Analysis Overview
SHA256
d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229
Threat Level: Known bad
The file d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe was found to be: Known bad.
Malicious Activity Summary
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Remcos family
Unsigned PE
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-06 01:41
Signatures
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 01:41
Reported
2024-04-06 01:44
Platform
win7-20240319-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe
"C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | rxms.duckdns.org | udp |
| US | 89.117.23.25:57832 | rxms.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\ProgramData\remcos\logs.dat
| MD5 | 4db50aea32779f50c14d12721ba024e6 |
| SHA1 | e8db90f99fa825424b713da183419a0cc045bd86 |
| SHA256 | 50b3e408b398ea6e38e63153aafc2e5e3bf9b83546e4db41203cb240e259dc4c |
| SHA512 | 335a1903873c218daba44930815a6ec6a3faf47a8dd76b3261b4fca82e0e178df206b13db4afe3fece4750ba01c52e5f13d73b3b3a56afc2b848c0acb9c1e7d0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 01:41
Reported
2024-04-06 01:44
Platform
win10v2004-20240226-en
Max time kernel
159s
Max time network
158s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe
"C:\Users\Admin\AppData\Local\Temp\d32356d6005e4b696a0145ec295b706c008c42f48beba21f6203094faf060229.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | rxms.duckdns.org | udp |
| US | 89.117.23.25:57832 | rxms.duckdns.org | tcp |
| US | 8.8.8.8:53 | 25.23.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\ProgramData\remcos\logs.dat
| MD5 | 63069d3d36053cfec1fc68f51a26e26f |
| SHA1 | 44fd4a3056a71674d9ee46aca3b298b9c14ced68 |
| SHA256 | 60a1d1d331864be70a0d010ea2505883c6a194e8c9e13759728d770cc1e50157 |
| SHA512 | 3cb9dd4f6df4dc05e8ca01544e868c400f98ee7f40e549218d3b75d01e68ca41c86785f89382adc033853fd3e05116678b320387356e56ffa25c96603911b044 |