Analysis Overview
SHA256
c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
Threat Level: Known bad
The file wininit (1).exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Drops startup file
Executes dropped EXE
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-09 13:52
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-09 13:52
Reported
2024-04-09 13:57
Platform
win11-20240221-en
Max time kernel
298s
Max time network
289s
Command Line
Signatures
Remcos
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 852 set thread context of 2292 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4920 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 4920 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 4920 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 852 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 852 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 852 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 852 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\wininit (1).exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 107.175.229.143:30902 | shgoini.com | tcp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/4920-10-0x0000000003AC0000-0x0000000003AC4000-memory.dmp
C:\Users\Admin\AppData\Local\directory\excel.exe
| MD5 | f31d9ee063f3c0e695119c2001526eba |
| SHA1 | 318f611a1cc6ea1acfd90e7c96a25c8a296cb98f |
| SHA256 | f123ce5c0da540eeb18ed45e16e3560e7d5071e857ae8cb6c551d1274232a298 |
| SHA512 | 6bfbdb053b3af17799a15a2eec16be828af3c7f05f9600e510e0d3d01b0c9cfee282cc309d2f615356aa0c45ab261a9bc62d363db5211a7cf778c069d69702a4 |
C:\Users\Admin\AppData\Local\Temp\Thebit
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 13:52
Reported
2024-04-09 13:58
Platform
win7-20240221-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\wininit (1).exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
Network
Files
memory/2612-10-0x00000000002F0000-0x00000000002F4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 13:52
Reported
2024-04-09 13:57
Platform
win10-20240404-en
Max time kernel
194s
Max time network
255s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4684 wrote to memory of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 4684 wrote to memory of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 4684 wrote to memory of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 3500 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3500 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3500 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\wininit (1).exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 720
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
memory/4684-10-0x0000000000A50000-0x0000000000A54000-memory.dmp
C:\Users\Admin\AppData\Local\directory\excel.exe
| MD5 | b782fcb7b21966d286adb631ce53d10c |
| SHA1 | af76491cc33150896ca45d1a86cc6d37c6c538f6 |
| SHA256 | c812d845a97b66335655d6eaa14abb172d26c7dcbca2630e62d6f8ddddcb77f8 |
| SHA512 | 60140a0f4a307cdc16ea28eade599d4cceb74993423f4258094a0a1025642e7af42dff28ceeca49257c19429b72ba4f9debf4aa50ef2e2213e0111c8fc38c2f6 |
C:\Users\Admin\AppData\Local\Temp\Thebit
| MD5 | a04675531940882479c988422f627c21 |
| SHA1 | 48bb45a49c1600e8f16ffe612170787f841cd969 |
| SHA256 | 011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5 |
| SHA512 | f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c |
C:\Users\Admin\AppData\Local\Temp\saccule
| MD5 | 7b4ee3164750a624febb01f867bdb208 |
| SHA1 | 2c68f3bc9f02ef7229da72935b33053885ad19e0 |
| SHA256 | fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5 |
| SHA512 | aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-09 13:52
Reported
2024-04-09 13:58
Platform
win10v2004-20240226-en
Max time kernel
230s
Max time network
307s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\wininit (1).exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.179.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
Files
memory/4896-10-0x0000000002600000-0x0000000002604000-memory.dmp