Analysis Overview
SHA256
d680f58a9803eb57e4564754e91fbad12f92a0850d14cb6e0b145d868edaa213
Threat Level: Known bad
The file 2976-34-0x0000000000400000-0x0000000000417000-memory.dmp was found to be: Known bad.
Malicious Activity Summary
Remcos family
Nirsoft
NirSoft MailPassView
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-11 08:18
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 08:18
Reported
2024-05-11 08:21
Platform
win7-20240508-en
Max time kernel
120s
Max time network
140s
Command Line
Signatures
NirSoft MailPassView
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | N/A |
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\gpnbdkkjwffbfloxwfedmqpc"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\jkauecvlsnxnprcbfqrfxvjtvug"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\tmfffvgegvpssgynobdyahwcwjqrlc"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\iipwyan"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\skugytxdvwq"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\veizzdiwjeipcu"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\ptwqvkciebmiovonlztyrkmjlodtoxhrk"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\anjjwc"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\kqobxvydg"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| SE | 62.102.148.185:9771 | | tcp |
| SE | 62.102.148.185:9771 | | tcp |
| SE | 62.102.148.185:9771 | | tcp |
| SE | 62.102.148.185:9771 | | tcp |
| SE | 62.102.148.185:9771 | | tcp |
Files
memory/3000-1-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3000-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3000-26-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2804-42-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1964-16-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2804-43-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2804-41-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2804-40-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1964-46-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1964-37-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3000-36-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2804-35-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2804-32-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2804-31-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2804-29-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2804-27-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3000-24-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1964-25-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1964-23-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1964-22-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1964-21-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3000-20-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3000-6-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3000-5-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3000-3-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1964-15-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1964-13-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1964-11-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3000-10-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3000-50-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2804-51-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1616-73-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1616-80-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1428-81-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2404-105-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1428-102-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2404-98-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1616-96-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iipwyan
| Hash | Value |
|---|---|
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2928-144-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1108-152-0x0000000000400000-0x000000000041E000-memory.dmp
memory/772-149-0x0000000000400000-0x0000000000424000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-11 08:18
Reported
2024-05-11 08:21
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
140s
Command Line
Signatures
NirSoft MailPassView
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4304 set thread context of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe |
| PID 4304 set thread context of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe |
| PID 4304 set thread context of 408 | N/A | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\nenhmphiwgzz"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\ygsanisksordvad"
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe
C:\Users\Admin\AppData\Local\Temp\2976-34-0x0000000000400000-0x0000000000417000-memory.exe /stext "C:\Users\Admin\AppData\Local\Temp\aaxsfaddgwkqxgzuxmu"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| SE | 62.102.148.185:9771 | | tcp |
| US | 8.8.8.8:53 | 185.148.102.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| BE | 2.17.196.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.196.17.2.in-addr.arpa | udp |
| SE | 62.102.148.185:9771 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| SE | 62.102.148.185:9771 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/2608-1-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2608-5-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2608-11-0x0000000000400000-0x0000000000457000-memory.dmp
memory/408-23-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1568-21-0x0000000000400000-0x0000000000424000-memory.dmp
memory/408-20-0x0000000000400000-0x000000000041E000-memory.dmp
memory/408-14-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1568-10-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2608-9-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1568-8-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1568-7-0x0000000000400000-0x0000000000424000-memory.dmp
memory/408-19-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1568-3-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2608-26-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nenhmphiwgzz
| Hash | Value |
|---|---|
| MD5 | e2c3e1c6ab6bae4a7f568e5d17ba539a |
| SHA1 | 536259010db44571f4de092c992e4af328d3916c |
| SHA256 | 1b6b484d9695b66276a1470468cf3269a102af126968401719dba7d051aff88a |
| SHA512 | b047018ee243294d03b229129541bd185fa58e5d3d965bb3f7d3a58b43a18221cd5ddeedc63c48974e781c0a114b7cb84a03d823f2be27a5524e58ec5b599cf9 |