Malware Analysis Report

2024-12-07 22:23

Sample ID 240409-q6y7aaca61
Target wininit (1).exe
SHA256 c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
Tags
remcos remotehost rat
score
10/10


Analysis Overview

score
10/10

SHA256

c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929

Threat Level: Known bad

The file wininit (1).exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Drops startup file

Executes dropped EXE

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-09 13:53

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 13:53

Reported

2024-04-09 13:55

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"

Signatures

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\wininit (1).exe
Command line: "C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"

Network

N/A

Files

memory/2952-10-0x0000000000160000-0x0000000000164000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 13:53

Reported

2024-04-09 13:56

Platform

win10v2004-20240226-en

Max time kernel

166s

Max time network

182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"

Signatures

Remcos

rat remcos

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4604 set thread context of 4328 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A
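
The signature rows above describe one chain: the dropped excel.exe (PID 4604) writes excel.vbs into the user's Startup folder and then sets the thread context of a SysWOW64\svchost.exe process (PID 4328), which together with the WriteProcessMemory and MapViewOfSection hits is consistent with a loader hollowing a system binary. The script below is an added example, not part of this report and not any sandbox's own code: it turns those rows into event records (constructed by hand from the table; the wininit (1).exe PID is left unknown because the report does not state it) and runs three rules over them, then names the PID that both persists and injects as the loader stage. The event field names, rule names and regular expressions are this example's own assumptions. SetThreadContext on its own is not malicious (debuggers use it), so the injection rule fires only when a non-system image modifies a thread inside a System32/SysWOW64 binary.

```python
# Added example: correlate sandbox signature rows into a loader/injection chain.
# Not part of the report. Field names, rule names and patterns are assumptions.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    kind: str                      # "process_start" | "file_create" | "set_thread_context"
    process: str                   # image path of the acting process
    pid: Optional[int] = None      # None where the report gives no PID
    target: Optional[str] = None   # created file, or the image whose thread was modified
    target_pid: Optional[int] = None


@dataclass
class Finding:
    rule: str
    pid: Optional[int]
    process: str
    detail: str


# Constructed by hand from the behavioral2 signature rows; the wininit (1).exe
# PID is not stated in the report, so it is left as None.
EVENTS = [
    Event("process_start", r"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"),
    Event("process_start", r"C:\Users\Admin\AppData\Local\directory\excel.exe", pid=4604),
    Event("file_create", r"C:\Users\Admin\AppData\Local\directory\excel.exe", pid=4604,
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs"),
    Event("set_thread_context", r"C:\Users\Admin\AppData\Local\directory\excel.exe", pid=4604,
          target=r"C:\Windows\SysWOW64\svchost.exe", target_pid=4328),
]

STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_IMAGE = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$", re.IGNORECASE)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")


def analyze(events: List[Event]) -> List[Finding]:
    """Apply three rules: execution from a user-writable path, Startup-folder
    persistence, and SetThreadContext from a non-system image onto a system binary."""
    findings: List[Finding] = []
    for ev in events:
        if ev.kind == "process_start" and USER_WRITABLE.search(ev.process):
            findings.append(Finding("exe_in_user_writable_dir", ev.pid, ev.process,
                                    "executable started from a user-writable directory"))
        elif ev.kind == "file_create" and ev.target and STARTUP_DIR.search(ev.target):
            what = "script" if ev.target.lower().endswith(SCRIPT_EXT) else "file"
            findings.append(Finding("startup_folder_persistence", ev.pid, ev.process,
                                    f"{what} written to the Startup folder: {ev.target}"))
        elif (ev.kind == "set_thread_context" and ev.target
              and SYSTEM_IMAGE.match(ev.target) and not SYSTEM_IMAGE.match(ev.process)):
            # SetThreadContext by itself is not malicious (debuggers use it); the
            # signal is a non-system image redirecting a thread inside a system binary.
            findings.append(Finding("thread_context_on_system_binary", ev.pid, ev.process,
                                    f"SetThreadContext on {ev.target} (pid {ev.target_pid})"))
    return findings


def loader_chains(findings: List[Finding]) -> Dict[int, str]:
    """PIDs that both persist and inject: the loader stage of the chain."""
    rules_by_pid = defaultdict(set)
    image_by_pid: Dict[int, str] = {}
    for f in findings:
        if f.pid is None:
            continue
        rules_by_pid[f.pid].add(f.rule)
        image_by_pid[f.pid] = f.process
    wanted = {"startup_folder_persistence", "thread_context_on_system_binary"}
    return {pid: image_by_pid[pid] for pid, rules in rules_by_pid.items() if wanted <= rules}


if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f"[{f.rule}] pid={f.pid} {f.process}: {f.detail}")
    print("loader chain:", loader_chains(found))
```

On real telemetry the same rules map onto Sysmon event IDs 1 (process create), 11 (file create) and 8/10 (remote thread and process access); the report gives no parent PIDs, so the chain is tied together by the acting PID rather than by lineage.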

Processes

Process: C:\Users\Admin\AppData\Local\Temp\wininit (1).exe
Command line: "C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"

Process: C:\Users\Admin\AppData\Local\directory\excel.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"

Process: C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 shgoini.com udp
US 107.175.229.143:30902 shgoini.com tcp
US 8.8.8.8:53 143.229.175.107.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
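
Most of the rows above are not the sample talking to its operator: every line to 8.8.8.8:53 is a DNS query, and the in-addr.arpa names are reverse (PTR) lookups. Only two connections leave the box, shgoini.com on TCP 30902 and geoplugin.net on TCP 80; Remcos retrieves the victim's geolocation from geoplugin.net, so that second contact attributes the family rather than pointing at attacker infrastructure. The script below is an added example, not part of this report and not any sandbox's own code: it parses the table exactly as printed above, separates forward queries, PTR lookups and connections, reverses each PTR name to an address so it can be matched against the connections actually made, flags non-web ports, and defangs the result for sharing. The classification rules, the Contact fields and the annotation on geoplugin.net are this example's own assumptions.

```python
# Added example: extract blockable indicators from the sandbox Network table.
# Not part of the report. Classification rules and field names are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# The behavioral2 Network table, copied verbatim from the report.
NETWORK_ROWS = """\
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 shgoini.com udp
US 107.175.229.143:30902 shgoini.com tcp
US 8.8.8.8:53 143.229.175.107.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
"""

RESOLVER = "8.8.8.8:53"   # the sandbox's DNS resolver, never an indicator itself
WEB_PORTS = {80, 443}
# Editor's annotation, not from the report: Remcos fetches victim geolocation from geoplugin.net.
KNOWN_SERVICES = {"geoplugin.net": "geolocation lookup used by Remcos; attributes the family, not the operator"}


@dataclass(frozen=True)
class Contact:
    ip: str
    port: int
    proto: str
    server_name: str
    reverse_lookup_seen: bool   # a PTR query for this address also appears in the table
    c2_candidate: bool          # non-web port and not a known third-party service
    note: str = ""


def ptr_to_ip(name: str) -> str:
    """'143.229.175.107.in-addr.arpa' -> '107.175.229.143' (validated as IPv4)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(f"not a PTR name: {name}")
    octets = name[:-len(suffix)].split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def triage(table: str) -> Tuple[List[Contact], Set[str], List[str]]:
    """Return (connections made, domains resolved, PTR lookups that matched no connection)."""
    queried: Set[str] = set()
    reversed_ips: Set[str] = set()
    raw_conns: List[Tuple[str, int, str, str]] = []
    for line in table.strip().splitlines():
        _country, dest, domain, proto = line.split()
        if dest == RESOLVER and proto == "udp":
            if domain.endswith(".in-addr.arpa"):
                reversed_ips.add(ptr_to_ip(domain))
            else:
                queried.add(domain)
        else:
            ip, port = dest.rsplit(":", 1)
            raw_conns.append((str(ipaddress.ip_address(ip)), int(port), domain, proto))
    contacts = []
    for ip, port, domain, proto in raw_conns:
        contacts.append(Contact(ip, port, proto, domain,
                                reverse_lookup_seen=ip in reversed_ips,
                                c2_candidate=port not in WEB_PORTS and domain not in KNOWN_SERVICES,
                                note=KNOWN_SERVICES.get(domain, "")))
    # PTR lookups for addresses the sample never connected to are OS background traffic.
    background = sorted(reversed_ips - {c.ip for c in contacts}, key=ipaddress.IPv4Address)
    return contacts, queried, background


def defang(value: str) -> str:
    """Make an indicator safe to paste into a ticket: 'a.b' -> 'a[.]b'."""
    return value.replace(".", "[.]")


def blocklist(table: str) -> List[str]:
    """Defanged indicators worth blocking: C2 candidates plus the names that resolved to them."""
    contacts, queried, _ = triage(table)
    out: List[str] = []
    for c in contacts:
        if c.c2_candidate:
            out.append(f"{defang(c.ip)}:{c.port}/{c.proto}")
            if c.server_name in queried:
                out.append(defang(c.server_name))
    return out


if __name__ == "__main__":
    contacts, queried, background = triage(NETWORK_ROWS)
    for c in contacts:
        print(c)
    print("resolved:", sorted(queried))
    print("PTR-only (background noise):", background)
    print("blocklist:", blocklist(NETWORK_ROWS))
```

The PTR cross-check is what separates the two interesting reverse lookups (107.175.229.143 and 178.237.33.50, both of which the sample actually connected to) from the eleven that belong to addresses never contacted; a blocklist built from the raw table without that step would carry a dozen unrelated Microsoft and CDN addresses.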

Files

memory/2552-10-0x0000000001050000-0x0000000001054000-memory.dmp

C:\Users\Admin\AppData\Local\directory\excel.exe

MD5 4f23f15830d3ba36d13baa6053263f6f
SHA1 4cc35ff93e851df631832ebdf202a77966c40edf
SHA256 6e5c4aad20824647559b2c511bed4f123a4e982978394dc75b544e5ec94cc269
SHA512 4a0549c6e2cc72cd7fbe38dae2110bca0e8a39be17b4adafb2418386e757a5626ef1aae6a4a07f22b92ba9f977fa2b180f5283957399802dfacb9ec36c7eb5db

C:\Users\Admin\AppData\Local\Temp\Thebit

MD5 a04675531940882479c988422f627c21
SHA1 48bb45a49c1600e8f16ffe612170787f841cd969
SHA256 011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5
SHA512 f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c

C:\Users\Admin\AppData\Local\Temp\saccule

MD5 7b4ee3164750a624febb01f867bdb208
SHA1 2c68f3bc9f02ef7229da72935b33053885ad19e0
SHA256 fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5
SHA512 aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41

memory/4328-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4328-46-0x0000000000400000-0x0000000000482000-memory.dmp