\intersentimental
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\intersentimental
| MD5 | 33b3a37e1729538227a84e8aec307e27 |
| SHA1 | d888cf3906a4bc58ccc74cba9fe6f314d3be29dd |
| SHA256 | 61616629bc83442de66185fb8a8b3ed37d4fc690d473e28cf570527a5db7d456 |
| SHA512 | 7d1f025b2c18f6b1e7d1793897a17bc36f95a417d1764efc109144b0ffbb8c0a43ea216cab1e3d16935565bcd309ac8845e9df1805f99a1ac8d1f687ad52ef80 |
C:\Users\Admin\AppData\Local\Temp\aut823C.tmp
| MD5 | 4b2fdf0a8c6c482408eefdf707f502de |
| SHA1 | 4873e42b6576980be696af1540e6e546600d48c2 |
| SHA256 | c1812737b6c166b63bc12a406b1227bc536d954bb8d986defed0f7468d73f4af |
| SHA512 | cf4f95e4346886bd29bb87fa21aa3503491d50089e5492719642ea6adc1c5df52f72f20f13512513e7923cd57ed808f26c6e3322f0e7ba6e0e77d65e28af83e7 |
C:\Users\Admin\AppData\Local\Temp\aut820C.tmp
| MD5 | ee36aa87dc445775e3bb981279766e33 |
| SHA1 | 77e9cf67e60020f6957e826be88b1fb74c6f8903 |
| SHA256 | 3e5fc13dccb76f873514e7296fa5f739cc8f49fe46a0f464fe96f0573ea4c625 |
| SHA512 | 47f76b25b13f8f70cfdc8565a3ecf3569c968776e241e77f075045de7ebb06adb899e9bfe8b9ada1f40bb0b175ba8cf626f1d9862e86a5e293c3229362698ad6 |