Analysis Overview
SHA256
8dbaaf8394250340e282a70a69dad00c21424e68d56cfc46816c1d0c2a2a0bd6
Threat Level: Known bad
The file remcos_a.exe was found to be: Known bad.
Malicious Activity Summary
Remcos family
Program crash
Unsigned PE
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-13 00:04
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-13 00:04
Reported
2024-07-13 00:10
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
204s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2700 -ip 2700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-13 00:04
Reported
2024-07-13 00:10
Platform
win11-20240709-en
Max time kernel
211s
Max time network
274s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 944 -ip 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 628
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-13 00:04
Reported
2024-07-13 00:10
Platform
win10-20240404-en
Max time kernel
300s
Max time network
255s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | f.f.f.f.d.b.b.8.0.9.8.2.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.252.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |