Analysis Overview
SHA256
c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929
Threat Level: Known bad
The file c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929 was found to be: Known bad.
Malicious Activity Summary
Remcos
Drops startup file
Executes dropped EXE
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-09 14:16
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 14:16
Reported
2024-04-09 14:18
Platform
win11-20240221-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Remcos
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1948 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\excel.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe
"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"
C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 107.175.229.143:30902 | shgoini.com | tcp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/2276-10-0x00000000027B0000-0x00000000027B4000-memory.dmp
C:\Users\Admin\AppData\Local\directory\excel.exe
| Hash | Value |
|---|---|
| MD5 | 6e785bef0bc6d9d27b632a95c167f95e |
| SHA1 | be154cc572ba9fcc5e9d562106172e63ce49ef8c |
| SHA256 | 8e572214b3f185499a292d3b0720b4641a2f519195703d5462c64682decd4e96 |
| SHA512 | 7f13e223683b5aad76f8c337f8b5c9ee24666384b82077af03ece6c04b6d4a8a3879b5ce9ee5d4d4724cb9f27a2144a39f086b00114b7df11bd4b2b0dab21940 |
C:\Users\Admin\AppData\Local\Temp\saccule
| Hash | Value |
|---|---|
| MD5 | 7b4ee3164750a624febb01f867bdb208 |
| SHA1 | 2c68f3bc9f02ef7229da72935b33053885ad19e0 |
| SHA256 | fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5 |
| SHA512 | aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41 |
C:\Users\Admin\AppData\Local\Temp\Thebit
| Hash | Value |
|---|---|
| MD5 | a04675531940882479c988422f627c21 |
| SHA1 | 48bb45a49c1600e8f16ffe612170787f841cd969 |
| SHA256 | 011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5 |
| SHA512 | f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c |
memory/2732-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-29-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-30-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-31-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-32-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-33-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-34-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-38-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-39-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-40-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-42-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-46-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2732-47-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 14:16
Reported
2024-04-09 14:18
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe
"C:\Users\Admin\AppData\Local\Temp\c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/1156-10-0x0000000000C20000-0x0000000000C24000-memory.dmp