Analysis Overview
SHA256
6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54
Threat Level: Known bad
The file 6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54 was found to be: Known bad.
Malicious Activity Summary
Remcos family
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-25 22:39
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-25 22:39
Reported
2024-07-25 22:46
Platform
win7-20240704-en
Max time kernel
298s
Max time network
295s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe
"C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sembe.duckdns.org | udp |
| BE | 194.187.251.115:14645 | sembe.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\note\nots.dat
| MD5 | 29186b8f5d6df81ae7fe5e295a82e549 |
| SHA1 | 97a6982dc6cf405bebffdebb4258a954541290c9 |
| SHA256 | d46b100155834058949277e5d0aad552fbccb92867ede15e6be290c7caac5f6d |
| SHA512 | f220e3257cb89ccec6e22321e2866be95a7ef070e36ad3f85baa4de4a89683fd0707d333c2b8806d109b3beea493f075f3f5c84660cf159e84de50076ea8e305 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-25 22:39
Reported
2024-07-25 22:45
Platform
win10-20240404-en
Max time kernel
298s
Max time network
276s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe
"C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sembe.duckdns.org | udp |
| BE | 194.187.251.115:14645 | sembe.duckdns.org | tcp |
| US | 8.8.8.8:53 | 115.251.187.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\note\nots.dat
| MD5 | db6213ed1ffb63c9b64b3fa4b3d0b944 |
| SHA1 | 53dfb7f6364a275ec9e4983a089f48224d565f19 |
| SHA256 | 961c43da5aa5a03cd7527cb6903cdb664e8b5b07e66cb5860ec74b82089a5687 |
| SHA512 | 2805c181a1c8ee4c87ccc76df276b7835893a54476ca8101a114b806a8e6097372954b182252ffe44b4600c616f6382e340a5334959b39eeaeb0fda5b9eb37fe |