Malware Analysis Report

2024-11-13 18:52

Sample ID 240519-bjg7xsae45
Target 2baa36ebea1ad309fa1083845b0510d4ea439bd52463c67dc1376a722c2e9fbb.zip
SHA256 2baa36ebea1ad309fa1083845b0510d4ea439bd52463c67dc1376a722c2e9fbb
Tags
remcos 22077 rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2baa36ebea1ad309fa1083845b0510d4ea439bd52463c67dc1376a722c2e9fbb

Threat Level: Known bad

The file 2baa36ebea1ad309fa1083845b0510d4ea439bd52463c67dc1376a722c2e9fbb.zip was found to be: Known bad.

Malicious Activity Summary

remcos 22077 rat

Remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 01:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 01:10

Reported

2024-05-19 01:13

Platform

win7-20240508-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1888 set thread context of 2924 N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2604 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2604 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2604 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2604 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2604 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2604 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2356 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2356 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2356 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2356 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2356 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2356 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2356 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2632 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2632 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2632 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2632 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2632 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2632 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2632 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 1888 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2924 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2924 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2924 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2924 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2924 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe

"C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
NO 195.54.170.36:22077 tcp
NO 195.54.170.36:22077 tcp
NO 195.54.170.36:22077 tcp
NO 195.54.170.36:22077 tcp
NO 195.54.170.36:22077 tcp

Files

memory/2604-0-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2604-3-0x0000000000400000-0x0000000000712000-memory.dmp

\Users\Admin\AppData\Roaming\UniversalInstaller.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

memory/2356-20-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Roaming\relay.dll

MD5 26f5bc7e93d04836018674ea346fcfc7
SHA1 3b7d74663bfc45388c403d2b4e242df5ee18e8f0
SHA256 2da4a73ab27ca87449151f119852b16280c64c8f7f4a1f3170a27875ae577163
SHA512 7e59b552b3c4b1b5278ad65f2da91bae9e1e429863b8f629ee8522ef330fe0973bb5c52bc69c4cb0b2af92274c2630246403debc9596f211921ed91ba736d7b9

C:\Users\Admin\AppData\Roaming\nighttime.xlsx

MD5 6c6f6a14e9d0a4a4cccf42c556fbd674
SHA1 171078d45ebc27f5a8e448dc451d4f94947d82e5
SHA256 3b5e6c71c2ffbfb6e2db0338d44df9c403aca7778f487543cc6a1cb07a9a21e3
SHA512 8757f66f912ffb888229dbf9d21243dc14888bf21c401818e467d5d12865c7430c48fa0a9c5e6b96db3305f8413f2fe1200dcd9e9325839758a8c6ecac09477e

C:\Users\Admin\AppData\Roaming\bigmouth.ai

MD5 2006f33bd138198426dd0029bfb59d78
SHA1 b6331330a0ac4eec341c1c9eeb6f2f8cd202d1e4
SHA256 33a2f64783b7ccd9f66145d9d7288bff62a4a89b5ee3c82f7f5fe8d1bf68581f
SHA512 9fd5b2280c80b953fa74a5e5a8278b85b229daca0dfce988d8dafa14bc6db8906811da3b4628f27336886de8495822a173c36a72cfd9b8a90fbd8327fed5b649

memory/2632-26-0x00000000740D0000-0x0000000074244000-memory.dmp

memory/2632-27-0x0000000076D00000-0x0000000076EA9000-memory.dmp

C:\Users\Admin\AppData\Roaming\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/1888-43-0x0000000073EA0000-0x0000000074014000-memory.dmp

memory/1888-44-0x0000000076D00000-0x0000000076EA9000-memory.dmp

memory/1888-45-0x0000000073EA0000-0x0000000074014000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c41721ef

MD5 1437436fe8fbcaa1622b084a09e02034
SHA1 e313eb25c537421fcf8fbe34f3570bf827adb3b5
SHA256 33cd6347c80ddb24edbd9c16d7740ba7284a94230f7401997006da6516333cdc
SHA512 ebcc9b999e3d11940da7354dffcbcf0e89e75063f9114969691985adb2fd0cf204d9b1e88b2e0e940ac92e2702a04e651ae13d7578abd435b4b9ddbfa1f21f5a

memory/2924-48-0x0000000076D00000-0x0000000076EA9000-memory.dmp

memory/2924-94-0x0000000073EA0000-0x0000000074014000-memory.dmp

memory/2564-96-0x0000000076D00000-0x0000000076EA9000-memory.dmp

memory/2564-97-0x00000000000D0000-0x0000000000153000-memory.dmp

memory/2564-101-0x00000000000D0000-0x0000000000153000-memory.dmp

memory/2564-102-0x00000000000D0000-0x0000000000153000-memory.dmp

memory/2564-103-0x00000000000D0000-0x0000000000153000-memory.dmp

memory/2564-104-0x00000000000D0000-0x0000000000153000-memory.dmp

memory/2564-105-0x00000000000D0000-0x0000000000153000-memory.dmp

memory/2564-106-0x00000000000D0000-0x0000000000153000-memory.dmp

memory/2564-107-0x00000000000D0000-0x0000000000153000-memory.dmp

memory/2564-108-0x00000000000D0000-0x0000000000153000-memory.dmp

memory/2564-109-0x00000000000D0000-0x0000000000153000-memory.dmp

memory/2564-110-0x00000000000D0000-0x0000000000153000-memory.dmp

memory/2564-111-0x00000000000D0000-0x0000000000153000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 01:10

Reported

2024-05-19 01:13

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2528 set thread context of 2068 N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2072 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2072 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 3292 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 3292 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 3292 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 464 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 464 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 464 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2528 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2068 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2068 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2068 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2068 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe

"C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
NO 195.54.170.36:22077 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NO 195.54.170.36:22077 tcp
NO 195.54.170.36:22077 tcp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NO 195.54.170.36:22077 tcp
NO 195.54.170.36:22077 tcp

Files

memory/2072-0-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/3292-4-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/2072-3-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

memory/3292-20-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Roaming\relay.dll

MD5 26f5bc7e93d04836018674ea346fcfc7
SHA1 3b7d74663bfc45388c403d2b4e242df5ee18e8f0
SHA256 2da4a73ab27ca87449151f119852b16280c64c8f7f4a1f3170a27875ae577163
SHA512 7e59b552b3c4b1b5278ad65f2da91bae9e1e429863b8f629ee8522ef330fe0973bb5c52bc69c4cb0b2af92274c2630246403debc9596f211921ed91ba736d7b9

C:\Users\Admin\AppData\Roaming\nighttime.xlsx

MD5 6c6f6a14e9d0a4a4cccf42c556fbd674
SHA1 171078d45ebc27f5a8e448dc451d4f94947d82e5
SHA256 3b5e6c71c2ffbfb6e2db0338d44df9c403aca7778f487543cc6a1cb07a9a21e3
SHA512 8757f66f912ffb888229dbf9d21243dc14888bf21c401818e467d5d12865c7430c48fa0a9c5e6b96db3305f8413f2fe1200dcd9e9325839758a8c6ecac09477e

C:\Users\Admin\AppData\Roaming\bigmouth.ai

MD5 2006f33bd138198426dd0029bfb59d78
SHA1 b6331330a0ac4eec341c1c9eeb6f2f8cd202d1e4
SHA256 33a2f64783b7ccd9f66145d9d7288bff62a4a89b5ee3c82f7f5fe8d1bf68581f
SHA512 9fd5b2280c80b953fa74a5e5a8278b85b229daca0dfce988d8dafa14bc6db8906811da3b4628f27336886de8495822a173c36a72cfd9b8a90fbd8327fed5b649

memory/464-25-0x00000000748E0000-0x0000000074A5B000-memory.dmp

C:\Users\Admin\AppData\Roaming\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/464-26-0x00007FFD8CE70000-0x00007FFD8D065000-memory.dmp

memory/2528-40-0x00000000740C0000-0x000000007423B000-memory.dmp

memory/2528-41-0x00007FFD8CE70000-0x00007FFD8D065000-memory.dmp

memory/2528-42-0x00000000740C0000-0x000000007423B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b5d5babe

MD5 90397ef652e54fb4722afac5098e95f1
SHA1 fa4a94b5a469b473781c440a76e9713e270f51a5
SHA256 3be32cbb167c6c860f8a6e910d4d4b02e152c139e02a74bd026369c74ff2f516
SHA512 020566e00bc760943e4fa5f2c8c3d62eff7cdd941fa2a6b1c5c8096a1062ad5fbb0e849e16675049efebdf2355e7c3013bbdb8d8b8dacc3a0408493726a71bac

memory/2068-45-0x00007FFD8CE70000-0x00007FFD8D065000-memory.dmp

memory/2068-47-0x00000000740C0000-0x000000007423B000-memory.dmp

memory/1048-49-0x00007FFD8CE70000-0x00007FFD8D065000-memory.dmp

memory/1048-50-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1048-52-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1048-53-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1048-54-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1048-55-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1048-56-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1048-57-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1048-58-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1048-59-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1048-60-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1048-61-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1048-62-0x0000000000400000-0x0000000000483000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-19 01:10

Reported

2024-05-19 01:13

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\devobj.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\devobj.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-19 01:10

Reported

2024-05-19 01:13

Platform

win10v2004-20240426-en

Max time kernel

130s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lmhsvc.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lmhsvc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 23.62.61.97:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-19 01:10

Reported

2024-05-19 01:13

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tzsyncres.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tzsyncres.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4604,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A