Analysis Overview
SHA256
b598665f15c6c098ecfc2c5185cb43946c0dfecd9e2f13f8f3d59b185eb73f02
Threat Level: Known bad
The file Purchase _Order_0000089.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
NirSoft MailPassView
Detected Nirsoft tools
NirSoft WebBrowserPassView
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-23 06:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-23 06:56
Reported
2024-07-23 06:58
Platform
win10v2004-20240709-en
Max time kernel
58s
Max time network
38s
Command Line
Signatures
Remcos
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 756 set thread context of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| PID 2920 set thread context of 4596 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| PID 2920 set thread context of 3460 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| PID 2920 set thread context of 2436 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe"
C:\Windows\System32\svchost.exe
"C:\Windows\System32\svchost.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\rvxapizbbhvecakbginhbfpymzu"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\bxckiakdppnjmpgnytaimskpvneysr"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\drhdjtvwlyfwpvurhencpxwgduvglcofhc"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 107.173.4.16:2560 | N/A | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 107.173.4.16:2560 | N/A | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 16.4.173.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
Files
memory/756-1-0x00007FFEFD103000-0x00007FFEFD105000-memory.dmp
memory/756-0-0x0000027E886D0000-0x0000027E886EE000-memory.dmp
memory/756-2-0x00007FFEFD100000-0x00007FFEFDBC1000-memory.dmp
memory/756-3-0x0000027EA2C10000-0x0000027EA2CE0000-memory.dmp
memory/2920-4-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-5-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-6-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-7-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-8-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-11-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-12-0x0000000000400000-0x0000000000482000-memory.dmp
memory/756-13-0x00007FFEFD100000-0x00007FFEFDBC1000-memory.dmp
memory/2920-14-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-15-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-16-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-17-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-19-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4596-20-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3460-21-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4596-25-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2436-24-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3460-34-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2436-33-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4596-32-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4596-30-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3460-29-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2436-28-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2436-27-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3460-31-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4596-39-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rvxapizbbhvecakbginhbfpymzu
| MD5 | 982ebb238759653970e22ee9fad24470 |
| SHA1 | 15fca6be8cc4a276c9f70a73f28c52c3b0eead15 |
| SHA256 | c8b9cad5602932ea51b923f39f4b2d9aedf1f4915880d89032ab6636acaf9bea |
| SHA512 | c8777edf0dd3e72e0cf3bb89db2bc7856fed0eeca7199806fec341e9168899e3b700c73a6b2e7cb0e8ccc5523116d6ecfde5c9ebcc83288a162dd1b0ea78201b |
memory/2920-41-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2920-44-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2920-45-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2920-46-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-51-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 5d684acd522be8be840b07586a4a3d63 |
| SHA1 | bc3da7423ca20cd080cbc1a2c452ae685a4a11f2 |
| SHA256 | 8c935581b61b6bdeb5e487473de8ba42613b7d469cc1a8de26d53965fcaba167 |
| SHA512 | 0d667d1e1bf8b6476236518c02e745d0550fe05378c36e0767c107beee4a46bf022d56e768112604ad4312feeed3a1da3cdface8e30cc814690328782d6cb158 |
memory/2920-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2920-53-0x0000000000400000-0x0000000000482000-memory.dmp