Analysis Overview
SHA256
da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75
Threat Level: Known bad
The file da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Drops startup file
Executes dropped EXE
AutoIT Executable
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-03 13:49
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 13:49
Reported
2024-04-03 13:51
Platform
win7-20240221-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe
"C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe"
Network
Files
memory/2492-10-0x0000000000220000-0x0000000000224000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 13:49
Reported
2024-04-03 13:51
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Remcos
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs | C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4872 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe | C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe
"C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe"
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
"C:\Users\Admin\AppData\Local\Temp\da556b674b032459bffc75b38d9a46495a772724ae48eb3fd67673504442fa75.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 107.175.229.139:8087 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
memory/4872-10-0x00000000027F0000-0x00000000027F4000-memory.dmp
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
| MD5 | 38f3c76a53fc5c38e864d22114d3681e |
| SHA1 | 77cd891a1faa7c61258b51c79e9035ba41d7fa3d |
| SHA256 | 54a47c85cc67aebc790c14ba70a96cf668148fb8dbd9b57cbfa87fa02596aa00 |
| SHA512 | c2bf831d47ca4b2686dca1155a69246d0193d8db33f4feb5e3099d5c1e92c1d40a42e8ea8f3364496945c2d3344d72752dccd3f3962f7ae48134e0360754447a |
C:\Users\Admin\AppData\Local\Temp\uncolorable
| MD5 | 3ea15c6ae80a4381148d6d754aa5bef0 |
| SHA1 | f7bb1d88b47edd40d1b6b6306c360afe188802ff |
| SHA256 | f49ee0a3104ae84b4f0c02dec84a126c5b9602b55eae52fe9d80efbcf4e6aa7c |
| SHA512 | 52124d9f68afd4fb25e6eb7cad03c5ea147e0bbafec84c2ae1c8d7b71142b74399e594ae9a6e5ffb60e741b760f198f05808bb331d6ec977f0ea584cbd829866 |
C:\Users\Admin\AppData\Local\Temp\acceptancy
| MD5 | dc89e41ce316d7ceb23763dbcd54ba9a |
| SHA1 | 6f26cc5f16de21e427bd003ff38cce2a1784a87d |
| SHA256 | a2762a36dece9e211a90b2a3bded0def88401206f04e895d6cc8947c51ccc36c |
| SHA512 | 488fb772a6dde9b48819dc29ba169271d736787631550c8a64f7ba6c9d52e0e4901305f9ef9822c843d4ffab1c0176397bea6e119de1739bc82bb4120e6625e9 |
C:\ProgramData\remcos\logs.dat
| MD5 | 3f72758f80b004d6c99f2c3d4e50d2e8 |
| SHA1 | c306ae7a830400f70ff562dac759f4c77097d04d |
| SHA256 | b5fb7fa2f187c851b0198843901d9652a379a27ce183a4a5fa624b8d6a8d7283 |
| SHA512 | 818fa57ec618ce44296caca947a8ea35d69ec8feee87358831c63a684c12195de252128c9b7f7aa683e1419f7f163f5d2ada6e67988c338bf3cac349d205bd00 |