Malware Analysis Report

2024-12-07 22:33

Sample ID 240409-cdnm7aah98
Target 0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5
SHA256 0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5
Tags
remcos remotehost rat
score
10/10

Analysis Overview

score
10/10

SHA256

0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5

Threat Level: Known bad

The file 0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Executes dropped EXE

Drops startup file

Suspicious use of SetThreadContext

AutoIT Executable

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-09 01:57

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 01:57

Reported

2024-04-09 02:00

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5.exe"

Signatures

Remcos

rat remcos

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.vbs | C:\Users\Admin\AppData\Local\directory\word.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\word.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2472 set thread context of 3912 | N/A | C:\Users\Admin\AppData\Local\directory\word.exe | C:\Windows\SysWOW64\svchost.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\word.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5.exe

"C:\Users\Admin\AppData\Local\Temp\0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5.exe"

C:\Users\Admin\AppData\Local\directory\word.exe

"C:\Users\Admin\AppData\Local\Temp\0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3912 -ip 3912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 32

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 138.91.171.81:80 | N/A | tcp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp

Files

memory/4076-10-0x0000000001400000-0x0000000001404000-memory.dmp

C:\Users\Admin\AppData\Local\directory\word.exe

MD5 e4eb65ab503f7d26e28d88b05e6d84ef
SHA1 89968248561b7f8793531b376ed22a3c73607c73
SHA256 7125fc7db0f722ec8d001aa6c10cd10e5c8e25ab3abbf9f771c33d448e96bb7c
SHA512 2899b5ff4b7659f664c66e0e4c63d5b151ae0a1b02dfe150ae9b25ed32ed441dcd1b3e5316e37459ae059b8fb016fbeaff41db60fca76bd360e50af99393b8be

C:\Users\Admin\AppData\Local\Temp\croc

MD5 ceea497fc0601e397a9b0dba479b6ad3
SHA1 b791fd1115d9517d7e9cb9a987db2307aa900f67
SHA256 a17f87f849572c5977fa38198d6697a248424f2559aed98136834e188ac2d3f2
SHA512 702cff5d69b609e25d75545f58352aecf7ed28730c012f3a4ce6113842ebcda3308bc05e7658c27a260dec0bebaf25cad2bda1bff476aa79b2bb0ed4ad561858

C:\Users\Admin\AppData\Local\Temp\Maianthemum

MD5 1680954b249062aa27483ac80d9d2016
SHA1 acb196e38638fa7332a450b8ed9c127f1d56acff
SHA256 3614592179f15f4bc0cba05bac8e9dd7e545e6f623bd71b841aaa665f82b16cb
SHA512 9c94ec10f0577953a6bbc994b1339d9e414622efd07e4a61f31c5213f588d7327bd772c225a7a127736b721ec026ff836cf4167f9467dbf6df819bdec6e2ed93

memory/3912-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3912-29-0x0000000000480000-0x0000000000480000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 01:57

Reported

2024-04-09 02:00

Platform

win11-20240221-en

Max time kernel

91s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5.exe

"C:\Users\Admin\AppData\Local\Temp\0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/1448-10-0x0000000000CF0000-0x0000000000CF4000-memory.dmp