Analysis Overview
SHA256
30c92411897d709b710f248d4460739edce37e03d88c75e7f61064eaa138b767
Threat Level: Known bad
The file Tax_Document.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Unsigned PE
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-23 17:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-23 17:19
Reported
2024-04-23 17:39
Platform
win10-20240404-en
Max time kernel
1198s
Max time network
1192s
Command Line
Signatures
Remcos
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 78.142.18.109:2401 | | tcp |
| US | 8.8.8.8:53 | 109.18.142.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4920-0-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-1-0x0000000000060000-0x00000000000D6000-memory.dmp
memory/4920-3-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-4-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-6-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-7-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-8-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-9-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-10-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-11-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-13-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-16-0x00000000025D0000-0x0000000002627000-memory.dmp
memory/4920-20-0x0000000000120000-0x00000000001A0000-memory.dmp
C:\ProgramData\taxinfor\logs.dat
| MD5 | 1e3ffa1ef4c535056a23585c5c96b4ec |
| SHA1 | b3a07778c4224635fd494a6b95579d0d1730e16c |
| SHA256 | 23efc42bd18a49a9978edacdf78dc90b3c0ed180fc0af40032c2bf575d48decd |
| SHA512 | dd6c567180a13850cdc1204b8a8647a50a5657402021f1a1e73d653223a5be25402fee8d0ab29d6b527a4448c7c1ee1310e96a99e05bfad85e0fbb675f74563c |
memory/4920-23-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-24-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-34-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-35-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-45-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-46-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-57-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-58-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-68-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-69-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-112-0x0000000000120000-0x00000000001A0000-memory.dmp
memory/4920-123-0x0000000000120000-0x00000000001A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-23 17:19
Reported
2024-04-23 17:39
Platform
win10v2004-20240412-en
Max time kernel
1199s
Max time network
1201s
Command Line
Signatures
Remcos
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 78.142.18.109:2401 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.18.142.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/2356-0-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-1-0x0000000000550000-0x00000000005C6000-memory.dmp
memory/2356-2-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-3-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-4-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-6-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-7-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-8-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-9-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-10-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-14-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-16-0x00000000005D0000-0x0000000000666000-memory.dmp
memory/2356-20-0x0000000000060000-0x00000000000E0000-memory.dmp
C:\ProgramData\taxinfor\logs.dat
| MD5 | e95d16d5ff109f8662bec8c497f67824 |
| SHA1 | a4bdb6c227cdd7851d3e96796c1616b0b0098abb |
| SHA256 | 8d3f71044b9781207b07b87fbb60dfe7bd9381ed6bd8ebd79998648ca7bab40c |
| SHA512 | 97abc52679cf7d9997dfadc6caa2b8e4f1c831b4e06c2d0a1e0c63a69ca8fdbe307f755461f456c27aa75062bd30da3da6686e79c688f878401614a9b1047d68 |
memory/2356-22-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-23-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-33-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-34-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-44-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-45-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-55-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-67-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-68-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-77-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-78-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-88-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-89-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-99-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-100-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-110-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-111-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-122-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-123-0x0000000000060000-0x00000000000E0000-memory.dmp
memory/2356-132-0x0000000000060000-0x00000000000E0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-23 17:19
Reported
2024-04-23 17:39
Platform
win11-20240412-en
Max time kernel
1199s
Max time network
1192s
Command Line
Signatures
Remcos
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Tax Document\TAX DOCUMENTS.pdf.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 78.142.18.109:2401 | | tcp |
| US | 8.8.8.8:53 | 109.18.142.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 52.111.227.13:443 | | tcp |
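The network tables of behavioral1, behavioral2 and behavioral3 mix the sample's own traffic (the direct-to-IP TCP connection to 78.142.18.109:2401 with no DNS name, and the geoplugin.net geolocation lookup that Remcos performs after start-up) with sandbox resolver traffic, PTR lookups and Windows background traffic to bing.com / bing.net. The script below is an added triage example and is not part of this report or of any sandbox tooling. It parses rows in the report's own table layout, labels each connection, deduplicates endpoints and emits a Suricata rule for the C2 candidate. The sample rows are copied from the three tables above; the noise lists, the label names and the sid range are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: network rows copied from the three behavioral runs
# of this report (header layout "| Country | Destination | Domain | Proto |";
# direct-to-IP connections have an empty Domain cell).
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| NL | 78.142.18.109:2401 | | tcp |
| US | 8.8.8.8:53 | 109.18.142.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 78.142.18.109:2401 | | tcp |
"""

# Assumed triage knobs (not from the report): the sandbox's resolver and the
# Windows background domains that appear in every run on this page.
SANDBOX_RESOLVER = "8.8.8.8"
OS_NOISE_SUFFIXES = (".bing.com", ".bing.net")
# Remcos queries geoplugin.net for the victim's geolocation; it is not C2 but
# is a strong supporting indicator next to a direct-IP connection.
REMCOS_GEOIP_DOMAIN = "geoplugin.net"
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text: str) -> list[Conn]:
    """Parse the report's pipe-delimited network table into Conn records."""
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        ipaddress.ip_address(host)  # raises on a malformed Destination cell
        conns.append(Conn(country, host, int(port), domain, proto.lower()))
    return conns


def classify(c: Conn) -> str:
    """Label one connection for triage (label names are assumptions)."""
    if c.ip == SANDBOX_RESOLVER and c.port == 53:
        return "dns-noise"          # resolver traffic, including PTR lookups
    if c.domain == REMCOS_GEOIP_DOMAIN:
        return "remcos-geoip"       # geolocation check, supports the verdict
    if c.domain.endswith(OS_NOISE_SUFFIXES):
        return "os-noise"           # Windows background traffic
    if not c.domain and c.proto == "tcp" and c.port not in WEB_PORTS:
        return "c2-candidate"       # direct-to-IP, non-web port, no DNS name
    return "review"                 # e.g. direct-IP on 443: needs an analyst


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Group deduplicated endpoints by label, preserving first-seen order."""
    out: dict[str, list[str]] = {}
    for c in parse_rows(text):
        key = c.domain if c.domain else f"{c.ip}:{c.port}"
        bucket = out.setdefault(classify(c), [])
        if key not in bucket:
            bucket.append(key)
    return out


def suricata_rules(iocs: dict[str, list[str]], base_sid: int = 9000001) -> list[str]:
    """Emit one alert rule per C2 candidate (the sid range is an assumption)."""
    rules = []
    for i, ep in enumerate(iocs.get("c2-candidate", [])):
        ip, port = ep.rsplit(":", 1)
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Remcos C2 candidate from sandbox report"; '
            f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_ROWS)
    for label, endpoints in iocs.items():
        print(f"{label:14} {', '.join(endpoints)}")
    print("\n".join(suricata_rules(iocs)))
```

The direct-IP connections on 443 (52.111.227.13/14 here) are deliberately left in the "review" bucket rather than auto-labelled: a raw-IP TLS connection is common Windows telemetry, but it is also how a second-stage loader would look, so the analyst decides, not the script.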
Files
memory/4032-0-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-1-0x00000000024A0000-0x0000000002516000-memory.dmp
memory/4032-2-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-3-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-4-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-6-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-7-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-8-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-9-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-10-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-11-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-13-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-16-0x00000000005F0000-0x00000000006B2000-memory.dmp
memory/4032-20-0x0000000002760000-0x00000000027E0000-memory.dmp
C:\ProgramData\taxinfor\logs.dat
| MD5 | 1e3ffa1ef4c535056a23585c5c96b4ec |
| SHA1 | b3a07778c4224635fd494a6b95579d0d1730e16c |
| SHA256 | 23efc42bd18a49a9978edacdf78dc90b3c0ed180fc0af40032c2bf575d48decd |
| SHA512 | dd6c567180a13850cdc1204b8a8647a50a5657402021f1a1e73d653223a5be25402fee8d0ab29d6b527a4448c7c1ee1310e96a99e05bfad85e0fbb675f74563c |
memory/4032-23-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-24-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-33-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-34-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-45-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-46-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-57-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-58-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-61-0x00000000005F0000-0x00000000006B2000-memory.dmp
memory/4032-64-0x00000000005F0000-0x00000000006B2000-memory.dmp
memory/4032-68-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-69-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-79-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-80-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-86-0x00000000005F0000-0x00000000006B2000-memory.dmp
memory/4032-90-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-91-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-100-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-101-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-112-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/4032-113-0x0000000002760000-0x00000000027E0000-memory.dmp