Analysis Overview
SHA256: bf19328d703ff4ad6b67c9cd584147ed69ce2e82932350334f1705aad63316b4
Threat Level: Known bad
The file 1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe was found to be: Known bad.
Malicious Activity Summary
Remcos family
Remcos
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-04-05 13:55
Signatures
Remcos family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-05 13:55
Reported: 2024-04-05 13:57
Platform: win7-20240215-en
Max time kernel: 147s
Max time network: 143s
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2240 set thread context of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rxms.duckdns.org | udp |
| US | 89.117.23.25:57832 | rxms.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\ProgramData\remcos\logs.dat
| MD5 | 2a1efddc929c9fd966b0c9854872b89b |
| SHA1 | 7d1e29e1d181f56ef679879c2743d6f8821746d0 |
| SHA256 | 0b4b6e516eecdd94f0fcea2b8bfd669a71301ebc63ed6410aaf234c1d2102550 |
| SHA512 | 4d5b1638b8933b2b2ebff8f9f92f24115c8db4d7e3e5724f05a5b7d470877a2bf294eb253105ffda716934894e5acbdadfff10730fcaf5ab5153c1e37c8f8175 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-05 13:55
Reported: 2024-04-05 13:57
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 152s
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4584 set thread context of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4584 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
| PID 4584 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
| PID 4584 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
| PID 4584 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\1712325245744004f5902f018d98f993f0a4fa06e5ebff0611e82b883bf6f5430dc03cd13b963.dat-decoded.exe"
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rxms.duckdns.org | udp |
| US | 89.117.23.25:57832 | rxms.duckdns.org | tcp |
| US | 8.8.8.8:53 | 152.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.23.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
C:\ProgramData\remcos\logs.dat
| MD5 | 2419cdf9e257b34b8f021929ab31fb20 |
| SHA1 | 37d8f6cb76083292f611e4f42c37db6eade442d3 |
| SHA256 | 52f38af681bc1baf3cfb5c06cd4e08e6a5088f2f806f7431b6a8b00f40bf15f0 |
| SHA512 | 4b06b652fce10051cb6b196eb8fce3bd2fce75caa81c3f51ccfcdc1e455283d0efcfc8d9628cbeb128289246f43ffe3d7e3098629849355422dca929266a23b4 |