Analysis Overview
SHA256
d340b977be533b8eb83e5e5833a643097202b32c7f9e4fdfacb327c0213a7bc6
Threat Level: Known bad
The file NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.bin.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Adds Run key to start application
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-19 17:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-19 17:26
Reported
2024-07-19 17:29
Platform
win7-20240705-en
Max time kernel
148s
Max time network
144s
Command Line
Signatures
Remcos
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nuuuio = "C:\\Users\\Admin\\Pictures\\NONOUTUNMMap\\FirefoxUp.exe" | C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe
"C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe"
C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe
"C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | jesusgabrielahumadalora09.con-ip.com | udp |
| CO | 181.141.40.50:1880 | jesusgabrielahumadalora09.con-ip.com | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/2512-1-0x0000000000412000-0x000000000042C000-memory.dmp
memory/2512-0-0x0000000000400000-0x0000000000A28000-memory.dmp
memory/2512-2-0x0000000000400000-0x0000000000A28000-memory.dmp
memory/2512-3-0x0000000000400000-0x0000000000A28000-memory.dmp
memory/2532-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2532-8-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-4-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-10-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-14-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-16-0x0000000000400000-0x0000000000A28000-memory.dmp
memory/2512-15-0x0000000000400000-0x0000000000A28000-memory.dmp
memory/2532-11-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-17-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-18-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-19-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-20-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-26-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-25-0x00000000000C0000-0x0000000000142000-memory.dmp
C:\ProgramData\remcos\logs.dat
| Hash | Value |
| --- | --- |
| MD5 | 6151f1a4460ec2cb9eafea3229ffff2a |
| SHA1 | ea0f44cfde4c383ce2e86a1dd96aa1aed596e3e1 |
| SHA256 | 9a507c510653dabd3df0d93be9ad55fd5465e2e286f2d0b91a31621a5a86ac38 |
| SHA512 | 8b268d67e57202e1553c8f65188a9695c1fdcf1d767fa1046f79b2ad245ebb4fdfc7e726efa9a164405516e44ed9407c9ff8fc7001d0d0333c51d121c1fbc904 |
memory/2532-33-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-34-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-42-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-41-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-49-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-50-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-57-0x00000000000C0000-0x0000000000142000-memory.dmp
memory/2532-58-0x00000000000C0000-0x0000000000142000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-19 17:26
Reported
2024-07-19 17:29
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nuuuio = "C:\\Users\\Admin\\Pictures\\NONOUTUNMMap\\FirefoxUp.exe" | C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe
"C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe"
C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe
"C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE DEMANDA DE LA ALCALDIA DE INIRIDA - JULIO 18 DEL 2024.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jesusgabrielahumadalora09.con-ip.com | udp |
| CO | 181.141.40.50:1880 | jesusgabrielahumadalora09.con-ip.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.40.141.181.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/1700-0-0x0000000000400000-0x0000000000A28000-memory.dmp
memory/1700-1-0x0000000000412000-0x000000000042C000-memory.dmp
memory/1700-2-0x0000000000400000-0x0000000000A28000-memory.dmp
memory/4000-3-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-4-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-5-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-11-0x0000000000400000-0x0000000000A28000-memory.dmp
memory/1700-10-0x0000000000400000-0x0000000000A28000-memory.dmp
memory/4000-9-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-6-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-12-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-13-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-14-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-15-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-20-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-19-0x00000000000D0000-0x0000000000152000-memory.dmp
C:\ProgramData\remcos\logs.dat
| Hash | Value |
| --- | --- |
| MD5 | fd176d6ef74570d8fff8b9702f741e9e |
| SHA1 | 429dfb8304f407b1fa9eb1d3fb91d2e9bcafd695 |
| SHA256 | 33b63a8805fd312eadac24b712265f05c129ddc4a2a873d8b7d8e33a2f8bfdb8 |
| SHA512 | a3e4919d1b577b5c89515b80524b4271610427f4b7b406d5abd264bbcd3bfb6b021efc7b8b921811f8f57b75b9f7af7ee333b39ea57475af8a5c0d7a29adf606 |
memory/4000-27-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-28-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-35-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-36-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-43-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-51-0x00000000000D0000-0x0000000000152000-memory.dmp
memory/4000-52-0x00000000000D0000-0x0000000000152000-memory.dmp