Malware Analysis Report

2025-06-16 01:22

Sample ID: 240410-jvcetaca6w
Target: dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b
SHA256: dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b
Tags: remcos, treintayocho, rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b

Threat Level: Known bad

The file dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b was found to be: Known bad.

Malicious Activity Summary

remcos treintayocho rat

Remcos

Blocklisted process makes network request

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 07:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win7-20240319-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\33.opends60.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\33.opends60.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

95s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\edbgps.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69A69350-671F-4FEC-8E84-5353BAAB806E}\NumMethods\ = "15" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{299666F8-849F-474D-9368-707902441FB6}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED73A477-7B78-4150-B50F-1E8197C79AD0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3E94238-1B83-4223-BACD-F112B2E63168} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1BF669A-48C5-44F9-A9B2-28585B6C1FE6} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1BF669A-48C5-44F9-A9B2-28585B6C1FE6}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED73A477-7B78-4150-B50F-1E8197C79AD0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED73A477-7B78-4150-B50F-1E8197C79AD0}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93079278-5272-4EDA-BBE0-D16723DE2845}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E622C3C9-67B4-4ACF-A912-3B48ECD5333B}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11D95AF6-D32C-425D-B060-2B573E46FB6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A17F2213-0FB6-4F25-BD47-34B95C2E4AEE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC88F6E0-7E6C-4D36-BFB2-51A0D9AAA9EF}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{299666F8-849F-474D-9368-707902441FB6}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A17F2213-0FB6-4F25-BD47-34B95C2E4AEE}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED73A477-7B78-4150-B50F-1E8197C79AD0}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{617AD585-925B-4891-80C2-67AA19A21A3B}\ = "IEmbeddedNativeExecutionModel" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8EEEFA6-7297-4A4E-A4C8-8BF188F9B533}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{617AD585-925B-4891-80C2-67AA19A21A3B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3E94238-1B83-4223-BACD-F112B2E63168}\ = "IEmbeddedRemoteNativeDebugPort" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED73A477-7B78-4150-B50F-1E8197C79AD0}\NumMethods\ = "4" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93079278-5272-4EDA-BBE0-D16723DE2845}\NumMethods\ = "14" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C8E3A10-1F09-4E6B-929F-FC464C1CA6B2}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8D33E4A-9A08-4E72-845F-7627A063115E}\ = "IEmbeddedNativeProcess" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C587BD8-A9B0-4C41-AF85-FF6A164D40E9}\ = "IEmbeddedNativeProcessCallback" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C587BD8-A9B0-4C41-AF85-FF6A164D40E9}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EFFD432C-9154-4069-89EB-48DB8D38A4E8}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B4F8FD3-38A9-4087-8C82-2B52F275A571}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC88F6E0-7E6C-4D36-BFB2-51A0D9AAA9EF}\ = "IEmbeddedCodeLocationHierarchy" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C587BD8-A9B0-4C41-AF85-FF6A164D40E9}\NumMethods\ = "4" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E622C3C9-67B4-4ACF-A912-3B48ECD5333B}\NumMethods\ = "16" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C8E3A10-1F09-4E6B-929F-FC464C1CA6B2}\NumMethods\ = "4" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A31B4892-9236-44DE-98DB-89AE61EF8685}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EFFD432C-9154-4069-89EB-48DB8D38A4E8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{537333ED-714D-408E-83D4-A8908A76E022} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C587BD8-A9B0-4C41-AF85-FF6A164D40E9} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E622C3C9-67B4-4ACF-A912-3B48ECD5333B}\ = "IEmbeddedLexicalScopeHierarchy" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{299666F8-849F-474D-9368-707902441FB6}\NumMethods\ = "15" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B4F8FD3-38A9-4087-8C82-2B52F275A571}\ = "IEmbeddedConnectivityLayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2B715021-C455-4DAC-B154-D6DC8C5CDEAD}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E622C3C9-67B4-4ACF-A912-3B48ECD5333B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EFFD432C-9154-4069-89EB-48DB8D38A4E8} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C587BD8-A9B0-4C41-AF85-FF6A164D40E9}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF7AA070-61A3-4167-87C1-D82D6A2CF8A6}\NumMethods\ = "6" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{617AD585-925B-4891-80C2-67AA19A21A3B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93079278-5272-4EDA-BBE0-D16723DE2845} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3E94238-1B83-4223-BACD-F112B2E63168}\NumMethods\ = "4" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8D33E4A-9A08-4E72-845F-7627A063115E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{299666F8-849F-474D-9368-707902441FB6}\ = "IEmbeddedRegisterHierarchy" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11D95AF6-D32C-425D-B060-2B573E46FB6D}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3C81844-B3CA-4BDC-9C5E-1B5CCEA0976B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C0C734A-FC33-4EF2-B9EE-EFECB9B41B5F}\NumMethods\ = "16" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EFFD432C-9154-4069-89EB-48DB8D38A4E8}\ = "IEmbeddedRPC" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C0C734A-FC33-4EF2-B9EE-EFECB9B41B5F}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E622C3C9-67B4-4ACF-A912-3B48ECD5333B}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A17F2213-0FB6-4F25-BD47-34B95C2E4AEE}\ = "IEmbeddedRPCCallback" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{617AD585-925B-4891-80C2-67AA19A21A3B}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4E58998-5BED-4413-A082-813F064AB68D}\ = "IEmbeddedNativeRemoteLayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{93079278-5272-4EDA-BBE0-D16723DE2845}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8D33E4A-9A08-4E72-845F-7627A063115E}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69A69350-671F-4FEC-8E84-5353BAAB806E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC88F6E0-7E6C-4D36-BFB2-51A0D9AAA9EF}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5051BE6-804A-47B8-8FFE-2E80C41DE490}\NumMethods\ = "5" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{617AD585-925B-4891-80C2-67AA19A21A3B}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 1444 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\edbgps.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\edbgps.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 202.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win10v2004-20240226-en

Max time kernel

113s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\hxvzui.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\hxvzui.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=3112,i,1786399861560734457,5606877702857066305,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
GB 172.217.16.234:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 9.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win10v2004-20240226-en

Max time kernel

163s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b.exe"

Signatures

Remcos

rat remcos

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\msfeedssync.job C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4072 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b.exe C:\Windows\SysWOW64\rundll32.exe
PID 112 wrote to memory of 3176 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 112 wrote to memory of 3128 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b.exe

"C:\Users\Admin\AppData\Local\Temp\dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe PartiShikari,Hurley

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2256,i,9172343514068348080,519219714517961765,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 treintayochorem.duckdns.org udp
CO 179.13.3.249:1010 treintayochorem.duckdns.org tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\PartiShikari.DLL

MD5 8aec2b9bf7b0156601b5738445c89afb
SHA1 72a3cf230083d1b882181bda3320ee5592a058d2
SHA256 e288f1292df61e692e2ba9f2a163bcaa620403b30fad40155c37edc9c9e53f76
SHA512 a92939475c2d0ac2331428d42628fc035ef98b3bb7ff9c154d99b441a38e11419de74fea0b07765de695dc02f0610ac9aba2ce7f82d500703b87f5f1183fe9ba

C:\Users\Admin\AppData\Local\Temp\Capercaillie

MD5 b9239ef2ea3c8a042259de2001a1b447
SHA1 3f599a1247c4c58ac20674cfba24e1383cee9072
SHA256 f6506d4b516addd8550689bb0d55ecf0731f3740e76c3e27c714e877f941da32
SHA512 2d3026f0c5beea03cf3ce3bb6f07c8e9084d8b149df2ed954cd4b10583305571a57bc48a4aa1f32ec54db12fde81c752ffc758cec686bbfea92c99648ced473e

memory/112-15-0x0000000000690000-0x0000000000692000-memory.dmp

memory/112-16-0x00000000744E0000-0x00000000745A8000-memory.dmp

memory/112-17-0x00000000772D0000-0x0000000077333000-memory.dmp

memory/112-18-0x00007FFEF9F90000-0x00007FFEFA185000-memory.dmp

memory/3128-20-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3128-21-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3128-22-0x0000000000B00000-0x0000000000B06000-memory.dmp

memory/3128-23-0x00007FFEF9F90000-0x00007FFEFA185000-memory.dmp

memory/112-28-0x00000000744E0000-0x00000000745A8000-memory.dmp

memory/3128-33-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3128-32-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3128-35-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3128-36-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3128-39-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 0fecbd4fb03bd196b6fe8f1635cc3d60
SHA1 4e49aa717c54e92bab10b915346628a4565f8491
SHA256 9532d794eaa39c875a944113cce517f9286f3de39dba5083d965902353d6a215
SHA512 ea8e043c3508a446b5969ea3ed37e9dbf6b94c8a4b5b327a02f673c648f06a2ffb09913641e9270ed401f7dc06628077cbc277e85d8961db1b9e8c7725d96d6c

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win7-20240221-en

Max time kernel

118s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\PartiShikari.dll,#1

Signatures

Remcos

rat remcos

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 484 wrote to memory of 2456 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 484 wrote to memory of 2456 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\PartiShikari.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\PartiShikari.dll,#1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\msfeedssync.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\msfeedssync.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\msfeedssync.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\msfeedssync.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\msfeedssync.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\msfeedssync.exe""

Network

N/A

Files

memory/484-1-0x0000000000140000-0x0000000000142000-memory.dmp

memory/484-0-0x00000000752E0000-0x0000000075338000-memory.dmp

memory/484-2-0x0000000076E50000-0x0000000076E85000-memory.dmp

memory/484-3-0x0000000077B80000-0x0000000077D29000-memory.dmp

memory/2456-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2456-5-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2456-6-0x0000000000090000-0x0000000000096000-memory.dmp

memory/2456-7-0x0000000077B80000-0x0000000077D29000-memory.dmp

memory/484-12-0x00000000752E0000-0x0000000075338000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\33.opends60.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\33.opends60.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 136.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\69.opends60.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\69.opends60.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 64.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\edbgps.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11D95AF6-D32C-425D-B060-2B573E46FB6D}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8D33E4A-9A08-4E72-845F-7627A063115E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A31B4892-9236-44DE-98DB-89AE61EF8685}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B4F8FD3-38A9-4087-8C82-2B52F275A571}\ = "IEmbeddedConnectivityLayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B4F8FD3-38A9-4087-8C82-2B52F275A571}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED73A477-7B78-4150-B50F-1E8197C79AD0}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69A69350-671F-4FEC-8E84-5353BAAB806E}\ = "IEmbeddedSymbolProvider" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B843AD9-F235-4121-A0B1-DD766AF1A333} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5051BE6-804A-47B8-8FFE-2E80C41DE490}\NumMethods\ = "5" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11D95AF6-D32C-425D-B060-2B573E46FB6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EFFD432C-9154-4069-89EB-48DB8D38A4E8} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EFFD432C-9154-4069-89EB-48DB8D38A4E8}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF7AA070-61A3-4167-87C1-D82D6A2CF8A6}\ = "IEmbeddedNativeDumpProcess" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED73A477-7B78-4150-B50F-1E8197C79AD0}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E94238-1B83-4223-BACD-F112B2E63168} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C0C734A-FC33-4EF2-B9EE-EFECB9B41B5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A31B4892-9236-44DE-98DB-89AE61EF8685} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{537333ED-714D-408E-83D4-A8908A76E022}\ = "IEmbeddedObjectBinder" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8D33E4A-9A08-4E72-845F-7627A063115E}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299666F8-849F-474D-9368-707902441FB6}\NumMethods\ = "15" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4E58998-5BED-4413-A082-813F064AB68D}\NumMethods\ = "13" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C0C734A-FC33-4EF2-B9EE-EFECB9B41B5F}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3C81844-B3CA-4BDC-9C5E-1B5CCEA0976B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3C81844-B3CA-4BDC-9C5E-1B5CCEA0976B}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{537333ED-714D-408E-83D4-A8908A76E022}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8D33E4A-9A08-4E72-845F-7627A063115E}\ = "IEmbeddedNativeProcess" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E94238-1B83-4223-BACD-F112B2E63168}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8EEEFA6-7297-4A4E-A4C8-8BF188F9B533} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C587BD8-A9B0-4C41-AF85-FF6A164D40E9} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A31B4892-9236-44DE-98DB-89AE61EF8685}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A31B4892-9236-44DE-98DB-89AE61EF8685}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B843AD9-F235-4121-A0B1-DD766AF1A333}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B843AD9-F235-4121-A0B1-DD766AF1A333}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF7AA070-61A3-4167-87C1-D82D6A2CF8A6}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{617AD585-925B-4891-80C2-67AA19A21A3B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8EEEFA6-7297-4A4E-A4C8-8BF188F9B533}\ = "IEmbeddedRemoteCorDebugPort" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C0C734A-FC33-4EF2-B9EE-EFECB9B41B5F}\ = "IEnumFrameCallBack" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A17F2213-0FB6-4F25-BD47-34B95C2E4AEE}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B715021-C455-4DAC-B154-D6DC8C5CDEAD}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4E58998-5BED-4413-A082-813F064AB68D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1BF669A-48C5-44F9-A9B2-28585B6C1FE6}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{537333ED-714D-408E-83D4-A8908A76E022} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C8E3A10-1F09-4E6B-929F-FC464C1CA6B2}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B4F8FD3-38A9-4087-8C82-2B52F275A571} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93079278-5272-4EDA-BBE0-D16723DE2845}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C8E3A10-1F09-4E6B-929F-FC464C1CA6B2}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C587BD8-A9B0-4C41-AF85-FF6A164D40E9}\NumMethods\ = "4" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B843AD9-F235-4121-A0B1-DD766AF1A333}\ = "IEmbeddedDisassemblyStream" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299666F8-849F-474D-9368-707902441FB6}\ = "IEmbeddedRegisterHierarchy" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3C81844-B3CA-4BDC-9C5E-1B5CCEA0976B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93079278-5272-4EDA-BBE0-D16723DE2845}\ = "IEmbeddedExpressionEvaluator" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E94238-1B83-4223-BACD-F112B2E63168}\NumMethods\ = "4" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69A69350-671F-4FEC-8E84-5353BAAB806E}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11D95AF6-D32C-425D-B060-2B573E46FB6D}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A17F2213-0FB6-4F25-BD47-34B95C2E4AEE}\ = "IEmbeddedRPCCallback" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{617AD585-925B-4891-80C2-67AA19A21A3B}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4E58998-5BED-4413-A082-813F064AB68D}\ = "IEmbeddedNativeRemoteLayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1BF669A-48C5-44F9-A9B2-28585B6C1FE6}\NumMethods\ = "6" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8EEEFA6-7297-4A4E-A4C8-8BF188F9B533}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69A69350-671F-4FEC-8E84-5353BAAB806E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8D33E4A-9A08-4E72-845F-7627A063115E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69A69350-671F-4FEC-8E84-5353BAAB806E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 1724 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\edbgps.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\edbgps.dll

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win7-20231129-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\hxvzui.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\hxvzui.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:02

Platform

win10v2004-20240226-en

Max time kernel

166s

Max time network

175s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\PartiShikari.dll,#1

Signatures

Remcos

rat remcos

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\msfeedssync.job C:\Windows\SysWOW64\notepad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 5088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5088 wrote to memory of 5028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 4808 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 4620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 1404 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 2024 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 1636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\notepad.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\PartiShikari.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\PartiShikari.dll,#1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 33.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 treintayochorem.duckdns.org udp
CO 179.13.3.249:1010 treintayochorem.duckdns.org tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
CO 179.13.3.249:1010 treintayochorem.duckdns.org tcp
CO 179.13.3.249:1010 treintayochorem.duckdns.org tcp
US 8.8.8.8:53 treintayochorem.duckdns.org udp
CO 179.13.3.249:1010 treintayochorem.duckdns.org tcp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
CO 179.13.3.249:1010 treintayochorem.duckdns.org tcp

Files

memory/5088-0-0x0000000001240000-0x0000000001242000-memory.dmp

memory/5088-1-0x00000000748E0000-0x00000000749A8000-memory.dmp

memory/5088-2-0x0000000074E10000-0x0000000074E73000-memory.dmp

memory/5088-3-0x00007FFA818B0000-0x00007FFA81AA5000-memory.dmp

memory/5088-9-0x00000000748E0000-0x00000000749A8000-memory.dmp

memory/1636-10-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1636-11-0x00007FFA818B0000-0x00007FFA81AA5000-memory.dmp

memory/1636-16-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1636-18-0x0000000000580000-0x0000000000586000-memory.dmp

memory/1636-21-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1636-23-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1636-24-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1636-27-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 bd390322d86739b0572f0c4341ce9b1a
SHA1 2cce2128cd9f54639e60928060709cc3f13d08da
SHA256 7fdb5d06505a55fb098f9b17b09070c1e389068ab2eaa9a14a91c627855e7603
SHA512 4645f3689edb6a82a5d1493c98fab55eaff48ac46b5aa6d824bc64f108c5c771b7445412cc3d7ed9fe85dac0fa75375e03738379811ef6be88d7da99bec8835c

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\69.opends60.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\69.opends60.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\79.opends60.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\79.opends60.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:02

Platform

win10v2004-20240226-en

Max time kernel

170s

Max time network

176s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\sbsdiasymreader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 368 (3 identical events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\sbsdiasymreader.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\sbsdiasymreader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 218.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win7-20240221-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b.exe"

Signatures

Remcos

rat remcos

Blocklisted process makes network request

Description Indicator Process Target
N/A (5 identical events) N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\msfeedssync.job C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 1140 (7 identical events) N/A C:\Users\Admin\AppData\Local\Temp\dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b.exe C:\Windows\SysWOW64\rundll32.exe
PID 1140 wrote to memory of 2388 (45 identical events) N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b.exe

"C:\Users\Admin\AppData\Local\Temp\dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe PartiShikari,Hurley

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 treintayochorem.duckdns.org udp (3 identical entries)
CO 179.13.3.249:1010 treintayochorem.duckdns.org tcp (5 identical entries)

Files

C:\Users\Admin\AppData\Local\Temp\PartiShikari.DLL

MD5 8aec2b9bf7b0156601b5738445c89afb
SHA1 72a3cf230083d1b882181bda3320ee5592a058d2
SHA256 e288f1292df61e692e2ba9f2a163bcaa620403b30fad40155c37edc9c9e53f76
SHA512 a92939475c2d0ac2331428d42628fc035ef98b3bb7ff9c154d99b441a38e11419de74fea0b07765de695dc02f0610ac9aba2ce7f82d500703b87f5f1183fe9ba

C:\Users\Admin\AppData\Local\Temp\Capercaillie

MD5 b9239ef2ea3c8a042259de2001a1b447
SHA1 3f599a1247c4c58ac20674cfba24e1383cee9072
SHA256 f6506d4b516addd8550689bb0d55ecf0731f3740e76c3e27c714e877f941da32
SHA512 2d3026f0c5beea03cf3ce3bb6f07c8e9084d8b149df2ed954cd4b10583305571a57bc48a4aa1f32ec54db12fde81c752ffc758cec686bbfea92c99648ced473e

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 ab8c8d63a017b92cf79f086a1c1a8d59
SHA1 c546960cb2b53bab3056a059e6649450be9e9d3a
SHA256 b7d9594af6a781d1bd73eec61fcd3835365f3bab2d9a6dbd0e99ef6fb44be5f3
SHA512 3b0ededd6834a0e19d8e6bb1d82713ef9381d4d1274252e5875a78183bb288f9fa80598fa1e323a8dc5503cabaf261c40019cbd3effa152b1a74550b8040348a

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\79.opends60.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\79.opends60.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-10 07:58

Reported

2024-04-10 08:01

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\sbsdiasymreader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 2692 (7 identical events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\sbsdiasymreader.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\sbsdiasymreader.dll,#1

Network

N/A

Files

N/A