Malware Analysis Report

2024-11-13 18:50

Sample ID 240713-hax1casaqc
Target 5d0fc271f0606b92ab5c9ad53a790cb0N.exe
SHA256 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b
Tags
remcos spacolombia2707raptor persistence rat
score
10/10


Analysis Overview

score
10/10

SHA256

5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b

Threat Level: Known bad

The file 5d0fc271f0606b92ab5c9ad53a790cb0N.exe was found to be: Known bad.

Malicious Activity Summary

remcos spacolombia2707raptor persistence rat

Remcos

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-13 06:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-13 06:32

Reported

2024-07-13 06:34

Platform

win7-20240705-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

Signatures

Remcos

rat remcos

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pzpgzqlkyf = "C:\\Users\\Admin\\AppData\\Roaming\\Pzpgzqlkyf.exe" C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2128 set thread context of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 2128 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe

"C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe

"C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 areaseguras.con-ip.com udp
US 86.104.72.183:2707 areaseguras.con-ip.com tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Roaming\loggsdSSC\logs.dat

MD5 747914c9ae0818f2a44d54c155d886bc
SHA1 a0369df5650daca266a9f7830eccc9b8aece8026
SHA256 28b8aebb652b031a9dd0b0b01677f9474107dacc9f2fc16cd833c3a1680b857f
SHA512 8f862b0e13109e3d6f2a46a0ea7dd8750648d106150a318ec510d4a1678d715f779992e8936b056438068427162d33f03209498bc8694eae5e2639b0f9bad982

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-13 06:32

Reported

2024-07-13 06:34

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

Signatures

Remcos

rat remcos

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pzpgzqlkyf = "C:\\Users\\Admin\\AppData\\Roaming\\Pzpgzqlkyf.exe" C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1992 set thread context of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
PID 1992 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe

"C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe

"C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 areaseguras.con-ip.com udp
US 86.104.72.183:2707 areaseguras.con-ip.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
US 8.8.8.8:53 183.72.104.86.in-addr.arpa udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\loggsdSSC\logs.dat

MD5 82c3adf6dd74b41775765e289e479b5e
SHA1 895191e89f044cb21afaab41e38355b91c231597
SHA256 6f0b216b78efa2d2e9162386e187a62038edf686552f00c77b32a0b85c8eb404
SHA512 76beeaaf3d3b01c02aa1e9dcd322d4a1d167438b140888cee7c7fc500124acdea59ab8b6f329adb36a907ad3b185093d69b69ba93410f959fcd0fd5a6a040ba1