Malware Analysis Report

2024-11-13 18:50

Sample ID: 240713-r8971axdkd
Target: 5d0fc271f0606b92ab5c9ad53a790cb0N.exe
SHA256: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b
Tags: remcos spacolombia2707raptor persistence rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b

Threat Level: Known bad

The file 5d0fc271f0606b92ab5c9ad53a790cb0N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: remcos spacolombia2707raptor persistence rat

  Remcos
  Adds Run key to start application
  Suspicious use of SetThreadContext
  Unsigned PE
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory

Read together, these signatures describe one chain, reproduced identically on Windows 7 and Windows 10. The sample starts a second copy of itself, writes into it (WriteProcessMemory, 13 and 12 calls in the two detonations) and redirects a thread into the written code (SetThreadContext), so the second instance rather than the on-disk file is what runs the RAT; SeDebugPrivilege is enabled beforehand. The Run value Pzpgzqlkyf under the user's HKCU hive points at a copy in AppData\Roaming and restarts the RAT at each logon of that user. The SetWindowsHookEx call and the logs.dat file created under AppData\Roaming\loggsdSSC are consistent with Remcos keystroke logging. Both detonations reach the same C2 endpoint, areaseguras.con-ip.com at 86.104.72.183:2707; the spacolombia2707raptor tag (the Remcos botnet identifier recovered from the sample's configuration) repeats that port number.

MITRE ATT&CK (Enterprise Matrix V15)

No technique mappings are listed in this report.

Analysis: static1

Detonation Overview

Reported: 2024-07-13 14:53

Signatures

Unsigned PE

  Description: N/A
  Indicator:   N/A
  Process:     N/A
  Target:      N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-07-13 14:53
Reported:         2024-07-13 14:55
Platform:         win7-20240705-en
Max time kernel:  150s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

Signatures

Remcos (rat, remcos)

Adds Run key to start application (persistence)

  Description: Set value (str)
  Indicator:   \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pzpgzqlkyf = "C:\\Users\\Admin\\AppData\\Roaming\\Pzpgzqlkyf.exe"
  Process:     C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
  Target:      N/A

Suspicious use of SetThreadContext

  Description: PID 2900 set thread context of 3160
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe (PID 2900)
  Target:      C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe (PID 3160)

Suspicious use of AdjustPrivilegeToken

  Description: Token: SeDebugPrivilege (2 events)
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
  Target:      N/A

Suspicious use of SetWindowsHookEx

  Description: N/A
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
  Target:      N/A

Suspicious use of WriteProcessMemory

  Description: PID 2900 wrote to memory of 3160 (13 events)
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe (PID 2900)
  Target:      C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe (PID 3160)

Processes

Two instances of the same image: PID 2900 (the initial process) and PID 3160 (the second copy, which 2900 wrote into and whose thread context it replaced, per the signatures above).

  C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

  C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

Network

  Country  Destination          Domain                  Proto
  US       8.8.8.8:53           areaseguras.con-ip.com  udp
  US       86.104.72.183:2707   areaseguras.con-ip.com  tcp
  US       8.8.8.8:53           geoplugin.net           udp
  NL       178.237.33.50:80     geoplugin.net           tcp

The 8.8.8.8:53 rows are the sandbox's resolver answering the sample's lookups, so the names queried are the indicators, not the resolver address. The two TCP endpoints are areaseguras.con-ip.com at 86.104.72.183:2707 (the Remcos C2, on a non-standard port) and geoplugin.net at 178.237.33.50:80 (the external-IP geolocation lookup Remcos performs on start-up; a public service shared with legitimate software, so treat it as context rather than as a blocking indicator).
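The chain recorded in this detonation (self-spawn, WriteProcessMemory plus SetThreadContext into the child, a Run value pointing into AppData\Roaming, and a TCP connection to a non-web port) is what a detection should correlate, rather than any one call on its own. The script below is an added example and is not part of the report or of the sandbox's own code. Its event schema is a simplified, assumed one modelled on the signature rows above (not the sandbox's native format and not Sysmon's field names); the EVENTS list is constructed from the behavioral1 values (PIDs 2900 and 3160, the Run key, the 86.104.72.183:2707 connection), while the parent PID 1234, the notepad.exe control entries and the attribution of the connection to PID 3160 are made up for the example.

```python
"""Correlate behavioural events into the injection + persistence + C2 pattern.

Added example, not part of the report or the sandbox. Event schema and the
non-report values (ppid 1234, notepad.exe, connection attributed to 3160)
are assumptions of this script.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\Pzpgzqlkyf")

EVENTS = [  # constructed, in time order
    {"type": "process_create", "pid": 2900, "ppid": 1234, "image": SAMPLE},
    {"type": "registry_set", "pid": 2900, "key": RUN_KEY,
     "data": r"C:\Users\Admin\AppData\Roaming\Pzpgzqlkyf.exe"},
    {"type": "process_create", "pid": 3160, "ppid": 2900, "image": SAMPLE},
    {"type": "write_process_memory", "pid": 2900, "target_pid": 3160},
    {"type": "set_thread_context", "pid": 2900, "target_pid": 3160},
    {"type": "network_connect", "pid": 3160, "proto": "tcp",
     "dst_ip": "86.104.72.183", "dst_port": 2707},
    # benign control events (made up): must not be flagged
    {"type": "process_create", "pid": 4100, "ppid": 1234,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "network_connect", "pid": 4100, "proto": "tcp",
     "dst_ip": "204.79.197.237", "dst_port": 443},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
WEB_PORTS = {80, 443}


def root_of(pid, parent, image):
    """Walk up a chain of same-image self-spawns to the original process."""
    while (parent.get(pid) in image
           and image[parent[pid]].lower() == image.get(pid, "").lower()):
        pid = parent[pid]
    return pid


def analyze(events):
    """Return {pid: set(findings)}, keyed on the process that started the chain."""
    image, parent = {}, {}
    wrote, set_ctx = set(), set()          # (source pid, target pid) pairs
    findings = defaultdict(set)
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image[ev["pid"]], parent[ev["pid"]] = ev["image"], ev["ppid"]
            # child image identical to the parent's own image: self-spawn
            if image.get(ev["ppid"], "").lower() == ev["image"].lower():
                findings[ev["ppid"]].add("self_spawn")
        elif kind == "registry_set":
            # Run value whose data lives under the roaming profile
            if RUN_KEY_RE.search(ev["key"]) and ROAMING_RE.search(ev["data"]):
                findings[ev["pid"]].add("run_key_to_appdata")
        elif kind == "write_process_memory":
            wrote.add((ev["pid"], ev["target_pid"]))
        elif kind == "set_thread_context":
            set_ctx.add((ev["pid"], ev["target_pid"]))
        elif kind == "network_connect":
            if ev["proto"] == "tcp" and ev["dst_port"] not in WEB_PORTS:
                # attribute the injected child's traffic back to the parent
                findings[root_of(ev["pid"], parent, image)].add("nonstandard_port_connect")
    # writing into a process AND replacing a thread context in it is the
    # hollowing / thread-hijack pattern; either call alone is far too noisy
    for src, dst in wrote & set_ctx:
        findings[src].add("thread_hijack_injection")
    return dict(findings)


def verdict(findings, threshold=3):
    """Processes that accumulate at least `threshold` distinct findings."""
    return {pid: sorted(f) for pid, f in findings.items() if len(f) >= threshold}


if __name__ == "__main__":
    for pid, hits in verdict(analyze(EVENTS)).items():
        print(pid, hits)
```

On an endpoint with Sysmon, process creation, the Run value write and the outbound connection map directly to Event IDs 1, 13 and 3. WriteProcessMemory and SetThreadContext are not logged as such; the nearest substitute is Event ID 10 (ProcessAccess) between two instances of the same image with a GrantedAccess mask that includes PROCESS_VM_WRITE (0x20) and PROCESS_VM_OPERATION (0x8).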

Files

Memory dumps of process 2900 (the initial instance):

  memory/2900-0-0x0000000073ECE000-0x0000000073ECF000-memory.dmp
  memory/2900-1-0x0000000000B50000-0x0000000000D28000-memory.dmp
  memory/2900-2-0x0000000004A10000-0x0000000004BD8000-memory.dmp
  memory/2900-3-0x0000000073EC0000-0x00000000745AE000-memory.dmp
  memory/2900-4-0x0000000004F00000-0x000000000515C000-memory.dmp
  memory/2900-{5,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62,64,66,68}-0x0000000004F00000-0x0000000005155000-memory.dmp
    (33 successive snapshots of the same region)
  memory/2900-4867-0x0000000004C50000-0x0000000004CEA000-memory.dmp
  memory/2900-4868-0x0000000004CF0000-0x0000000004D3C000-memory.dmp
  memory/2900-4869-0x0000000073EC0000-0x00000000745AE000-memory.dmp
  memory/2900-4870-0x0000000004D40000-0x0000000004D94000-memory.dmp
  memory/2900-4885-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Memory dumps of process 3160 (the second instance; its image region at 0x400000, dumped twice after 2900 wrote into it):

  memory/3160-4886-0x0000000000400000-0x0000000000482000-memory.dmp
  memory/3160-4903-0x0000000000400000-0x0000000000482000-memory.dmp

Dropped file:

  C:\Users\Admin\AppData\Roaming\loggsdSSC\logs.dat
    MD5    9b71cd6be5731b37fe929fbc6d9954e9
    SHA1   98678cc973534bb9270f3950a35b939a74fc5959
    SHA256 0ad5b1e88f1c0e9279280aef14e5805230fd6b948049c79e434151622c58b00f
    SHA512 cd245f90b0921b917bd47cc8766788e49963096a6e2517df6d5d14b27c533514fce4aa516d1fd0c6bee4b15aef974c9de73d38663db87084b921c70cd7816554

The same path is created in behavioral2 with different hashes, so the file's content depends on what was captured during the run; the directory name loggsdSSC and the file name logs.dat under AppData\Roaming are the reusable indicator, not the hashes.

Analysis: behavioral2

Detonation Overview

Submitted:        2024-07-13 14:53
Reported:         2024-07-13 14:55
Platform:         win10v2004-20240709-en
Max time kernel:  149s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

Signatures

Remcos (rat, remcos)

Adds Run key to start application (persistence)

  Description: Set value (str)
  Indicator:   \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pzpgzqlkyf = "C:\\Users\\Admin\\AppData\\Roaming\\Pzpgzqlkyf.exe"
  Process:     C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
  Target:      N/A

Suspicious use of SetThreadContext

  Description: PID 3408 set thread context of 4616
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe (PID 3408)
  Target:      C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe (PID 4616)

Suspicious use of AdjustPrivilegeToken

  Description: Token: SeDebugPrivilege (2 events)
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
  Target:      N/A

Suspicious use of SetWindowsHookEx

  Description: N/A
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
  Target:      N/A

Suspicious use of WriteProcessMemory

  Description: PID 3408 wrote to memory of 4616 (12 events)
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe (PID 3408)
  Target:      C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe (PID 4616)

Processes

Two instances of the same image: PID 3408 (the initial process) and PID 4616 (the second copy, which 3408 wrote into and whose thread context it replaced, per the signatures above).

  C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

  C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5d0fc271f0606b92ab5c9ad53a790cb0N.exe"

Network

  Country  Destination          Domain                        Proto
  US       8.8.8.8:53           g.bing.com                    udp
  US       204.79.197.237:443   g.bing.com                    tcp
  US       8.8.8.8:53           237.197.79.204.in-addr.arpa   udp
  US       8.8.8.8:53           88.210.23.2.in-addr.arpa      udp
  US       8.8.8.8:53           68.159.190.20.in-addr.arpa    udp
  US       8.8.8.8:53           55.36.223.20.in-addr.arpa     udp
  US       8.8.8.8:53           areaseguras.con-ip.com        udp
  US       86.104.72.183:2707   areaseguras.con-ip.com        tcp
  US       8.8.8.8:53           183.72.104.86.in-addr.arpa    udp
  US       8.8.8.8:53           geoplugin.net                 udp
  NL       178.237.33.50:80     geoplugin.net                 tcp
  US       8.8.8.8:53           50.33.237.178.in-addr.arpa    udp
  US       8.8.8.8:53           86.23.85.13.in-addr.arpa      udp
  US       8.8.8.8:53           18.31.95.13.in-addr.arpa      udp
  US       8.8.8.8:53           192.142.123.92.in-addr.arpa   udp
  US       8.8.8.8:53           30.243.111.52.in-addr.arpa    udp

The sample-attributable traffic is the same as in behavioral1: the lookup of areaseguras.con-ip.com followed by TCP to 86.104.72.183:2707, and the geoplugin.net lookup followed by HTTP to 178.237.33.50:80. The g.bing.com rows and the in-addr.arpa rows (reverse lookups of addresses the guest had contacted) are background activity of the Windows 10 guest and should not be lifted into an indicator list.
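Separating the two Network tables above (behavioral1 and behavioral2) into indicators and noise is mechanical once the categories are spelled out; the script below does it and emits Suricata rules for what survives. It is an added example and is not part of the report or of the sandbox's tooling. The rows are copied from the two tables; the RESOLVERS, BASELINE and GEOLOOKUP sets are assumptions of this script (what counts as guest background traffic depends on the sandbox image), and the sid values in the rules are placeholders.

```python
"""Sort a sandbox Network table into C2 indicators versus noise.

Added example, not part of the report or the sandbox. RESOLVERS, BASELINE,
GEOLOOKUP and the rule sids are assumptions of this script.
"""
import ipaddress

# Union of the behavioral1 and behavioral2 Network tables (copied from the report).
RAW_ROWS = """\
US 8.8.8.8:53 areaseguras.con-ip.com udp
US 86.104.72.183:2707 areaseguras.con-ip.com tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.72.104.86.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
"""

RESOLVERS = {"8.8.8.8"}        # the sandbox's upstream DNS; never an IOC itself
BASELINE = {"g.bing.com"}      # assumed guest-image background traffic
GEOLOOKUP = {"geoplugin.net"}  # public geolocation service: contextual, not C2


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        ipaddress.ip_address(ip)            # raises on a malformed address
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Label one row; order matters (PTR and baseline checks come first)."""
    if row["domain"].endswith(".in-addr.arpa"):
        return "reverse_lookup"
    if row["domain"] in BASELINE:
        return "baseline_noise"
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "dns_lookup"                 # the queried name is the indicator
    if row["domain"] in GEOLOOKUP:
        return "geolocation_check"
    if row["proto"] == "tcp" and ipaddress.ip_address(row["ip"]).is_global:
        return "c2_candidate"
    return "other"


def extract_iocs(rows):
    """Return C2 endpoints, queried names and contextual lookups, deduplicated."""
    iocs = {"c2": [], "resolved_domains": [], "contextual": []}
    for r in rows:
        cat = classify(r)
        endpoint = (r["domain"], r["ip"], r["port"])
        if cat == "c2_candidate" and endpoint not in iocs["c2"]:
            iocs["c2"].append(endpoint)
        elif cat == "dns_lookup" and r["domain"] not in iocs["resolved_domains"]:
            iocs["resolved_domains"].append(r["domain"])
        elif cat == "geolocation_check" and endpoint not in iocs["contextual"]:
            iocs["contextual"].append(endpoint)
    return iocs


def suricata_rules(iocs, family="Remcos", sid_base=1000001):
    """One DNS-query rule and one TCP rule per C2 endpoint (sids are placeholders)."""
    rules, sid = [], sid_base
    for domain, ip, port in iocs["c2"]:
        rules.append(f'alert dns any any -> any any (msg:"{family} C2 domain {domain}"; '
                     f'dns.query; content:"{domain}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
        rules.append(f'alert tcp any any -> {ip} {port} (msg:"{family} C2 {ip}:{port}"; '
                     f'flow:to_server,established; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    found = extract_iocs(parse_rows(RAW_ROWS))
    for key, value in found.items():
        print(key, value)
    print("\n".join(suricata_rules(found)))
```

Only the TCP rule blocks anything by itself; the DNS rule is there because a dynamic-DNS C2 name tends to outlive the address it currently resolves to, so the name is the more durable of the two indicators.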

Files

Memory dumps of process 3408 (the initial instance):

  memory/3408-0-0x0000000074E0E000-0x0000000074E0F000-memory.dmp
  memory/3408-1-0x00000000006A0000-0x0000000000878000-memory.dmp
  memory/3408-2-0x0000000074E00000-0x00000000755B0000-memory.dmp
  memory/3408-3-0x00000000051A0000-0x0000000005368000-memory.dmp
  memory/3408-4-0x0000000005470000-0x00000000056CC000-memory.dmp
  memory/3408-{5,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,51,52,54,56,58,60,62,64,66,68}-0x0000000005470000-0x00000000056C5000-memory.dmp
    (33 successive snapshots of the same region)
  memory/3408-4867-0x0000000074E00000-0x00000000755B0000-memory.dmp
  memory/3408-4868-0x00000000056D0000-0x000000000576A000-memory.dmp
  memory/3408-4869-0x0000000005770000-0x00000000057BC000-memory.dmp
  memory/3408-4870-0x0000000005FF0000-0x0000000006594000-memory.dmp
  memory/3408-4871-0x0000000005850000-0x00000000058A4000-memory.dmp
  memory/3408-4877-0x0000000074E00000-0x00000000755B0000-memory.dmp

Memory dumps of process 4616 (the second instance; the same 0x400000-0x482000 image region as PID 3160 in behavioral1, dumped twice after 3408 wrote into it):

  memory/4616-4878-0x0000000000400000-0x0000000000482000-memory.dmp
  memory/4616-4895-0x0000000000400000-0x0000000000482000-memory.dmp

Dropped file:

  C:\Users\Admin\AppData\Roaming\loggsdSSC\logs.dat
    MD5    79e83c104dfc5dea72274727ba189bf1
    SHA1   0e26ea42a148c624ac349ddc3f965fb005f5373d
    SHA256 2a4d946b280cb3103096c3791bbb8c4e2d117fe436cda497507ec1edecea64c0
    SHA512 c18b939a524865196c2ee99a487909757178bdfdc7086010bd9d8d056610038860dadefb6d5e3bfda2e4643de4fa4f3ef3f4decd9bcb6636063c069ce5ddebfe

Same path as in behavioral1, different content hashes: the file is written during the run, so match on the path, not on the hash.