Malware Analysis Report

2024-12-07 22:32

Sample ID 240409-nqnphahb71
Target tmp
SHA256 c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
Tags
remcos remotehost rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Drops startup file

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-09 11:36

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 11:36

Reported

2024-04-09 11:38

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Remcos

rat remcos

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2960 set thread context of 2552 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1964 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 1964 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 1964 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 1964 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 1964 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 1964 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 1964 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\directory\excel.exe
PID 2960 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe
PID 2960 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe
PID 2960 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe
PID 2960 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe
PID 2960 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\directory\excel.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | shgoini.com | udp
US | 107.175.229.143:30902 | shgoini.com | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

memory/1964-10-0x00000000001B0000-0x00000000001B4000-memory.dmp

\Users\Admin\AppData\Local\directory\excel.exe

MD5 eea22ca96e4c6cf50dbfa45ba038ca5d
SHA1 f205a1adc28b0b22b64afadd9d6c47da1f765ba7
SHA256 27986689d31cda7612a587a2c78c8d38588a2c1a7fc75b7ec70148f967d5c54f
SHA512 39d9aae6395697ef137c838577153fe85486307b60c0c30fe70814d678b67943e61964f38f6d582157dd6f01d3aa6aebdb9541b78f04157fc1e9e60054812f1a

C:\Users\Admin\AppData\Local\Temp\saccule

MD5 7b4ee3164750a624febb01f867bdb208
SHA1 2c68f3bc9f02ef7229da72935b33053885ad19e0
SHA256 fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5
SHA512 aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41

C:\Users\Admin\AppData\Local\Temp\Thebit

MD5 a04675531940882479c988422f627c21
SHA1 48bb45a49c1600e8f16ffe612170787f841cd969
SHA256 011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5
SHA512 f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c

memory/2552-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2552-47-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 11:36

Reported

2024-04-09 11:38

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
GB | 142.250.187.202:443 | N/A | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp

Files

memory/5004-10-0x0000000000950000-0x0000000000954000-memory.dmp