Analysis Overview
SHA256: 264d6866d534205d35dcbbb2e5f031440f5580ae97d0eec657477f957039126a
Threat Level: Known bad
The file TSTS 0005A.rar was found to be: Known bad.
Malicious Activity Summary
Remcos
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-05 11:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-05 11:41
Reported: 2024-04-05 11:43
Platform: win7-20240221-en
Max time kernel: 148s
Max time network: 144s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2276 set thread context of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe
"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vcEDbAjawlTHE.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vcEDbAjawlTHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp48A4.tmp"
C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe
"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | sembe.duckdns.org | udp |
| BE | 194.187.251.115:14645 | sembe.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp48A4.tmp
| MD5 | b0dbfda50a11ba2f398c2de3049cddab |
| SHA1 | 4c7ec19e990cefcf6182c3c9580ed70dac7ec655 |
| SHA256 | ce16e075234483ce823675820b1544d16148e4340e852a1b049df30dfd51a995 |
| SHA512 | fcf7d79e2bedc6d05bc1548d36d5a1c67c094e4c71d6e8c1a211e011e95969f1ddd0b7d6b6e7781735507c00832684bb4d3f1faffde66ab1188cf0defde74075 |
C:\Users\Admin\AppData\Roaming\notess\logs.dat
| MD5 | 8d35c03abb01c9c58fd94dd704e98326 |
| SHA1 | c53104898af6d9cd4c7906004e6aaef533a1c0b8 |
| SHA256 | 37df8bcee1574b291aab1e384ceb719d07bd7a70cc781904a33bf365db17569b |
| SHA512 | 0e7bb997411a9f64f283ec4b7a0d793e09a5f38da3d5e4ba7a6c8e954b053bf208925b5ded8f8e9fe0872bd27e8e231c6e075195ab5435cac1759adfc892876c |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-05 11:41
Reported: 2024-04-05 11:43
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 145s
Command Line
Signatures
Remcos
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3168 set thread context of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe
"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vcEDbAjawlTHE.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vcEDbAjawlTHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D12.tmp"
C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe
"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"
C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe
"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"
C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe
"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sembe.duckdns.org | udp |
| BE | 194.187.251.115:14645 | sembe.duckdns.org | tcp |
| US | 8.8.8.8:53 | 115.251.187.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp6D12.tmp
| MD5 | 35bfb4553ad9189205d20be5cc976305 |
| SHA1 | 485c545ce3701f27694fe4df829b2557ed4f0f48 |
| SHA256 | dfa9b03022019b6b2fb30b73957c1bfdecb4b569345d932cf6fc7549e5aa5a7c |
| SHA512 | fb48e2e0fe181865ee5bb481d7825bb6bb1e52feac2dc16f869d8c58458d432b0a4a0b1a62c05effb1a41c2d1d98d68a55771784bb590a8380ff0880082c0e5a |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_431gzdhd.le1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\notess\logs.dat
| MD5 | 4cbbe1ca599b5a09cecc9bad75c441ff |
| SHA1 | 6fceb677d32c976de9311404b616001a8dfdcef5 |
| SHA256 | 75dec0166b55f5ddc0641dbb14257ee904d33426c5a4f15b8e481c52d3b92d99 |
| SHA512 | f7f5f27de2c9ded88b091392849df65ad8a7547c47f279c16c77a01ab745c90e13006fe1787304f094b01943900630cee39e22f9df1f3b4c1a987ec72e490081 |