Analysis Overview
SHA256
45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85
Threat Level: Known bad
The file 45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Nirsoft
NirSoft WebBrowserPassView
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
NirSoft MailPassView
Detects executables referencing many email and collaboration clients. Observed in information stealers
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Detects executables built or packed with MPress PE compressor
Drops startup file
Executes dropped EXE
Accesses Microsoft Outlook accounts
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 01:21
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 01:21
Reported
2024-04-09 01:24
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"
Network
Files
memory/2768-10-0x0000000000120000-0x0000000000124000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 01:21
Reported
2024-04-09 01:24
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Remcos
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brawlis.vbs | C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\svchost.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 372 set thread context of 1276 | N/A | C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1276 set thread context of 1960 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1276 set thread context of 4112 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1276 set thread context of 4304 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"
C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\dgcrtrgwdgqtteucsixwvtlp"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\nbpkukryroiyekigjtkpggggqjb"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\qvuuvccrfwalgqektdxrjlsxzqsclt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 107.175.229.139:8087 | tcp | |
| US | 107.175.229.139:8087 | tcp | |
| US | 8.8.8.8:53 | 139.229.175.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
memory/740-10-0x0000000001260000-0x0000000001264000-memory.dmp
C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
| MD5 | f087017470a46c265fbeb26b312179f6 |
| SHA1 | 56cfbb3a2d47efbb9681fcc0f759625637b1fe80 |
| SHA256 | 368510b9ebaa1d5f76d67683d2636f29dd1a56d91daae008c1d2ebcf318d4601 |
| SHA512 | 770d2d4325be02c5bf2d6bf0c78c2ffc95bb6831dd94649a88bc20678c4dfe4e99e698b068fb3e1ffbadb91873303d80a19667f3c5320fbc69e8973fca2ad11c |
C:\Users\Admin\AppData\Local\Temp\orographically
| MD5 | 17db3ee54b8207f5415603d856255c9d |
| SHA1 | a480c3d3f948e61b258b18732b99732f62fe93e5 |
| SHA256 | e138b8344f3c0b7d400d452da5662e5625365f71ca955034f8b6ddf05b4a3c37 |
| SHA512 | 7a4fc990c68c73f9729e2b56d337a8888094bad6766ad9c9f0cc3faaa89fa289189660bed466adca97039431f9d4ff179227b9f8e1dce2ea6b42b1ea09d50cef |
C:\Users\Admin\AppData\Local\Temp\vitraillist
| MD5 | 7e652071f4c1e8a16bbcc9fe126774f0 |
| SHA1 | e6eed67590573d8427f648e2952e88005fba1efd |
| SHA256 | 132f9d86d77df4cc036a745abc0a419412a35b9977005bb0a19258d8a629bbf2 |
| SHA512 | 469fd55d6f2ffe4f2d2117db33e68f879878013958677d72f27eeaf953611e504bfb8ff89a44558308c10f3f2e204157f5cb50fb78c94b674e410bf84c741ddb |
memory/1276-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-29-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-30-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-32-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-31-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-34-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-37-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-38-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-39-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-40-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-42-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1960-45-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4112-46-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4112-50-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1960-49-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1960-54-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4304-52-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4304-57-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4112-59-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4304-58-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4112-55-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1960-51-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4304-63-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1960-65-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1276-67-0x0000000010000000-0x0000000010019000-memory.dmp
memory/1276-71-0x0000000010000000-0x0000000010019000-memory.dmp
memory/1276-72-0x0000000010000000-0x0000000010019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dgcrtrgwdgqtteucsixwvtlp
| MD5 | 32a7b06ba8a0426235849b55b563b06b |
| SHA1 | 47157e4608ac7375544e6a59c7353f5bea8167f5 |
| SHA256 | 14bb01cde2127abdc8cbef51092d1327d4fc63d40b47ca4621947c0dd8475e52 |
| SHA512 | 0a610acf3ee1abcbb198d0d52de567d8c40d3460897ad9cb53d1a9cc463935b13c13e880b23716a429d8680794d24e1d1ecfce2f386e3861798bd03bbf1f8cf6 |
memory/1276-73-0x0000000010000000-0x0000000010019000-memory.dmp
memory/1276-74-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-78-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | e74b066793e3af8e4c57c8754e02ebc0 |
| SHA1 | 5f84cdf56cf1fd1401b04c5e15cdeef686a87997 |
| SHA256 | 0720417adf2d52aa80b560e2929884fcb9de41ae5e9e7dfb887b0fbecad5bf53 |
| SHA512 | 26a217742e0430623a0085720dcdec22f56ec4d195425e5189e3b84fcac010b5fa445f29d6627d086430c4529430401470ce191b52aa739f07b1f6f30caa5f82 |
memory/1276-80-0x0000000010000000-0x0000000010019000-memory.dmp
memory/1276-82-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-83-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-90-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-91-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-98-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-99-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-106-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1276-107-0x0000000000400000-0x0000000000482000-memory.dmp