Analysis Overview
SHA256
c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
Threat Level: Known bad
The file wininit (1).exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Drops startup file
Executes dropped EXE
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-09 13:53
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 13:53
Reported
2024-04-09 13:55
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\wininit (1).exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
Network
Files
memory/2952-10-0x0000000000160000-0x0000000000164000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 13:53
Reported
2024-04-09 13:56
Platform
win10v2004-20240226-en
Max time kernel
166s
Max time network
182s
Command Line
Signatures
Remcos
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4604 set thread context of 4328 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2552 wrote to memory of 4604 | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 2552 wrote to memory of 4604 | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 2552 wrote to memory of 4604 | N/A | C:\Users\Admin\AppData\Local\Temp\wininit (1).exe | C:\Users\Admin\AppData\Local\directory\excel.exe |
| PID 4604 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4604 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4604 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4604 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\wininit (1).exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\wininit (1).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 239.249.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shgoini.com | udp |
| US | 107.175.229.143:30902 | shgoini.com | tcp |
| US | 8.8.8.8:53 | 143.229.175.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
memory/2552-10-0x0000000001050000-0x0000000001054000-memory.dmp
C:\Users\Admin\AppData\Local\directory\excel.exe
| MD5 | 4f23f15830d3ba36d13baa6053263f6f |
| SHA1 | 4cc35ff93e851df631832ebdf202a77966c40edf |
| SHA256 | 6e5c4aad20824647559b2c511bed4f123a4e982978394dc75b544e5ec94cc269 |
| SHA512 | 4a0549c6e2cc72cd7fbe38dae2110bca0e8a39be17b4adafb2418386e757a5626ef1aae6a4a07f22b92ba9f977fa2b180f5283957399802dfacb9ec36c7eb5db |
C:\Users\Admin\AppData\Local\Temp\Thebit
| MD5 | a04675531940882479c988422f627c21 |
| SHA1 | 48bb45a49c1600e8f16ffe612170787f841cd969 |
| SHA256 | 011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5 |
| SHA512 | f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c |
C:\Users\Admin\AppData\Local\Temp\saccule
| MD5 | 7b4ee3164750a624febb01f867bdb208 |
| SHA1 | 2c68f3bc9f02ef7229da72935b33053885ad19e0 |
| SHA256 | fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5 |
| SHA512 | aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41 |