Analysis Overview
SHA256
2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17
Threat Level: Known bad
The file 2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe was found to be: Known bad.
Malicious Activity Summary
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Remcos family
Unsigned PE
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-06 01:09
Signatures
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 01:09
Reported
2024-04-06 01:11
Platform
win7-20240319-en
Max time kernel
148s
Max time network
146s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe
"C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rxmz.duckdns.org | udp |
| US | 89.117.23.22:57833 | rxmz.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\ProgramData\remcos\logs.dat
| Hash | Value |
| --- | --- |
| MD5 | cf54b4317eb351fdb7042bfc6c0f47c7 |
| SHA1 | f9247ec81c3a30c210b919b02b069ce5a9a190b6 |
| SHA256 | 2e1a12bd61147a60468c32d19e32c49039e1e436f024a884530278509da755a2 |
| SHA512 | 217291bfff991f152ecf592f5809be73ff3602213eb99ac52ec5ea09f0d82be1a45dcb7c0ebaf775ecfad2ec39c6a71fb2c7944fb148169a82e35ac0b9729bcc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 01:09
Reported
2024-04-06 01:11
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe
"C:\Users\Admin\AppData\Local\Temp\2d35feecb9b427d2f48f6fd0dd5ef71eb7ba75fe024d7c6f9067490bbabc3c17.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rxmz.duckdns.org | udp |
| US | 89.117.23.22:57833 | rxmz.duckdns.org | tcp |
| US | 8.8.8.8:53 | 22.23.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| DE | 142.250.186.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 106.186.250.142.in-addr.arpa | udp |
Files
C:\ProgramData\remcos\logs.dat
| Hash | Value |
| --- | --- |
| MD5 | 62fb6a1604d0951925351710f8923e4b |
| SHA1 | 07185e2521bef234e616e51c6143a5a16cedd0d1 |
| SHA256 | c4fd5788bb1fea9cc73fda38f35faf7f29b02a1df64320ed1c788789b38b8b0a |
| SHA512 | 095895f6ef4d70c96b54796bdb691e2c842e79b9035e0610f0dcf62c5043c33a089a8d828b32f22deb7daf94b20af132ce97ff0180ff89b90f8a581808105c3a |