Analysis Overview
SHA256
867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d
Threat Level: Known bad
The file 867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d was found to be: Known bad.
Malicious Activity Summary
Remcos
Drops startup file
Loads dropped DLL
Executes dropped EXE
AutoIT Executable
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-08 06:26
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 06:26
Reported
2024-04-08 06:28
Platform
win7-20240221-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b.vbs | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
"C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe"
C:\Users\Admin\AppData\Local\directory\b.exe
"C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe"
C:\Users\Admin\AppData\Local\directory\b.exe
"C:\Users\Admin\AppData\Local\directory\b.exe"
Network
Files
memory/3020-10-0x0000000000120000-0x0000000000124000-memory.dmp
\Users\Admin\AppData\Local\directory\b.exe
| MD5 | 242f742492fc010286dcd61022e5ae77 |
| SHA1 | 7113390e2f1c9162c8657fa338553cf31091847d |
| SHA256 | 692842a7eed1dd4aa20ae1c919ee50457b5ef70994d8028976ca224eeaba5276 |
| SHA512 | d041b2e53d1cde21ac6da196f082864e61130298942d0eb306b2dd4d3ccf4b8e2b354e4528b5069274985a7d7bb49f25a13a8cc5f53bcb8097ff7fad21d62e78 |
C:\Users\Admin\AppData\Local\Temp\harrowment
| MD5 | b6abb946c8fafd3c39c65d0018f08292 |
| SHA1 | 66252a9190a46ec0f39a19c7eb9eff714ebc1f02 |
| SHA256 | e70f501e004d971117243365f226ffe8fb691bcc1383be3dd2271df7a8301045 |
| SHA512 | d7d1355ae50b1d27fbe939ae10c38fd08343504e5c1b45a28bfc3478ce87fb6bf0009b7434ebdcd521c767d96939f40c7ff54f13e1fa676fdb940adf24bf2b12 |
C:\Users\Admin\AppData\Local\Temp\selectee
| MD5 | 90a853c50ee02062c0ba5e4df26e55f4 |
| SHA1 | e0625192e1c47f4cc6ad0eec8a093705444f968d |
| SHA256 | 709d2fcf79f4d1f8646d42916fda954a52ba88bc4b930b0642afb7b991027b21 |
| SHA512 | 2279913280b84a2e26423fa9bbc4064b6fd21f92ba99fcc9c41e83a869c7af3b1fb55032af3fff3cb9c8eb23bfb73692b6d4a888741c707ca12cad1553c3e525 |
C:\Users\Admin\AppData\Local\Temp\selectee
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\aut8ED8.tmp
| MD5 | 8b8caa1bc13e1fa4add88483fd5b23ef |
| SHA1 | da2e21643cf2eec771f06700c633818944f51722 |
| SHA256 | 31f4c7fe44b3dd27b08a6e50d9fed38bc1d3abeb690a94d0cb51c25b9a7ad11b |
| SHA512 | 7d0e854c5edbc3772f33fdc4ab323d9ed97046904a4b680789e4c640bb1b7d10d6781d4a8e948b16844c3258f34d08051839db33647cc16a990ef25820987cd9 |
C:\Users\Admin\AppData\Local\Temp\aut8EA9.tmp
| MD5 | 3693bf7b439ce662ad87eff62d63d8bd |
| SHA1 | 1a097472889d7e04f22b94b290785281b21d6748 |
| SHA256 | 408e6a5eca386ec47859acacd9e1f009075f4d640c847f5ec58b126322cfd645 |
| SHA512 | e9458fd40250a5ce4507c652f434112e97dd3e7bec821c101e74cf3a0a70dcf0e940d45aae863c2909a4d03d7de72b47f3f43fb26bb73e2fccbe59c21978f79e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 06:26
Reported
2024-04-08 06:28
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Remcos
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b.vbs | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe
"C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe"
C:\Users\Admin\AppData\Local\directory\b.exe
"C:\Users\Admin\AppData\Local\Temp\867e3c9147ef41bc4edff6002959c37c785d919b13edbd7e8ed150ea51f9f15d.exe"
C:\Users\Admin\AppData\Local\directory\b.exe
"C:\Users\Admin\AppData\Local\directory\b.exe"
C:\Users\Admin\AppData\Local\directory\b.exe
"C:\Users\Admin\AppData\Local\directory\b.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shgoini.com | udp |
| US | 107.175.229.143:30902 | shgoini.com | tcp |
| US | 8.8.8.8:53 | 143.229.175.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/4000-10-0x0000000004140000-0x0000000004144000-memory.dmp
C:\Users\Admin\AppData\Local\directory\b.exe
| MD5 | 87236bd2af1398cae32160ad646717bb |
| SHA1 | 3a85bdfb168b3b48e3e89203ac08fc12923c4758 |
| SHA256 | f50b38395b0f806599cb3e0269e74339c4f0bf4ada4bf3e5439b790ee5fcba41 |
| SHA512 | 545b5788f841a7c3b45ae95a435a0f6d6bd9ae0c5e1a43a81ecba7afe9f8ef74c52334f539420869aa115f68b0b68185b8252992ebec317774ed8fe95590ff1f |
C:\Users\Admin\AppData\Local\Temp\harrowment
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\harrowment
| MD5 | 19b6459254edc377b42419ec10f33583 |
| SHA1 | bbb5a7d798ba384d9517c1cbbc6b73370a4c9aed |
| SHA256 | 39673e497d0d046623d32e248a18d178e56e4987acd8b9de84bb6289b5fd1a09 |
| SHA512 | c17b977b15f2119c4e858bdc9c97ace101a050ff15817ff0f184706c3025d771309248b5cf34617baf368c1d137337b4bf3bfa3f021728bc991ac5adfc9bf436 |
C:\Users\Admin\AppData\Local\Temp\aut92E9.tmp
| MD5 | 3693bf7b439ce662ad87eff62d63d8bd |
| SHA1 | 1a097472889d7e04f22b94b290785281b21d6748 |
| SHA256 | 408e6a5eca386ec47859acacd9e1f009075f4d640c847f5ec58b126322cfd645 |
| SHA512 | e9458fd40250a5ce4507c652f434112e97dd3e7bec821c101e74cf3a0a70dcf0e940d45aae863c2909a4d03d7de72b47f3f43fb26bb73e2fccbe59c21978f79e |
C:\Users\Admin\AppData\Local\Temp\harrowment
| MD5 | b6abb946c8fafd3c39c65d0018f08292 |
| SHA1 | 66252a9190a46ec0f39a19c7eb9eff714ebc1f02 |
| SHA256 | e70f501e004d971117243365f226ffe8fb691bcc1383be3dd2271df7a8301045 |
| SHA512 | d7d1355ae50b1d27fbe939ae10c38fd08343504e5c1b45a28bfc3478ce87fb6bf0009b7434ebdcd521c767d96939f40c7ff54f13e1fa676fdb940adf24bf2b12 |
C:\Users\Admin\AppData\Local\Temp\selectee
| MD5 | 90a853c50ee02062c0ba5e4df26e55f4 |
| SHA1 | e0625192e1c47f4cc6ad0eec8a093705444f968d |
| SHA256 | 709d2fcf79f4d1f8646d42916fda954a52ba88bc4b930b0642afb7b991027b21 |
| SHA512 | 2279913280b84a2e26423fa9bbc4064b6fd21f92ba99fcc9c41e83a869c7af3b1fb55032af3fff3cb9c8eb23bfb73692b6d4a888741c707ca12cad1553c3e525 |
C:\Users\Admin\AppData\Local\Temp\aut9367.tmp
| MD5 | 8b8caa1bc13e1fa4add88483fd5b23ef |
| SHA1 | da2e21643cf2eec771f06700c633818944f51722 |
| SHA256 | 31f4c7fe44b3dd27b08a6e50d9fed38bc1d3abeb690a94d0cb51c25b9a7ad11b |
| SHA512 | 7d0e854c5edbc3772f33fdc4ab323d9ed97046904a4b680789e4c640bb1b7d10d6781d4a8e948b16844c3258f34d08051839db33647cc16a990ef25820987cd9 |
memory/4536-54-0x0000000000400000-0x0000000000482000-memory.dmp