Analysis Overview
SHA256
b598665f15c6c098ecfc2c5185cb43946c0dfecd9e2f13f8f3d59b185eb73f02
Threat Level: Known bad
The file Purchase _Order_0000089.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
NirSoft MailPassView
NirSoft WebBrowserPassView
Detected Nirsoft tools
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-23 06:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-23 06:56
Reported
2024-07-23 06:58
Platform
win10v2004-20240709-en
Max time kernel
58s
Max time network
38s
Command Line
Signatures
Remcos
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 756 set thread context of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| PID 2920 set thread context of 4596 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| PID 2920 set thread context of 3460 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| PID 2920 set thread context of 2436 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe | "C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" |
| C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\Windows Mail\wab.exe" |
| C:\Windows\System32\svchost.exe | "C:\Windows\System32\svchost.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\rvxapizbbhvecakbginhbfpymzu" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\bxckiakdppnjmpgnytaimskpvneysr" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\drhdjtvwlyfwpvurhencpxwgduvglcofhc" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 107.173.4.16:2560 | N/A | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 107.173.4.16:2560 | N/A | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 16.4.173.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\rvxapizbbhvecakbginhbfpymzu
| Hash | Value |
| --- | --- |
| MD5 | 982ebb238759653970e22ee9fad24470 |
| SHA1 | 15fca6be8cc4a276c9f70a73f28c52c3b0eead15 |
| SHA256 | c8b9cad5602932ea51b923f39f4b2d9aedf1f4915880d89032ab6636acaf9bea |
| SHA512 | c8777edf0dd3e72e0cf3bb89db2bc7856fed0eeca7199806fec341e9168899e3b700c73a6b2e7cb0e8ccc5523116d6ecfde5c9ebcc83288a162dd1b0ea78201b |
C:\ProgramData\remcos\logs.dat
| Hash | Value |
| --- | --- |
| MD5 | 5d684acd522be8be840b07586a4a3d63 |
| SHA1 | bc3da7423ca20cd080cbc1a2c452ae685a4a11f2 |
| SHA256 | 8c935581b61b6bdeb5e487473de8ba42613b7d469cc1a8de26d53965fcaba167 |
| SHA512 | 0d667d1e1bf8b6476236518c02e745d0550fe05378c36e0767c107beee4a46bf022d56e768112604ad4312feeed3a1da3cdface8e30cc814690328782d6cb158 |