Analysis Overview
SHA256
f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b
Threat Level: Known bad
The file f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Remcos
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 08:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 08:04
Reported
2024-04-10 08:06
Platform
win7-20240221-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe\"" | C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe | N/A |
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1848 set thread context of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe | C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe | "C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe" |
| C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe | "C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | veintisieteremc.duckdns.org | udp |
| CO | 179.13.3.249:1011 | veintisieteremc.duckdns.org | tcp |
| US | 8.8.8.8:53 | veintiochoremc.duckdns.org | udp |
| CO | 179.13.3.249:1011 | veintiochoremc.duckdns.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
| Hash | Value |
|---|---|
| MD5 | 241b5f88af66fd809bff6b3bdd2eb825 |
| SHA1 | 582f58cb62c8d9716b58a676dd5677c984f94727 |
| SHA256 | 682e3f10247adc53b8b2267b15fe38370f9ad8d1aefa6b9affbd5fce7bf76f28 |
| SHA512 | 34640eea4bd99365183ad89c2281254a0e6b56ce505bb9d7ca6a2f8335ad4a02043185d38edee5b0d18d090223f06f1d13ac9657fde2b373e19d818c6f790ca3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 08:04
Reported
2024-04-10 08:06
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe\"" | C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe | N/A |
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3984 set thread context of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe | C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe | "C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe" |
| C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe | "C:\Users\Admin\AppData\Local\Temp\f6f0b9b8b7a2ee0a64f33c5df868a2ae646d9c5ca161b7031994db881ec2b11b.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | veintisieteremc.duckdns.org | udp |
| CO | 179.13.3.249:1011 | veintisieteremc.duckdns.org | tcp |
| US | 8.8.8.8:53 | veintiochoremc.duckdns.org | udp |
| CO | 179.13.3.249:1011 | veintiochoremc.duckdns.org | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
| Hash | Value |
|---|---|
| MD5 | 9b73606660fcd7d493c5eda092ca8cab |
| SHA1 | b6cefbdab7964eab88bcc0974b897772fc8c99c2 |
| SHA256 | f03e6f6295c8653ade43e06fa3b1af83effdcc7607feb35032af955b3a334434 |
| SHA512 | b81c54077a52c438aedf82a52a85dc8e808d2713028c93f8721134ea4aaa03fbbab3a192090d111ee1acc8a1f9bd467ba13f5f0c9d663ddebf47dda0ef2b290a |