Analysis Overview
SHA256
013bbe786abfe4beb88648d3dfdc4ac5acb727205752f2c531d5f7a07cd82c73
Threat Level: Known bad
The file 8a458f8bf9b11144c594cbbc7c3792cb.bin was found to be: Known bad.
Malicious Activity Summary
Remcos
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-11 03:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 03:11
Reported
2024-05-11 03:13
Platform
win7-20240221-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1968 set thread context of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\64e4751715440a03a26ed06092966a7c120379495d0718d569df43faac5bd0d7.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\64e4751715440a03a26ed06092966a7c120379495d0718d569df43faac5bd0d7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\64e4751715440a03a26ed06092966a7c120379495d0718d569df43faac5bd0d7.exe
"C:\Users\Admin\AppData\Local\Temp\64e4751715440a03a26ed06092966a7c120379495d0718d569df43faac5bd0d7.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 66.63.162.155:1608 | | tcp |
| US | 66.63.162.155:1608 | | tcp |
| US | 66.63.162.155:1608 | | tcp |
| US | 66.63.162.155:1608 | | tcp |
| US | 66.63.162.155:1608 | | tcp |
| US | 66.63.162.155:1608 | | tcp |
| US | 66.63.162.155:1608 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-11 03:11
Reported
2024-05-11 03:13
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4972 set thread context of 3868 | N/A | C:\Users\Admin\AppData\Local\Temp\64e4751715440a03a26ed06092966a7c120379495d0718d569df43faac5bd0d7.exe | C:\Program Files (x86)\Windows Mail\wab.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\64e4751715440a03a26ed06092966a7c120379495d0718d569df43faac5bd0d7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\64e4751715440a03a26ed06092966a7c120379495d0718d569df43faac5bd0d7.exe
"C:\Users\Admin\AppData\Local\Temp\64e4751715440a03a26ed06092966a7c120379495d0718d569df43faac5bd0d7.exe"
C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe"
C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 66.63.162.155:1608 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 66.63.162.155:1608 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 66.63.162.155:1608 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 66.63.162.155:1608 | | tcp |
| US | 66.63.162.155:1608 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 66.63.162.155:1608 | | tcp |
| US | 66.63.162.155:1608 | | tcp |
Files