Analysis Overview
SHA256
d941acbebee5cadc37d5860d07e296eb2334b6f00e5ee1c5f4edf832511bc34e
Threat Level: Known bad
The file crowdstrike-hotfix(1).zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-20 13:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-20 13:09
Reported
2024-07-20 20:31
Platform
win7-20240704-en
Max time kernel
1800s
Max time network
1788s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2280 set thread context of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| FR | 213.5.130.58:443 | | tcp |
Files
memory/2280-0-0x0000000073ED0000-0x0000000074044000-memory.dmp
memory/2280-1-0x0000000076DD0000-0x0000000076F79000-memory.dmp
memory/2280-12-0x0000000073EE2000-0x0000000073EE4000-memory.dmp
memory/2280-13-0x0000000073ED0000-0x0000000074044000-memory.dmp
memory/2280-14-0x0000000073ED0000-0x0000000074044000-memory.dmp
memory/2280-16-0x0000000000400000-0x000000000064B000-memory.dmp
memory/2280-22-0x0000000061E00000-0x0000000061ECA000-memory.dmp
memory/2556-25-0x0000000073ED0000-0x0000000074044000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3fd9d65e
| MD5 | 93a4ad254e087866dd80f1d251915d78 |
| SHA1 | 11da31511e0ec5ea0d3977d81b12546c9da2e0f6 |
| SHA256 | 5566d99730c3c2fbc2afaadda7047ead225c3cd56c1bb0aa48ebf4cb26310862 |
| SHA512 | 4dcc457966f09a62d098b03b67c40ab6b274bb6e41851713f9a6542514b76abf7ca9d3a762967ed3f677f66d44b4ff6f17b8e0678b975ba8cd5667441d5f49b1 |
memory/2280-23-0x0000000050310000-0x0000000050349000-memory.dmp
memory/2280-21-0x0000000057800000-0x0000000057812000-memory.dmp
memory/2280-20-0x0000000050120000-0x000000005030D000-memory.dmp
memory/2280-19-0x0000000057000000-0x000000005703F000-memory.dmp
memory/2280-18-0x0000000059800000-0x000000005986E000-memory.dmp
memory/2280-17-0x0000000050000000-0x0000000050116000-memory.dmp
memory/2556-26-0x0000000076DD0000-0x0000000076F79000-memory.dmp
memory/2556-71-0x0000000073ED0000-0x0000000074044000-memory.dmp
memory/2556-72-0x0000000073ED0000-0x0000000074044000-memory.dmp
memory/2556-74-0x0000000073ED0000-0x0000000074044000-memory.dmp
memory/1740-75-0x0000000076DD0000-0x0000000076F79000-memory.dmp
memory/1740-76-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-79-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-81-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-82-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-83-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-84-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-85-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-86-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-87-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-88-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-89-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-90-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-91-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-92-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-93-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-94-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-95-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-96-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-97-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-98-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-99-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-100-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-102-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-103-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-104-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-106-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-108-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-109-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-110-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-111-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-112-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-113-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-114-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-115-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-116-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-117-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-118-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-119-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-120-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-121-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-122-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-123-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-124-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-125-0x0000000000400000-0x0000000000483000-memory.dmp
memory/1740-126-0x0000000000400000-0x0000000000483000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-20 13:09
Reported
2024-07-20 20:31
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1780s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3104 set thread context of 3416 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3104 wrote to memory of 3416 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3104 wrote to memory of 3416 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3104 wrote to memory of 3416 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3104 wrote to memory of 3416 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3416 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 3416 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 3416 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 3416 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 3416 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| FR | 213.5.130.58:443 | | tcp |
| US | 8.8.8.8:53 | 58.130.5.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/3104-0-0x0000000072B60000-0x0000000072CDB000-memory.dmp
memory/3104-1-0x00007FFED7BA0000-0x00007FFED7D7B000-memory.dmp
memory/3104-12-0x0000000072B72000-0x0000000072B74000-memory.dmp
memory/3104-13-0x0000000072B60000-0x0000000072CDB000-memory.dmp
memory/3104-14-0x0000000072B60000-0x0000000072CDB000-memory.dmp
memory/3104-16-0x0000000000400000-0x000000000064B000-memory.dmp
memory/3416-24-0x0000000072B60000-0x0000000072CDB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bd356813
| MD5 | 94b1e2e7fe605703c19b2781138034c3 |
| SHA1 | 84e50a55327a09be4dbea7a6ae534bc902d07b7e |
| SHA256 | 0442811a1b67539e0a0e31022f732d585b4a729a6de4fa0c1f0a6fdcbe79257a |
| SHA512 | 2f851bc10ea2699fd650400fb4bf50a92571d8e7d2c0d219d46fa0874c9525f720d5de771b702ebcc3b35654ff92d26789502650ff9e954bd77076dd54a02727 |
memory/3104-23-0x0000000061E00000-0x0000000061ECA000-memory.dmp
memory/3104-22-0x0000000050310000-0x0000000050349000-memory.dmp
memory/3104-21-0x0000000050120000-0x000000005030D000-memory.dmp
memory/3104-20-0x0000000057800000-0x0000000057812000-memory.dmp
memory/3104-19-0x0000000057000000-0x000000005703F000-memory.dmp
memory/3104-18-0x0000000059800000-0x000000005986E000-memory.dmp
memory/3104-17-0x0000000050000000-0x0000000050116000-memory.dmp
memory/3416-26-0x00007FFED7BA0000-0x00007FFED7D7B000-memory.dmp
memory/3416-28-0x0000000072B60000-0x0000000072CDB000-memory.dmp
memory/3416-29-0x0000000072B60000-0x0000000072CDB000-memory.dmp
memory/3416-31-0x0000000072B60000-0x0000000072CDB000-memory.dmp
memory/2696-32-0x00007FFED7BA0000-0x00007FFED7D7B000-memory.dmp
memory/2696-33-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-35-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-37-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-38-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-39-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-40-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-41-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-42-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-43-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-44-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-45-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-46-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-47-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-48-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-49-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-50-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-51-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-52-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-53-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-54-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-55-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-56-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-67-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-69-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-70-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-71-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-74-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-77-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-78-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-79-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-81-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2696-82-0x0000000000400000-0x0000000000483000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-20 13:09
Reported
2024-07-20 20:32
Platform
win10v2004-20240709-en
Max time kernel
1799s
Max time network
1781s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4968 set thread context of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4968 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4968 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4968 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4968 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3272 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 3272 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 3272 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 3272 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 3272 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| FR | 213.5.130.58:443 | | tcp |
| US | 8.8.8.8:53 | 58.130.5.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
memory/4968-0-0x0000000073FA0000-0x000000007411B000-memory.dmp
memory/4968-1-0x00007FF884FF0000-0x00007FF8851E5000-memory.dmp
memory/4968-12-0x0000000073FB2000-0x0000000073FB4000-memory.dmp
memory/4968-13-0x0000000073FA0000-0x000000007411B000-memory.dmp
memory/4968-14-0x0000000073FA0000-0x000000007411B000-memory.dmp
memory/4968-23-0x0000000061E00000-0x0000000061ECA000-memory.dmp
memory/4968-22-0x0000000050310000-0x0000000050349000-memory.dmp
memory/3272-24-0x0000000073FA0000-0x000000007411B000-memory.dmp
memory/4968-21-0x0000000050120000-0x000000005030D000-memory.dmp
memory/4968-20-0x0000000057800000-0x0000000057812000-memory.dmp
memory/4968-19-0x0000000050000000-0x0000000050116000-memory.dmp
memory/4968-18-0x0000000059800000-0x000000005986E000-memory.dmp
memory/4968-17-0x0000000057000000-0x000000005703F000-memory.dmp
memory/4968-16-0x0000000000400000-0x000000000064B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\596aebec
| MD5 | d336ae369f45f8461508cdb1459e180c |
| SHA1 | 5c04503b2b72984cae4db54b5ea7f9eaa9649190 |
| SHA256 | 328fce3e2e726eceff313cb3619e1acaf675c91fb06a06337965d44c4bdaf26e |
| SHA512 | e5918e7cac038ccc7dff9d7c25447cb5e52b54305befcc5a8b21a518c3cecb95eb0d97f35ea7883af998abb87d1a730e988691c51189d649de791275a213e302 |
memory/3272-26-0x00007FF884FF0000-0x00007FF8851E5000-memory.dmp
memory/3272-29-0x0000000073FA0000-0x000000007411B000-memory.dmp
memory/3272-28-0x0000000073FA0000-0x000000007411B000-memory.dmp
memory/3272-31-0x0000000073FA0000-0x000000007411B000-memory.dmp
memory/2700-32-0x00007FF884FF0000-0x00007FF8851E5000-memory.dmp
memory/2700-33-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-36-0x0000000000283000-0x000000000028B000-memory.dmp
memory/2700-37-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-39-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-40-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-41-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-42-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-43-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-44-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-45-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-46-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-47-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-48-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-49-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-50-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-51-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-53-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-54-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-55-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-56-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-57-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-59-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-60-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-61-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-62-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-63-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-64-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-75-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-79-0x0000000000C00000-0x0000000000C83000-memory.dmp
memory/2700-82-0x0000000000C00000-0x0000000000C83000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-20 13:09
Reported
2024-07-20 13:16
Platform
win11-20240709-en
Max time kernel
421s
Max time network
422s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5848 set thread context of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5848 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5848 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5848 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5848 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4248 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 4248 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 4248 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 4248 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 4248 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| FR | 213.5.130.58:443 | | tcp |
| US | 8.8.8.8:53 | 58.130.5.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/5848-0-0x0000000074120000-0x000000007429D000-memory.dmp
memory/5848-1-0x00007FFD2EF00000-0x00007FFD2F109000-memory.dmp
memory/5848-12-0x0000000074132000-0x0000000074134000-memory.dmp
memory/5848-13-0x0000000074120000-0x000000007429D000-memory.dmp
memory/5848-14-0x0000000074120000-0x000000007429D000-memory.dmp
memory/5848-22-0x0000000061E00000-0x0000000061ECA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f45dd40d
| MD5 | e677bc4258b90087c676f4aa15dfea63 |
| SHA1 | 3321ea06efcce547921e99bc803978712a00ebe0 |
| SHA256 | 72d802975b8b0c078c139859f2f924b1bf5dc3249cfeafa337631d53767bdc8c |
| SHA512 | f63900d1d819cd56fb33c28c73bce0603dde8214c5817cf25ade7c4b53aa207cde865113fb2d876dd9906ad8a7389c1ea995f2429a7c62c67c7371672241b945 |
memory/4248-24-0x0000000074120000-0x000000007429D000-memory.dmp
memory/5848-23-0x0000000050310000-0x0000000050349000-memory.dmp
memory/5848-21-0x0000000050120000-0x000000005030D000-memory.dmp
memory/5848-20-0x0000000057800000-0x0000000057812000-memory.dmp
memory/5848-19-0x0000000057000000-0x000000005703F000-memory.dmp
memory/5848-18-0x0000000059800000-0x000000005986E000-memory.dmp
memory/5848-16-0x0000000000400000-0x000000000064B000-memory.dmp
memory/5848-17-0x0000000050000000-0x0000000050116000-memory.dmp
memory/4248-26-0x00007FFD2EF00000-0x00007FFD2F109000-memory.dmp
memory/4248-28-0x0000000074120000-0x000000007429D000-memory.dmp
memory/4248-29-0x0000000074120000-0x000000007429D000-memory.dmp
memory/4248-31-0x0000000074120000-0x000000007429D000-memory.dmp
memory/4100-32-0x00007FFD2EF00000-0x00007FFD2F109000-memory.dmp
memory/4100-33-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-36-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-38-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-39-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-40-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-41-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-42-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-43-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-44-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-45-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-50-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-51-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-52-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-56-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-57-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-58-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-59-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-60-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-63-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-64-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-68-0x00000000008E0000-0x0000000000963000-memory.dmp
memory/4100-71-0x00000000008E0000-0x0000000000963000-memory.dmp