Analysis Overview
SHA256
0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383
Threat Level: Known bad
The file 0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe was found to be: Known bad.
Malicious Activity Summary
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Remcos family
Unsigned PE
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-06 01:03
Signatures
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 01:03
Reported
2024-04-06 01:05
Platform
win7-20240221-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe
"C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rzaz.duckdns.org | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\ProgramData\remcos\logs.dat
| MD5 | ceb6e07aa15ff2aeb1a637c5e935b618 |
| SHA1 | e322003300ea5c0c7500bc4c1f2125b93952f34a |
| SHA256 | 03d0d7eb1a1b81dfc25556d0bcbc8764eca443c0afa081f9045da042ef81298d |
| SHA512 | c372350896afcd3b899a07369c4949874ecf453573e2b5ec73e3e2e35545ed0cf6b0af9384858c5c9c0bb7b357573b1fe62dd6e89e70d5c86a51b6059b23b58f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 01:03
Reported
2024-04-06 01:05
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe
"C:\Users\Admin\AppData\Local\Temp\0f1d1af792a1caad8e0dc9a9057d7a3b06ed85f34672cdfec64aab4785c97383.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rzaz.duckdns.org | udp |
| US | 89.117.23.22:57834 | rzaz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.23.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
C:\ProgramData\remcos\logs.dat
| MD5 | 686adedd45b8e3e10492c91035bae251 |
| SHA1 | f90461c3a23e244a568dc0437308fb40dc6c43b7 |
| SHA256 | e07b44df4b082aed9692ab753678033a49f191a84a8355655745c4a37881230b |
| SHA512 | 4662623e6880cae30ea5255ffe0711cd87e1a3c42334cfbac9f9b045592bf1eb4282933d15756f9d332af11354982251c9486c68f11dcecae2b5d6ccdb5527f9 |
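The network and file tables from both detonations above contain three different kinds of observable, and a hunt list built from them should not treat all three the same: the 8.8.8.8 rows are the sandbox resolver, the in-addr.arpa rows are PTR lookups of the sandbox's own traffic, geoplugin.net (178.237.33.50:80) is a public geolocation API that Remcos queries after check-in and that legitimate software also uses, and only rzaz.duckdns.org / 89.117.23.22:57834 is the attacker-controlled C2. Note also that the logs.dat keylog file has a different hash in each run (it captures whatever the sample observed), so its path is the durable indicator, not its hash. The script below is an added example, not part of the sandbox report: it copies the rows above into a hunt list, separates C2 indicators from weak signals and sandbox plumbing, and runs the result over constructed DNS, connection and file-event log lines (the log format, hostnames and client IPs are invented for the demo). Because DuckDNS is dynamic DNS, the domain plus the port should be preferred over the bare IP, which may be reassigned.

```python
"""Build a hunt list from the sandbox tables on this page and run it over
sample logs. Example code added to the report, not part of the sandbox output."""
import re

# Rows copied from the behavioral1/behavioral2 network tables above
# (country, destination, domain, proto); PTR rows are representative only.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "rzaz.duckdns.org", "udp"),
    ("US", "89.117.23.22:57834", "rzaz.duckdns.org", "tcp"),
    ("US", "8.8.8.8:53", "geoplugin.net", "udp"),
    ("NL", "178.237.33.50:80", "geoplugin.net", "tcp"),
    ("US", "8.8.8.8:53", "22.23.117.89.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.33.237.178.in-addr.arpa", "udp"),
]

# Keylog path from the Files sections above; its hash differs per run.
KEYLOG_PATH = r"C:\ProgramData\remcos\logs.dat"

RESOLVER = "8.8.8.8"            # sandbox DNS server, not an indicator
THIRD_PARTY = {"geoplugin.net"}  # public service Remcos uses; weak signal only


def extract_iocs(rows):
    """Split sandbox rows into C2 endpoints, C2 domains and weak signals."""
    c2_endpoints, c2_domains, weak = set(), set(), set()
    for _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        if domain.endswith(".in-addr.arpa"):
            continue                       # PTR lookups of sandbox-side traffic
        if domain in THIRD_PARTY:
            weak.add(domain)
            continue
        c2_domains.add(domain)
        if host != RESOLVER:               # a real connection, not the DNS query
            c2_endpoints.add((host, int(port), proto))
    return c2_endpoints, c2_domains, weak


# Constructed log lines for the demo (not from the sandbox run).
SAMPLE_LOGS = [
    r"2024-04-06T01:04:02Z dns client=10.0.0.17 qname=rzaz.duckdns.org qtype=A",
    r"2024-04-06T01:04:03Z conn src=10.0.0.17 dst=89.117.23.22 dport=57834 proto=tcp",
    r"2024-04-06T01:04:05Z dns client=10.0.0.17 qname=geoplugin.net qtype=A",
    r"2024-04-06T01:04:06Z conn src=10.0.0.17 dst=178.237.33.50 dport=80 proto=tcp",
    r"2024-04-06T01:04:09Z dns client=10.0.0.42 qname=www.example.com qtype=A",
    r"2024-04-06T01:04:10Z conn src=10.0.0.42 dst=93.184.216.34 dport=443 proto=tcp",
    r"2024-04-06T01:04:12Z file host=WS17 op=create path=C:\ProgramData\remcos\logs.dat",
]

KV = re.compile(r"(\w+)=(\S+)")


def hunt(log_lines, c2_endpoints, c2_domains, weak):
    """Return (line, severity) for every log line that touches an indicator."""
    hits = []
    for line in log_lines:
        f = dict(KV.findall(line))
        if "qname" in f:
            q = f["qname"].lower().rstrip(".")
            if q in c2_domains:
                hits.append((line, "high"))
            elif q in weak:
                hits.append((line, "low"))     # geolocation lookup: corroborate first
        elif "dst" in f:
            if (f["dst"], int(f["dport"]), f["proto"]) in c2_endpoints:
                hits.append((line, "high"))
        elif "path" in f:
            if f["path"].lower() == KEYLOG_PATH.lower():
                hits.append((line, "high"))    # path match, deliberately not a hash
    return hits


if __name__ == "__main__":
    endpoints, domains, weak_signals = extract_iocs(NETWORK_ROWS)
    print("C2 endpoints:", endpoints)
    print("C2 domains:", domains)
    print("Weak signals:", weak_signals)
    for line, severity in hunt(SAMPLE_LOGS, endpoints, domains, weak_signals):
        print(severity.upper(), line)
```

The geoplugin.net connection on its own is left unflagged and the DNS query for it is rated low, because blocking a shared geolocation API or 178.237.33.50 would cause false positives; it becomes useful when it follows a rzaz.duckdns.org resolution from the same client, which is the sequence both detonations show.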