Malware Analysis Report

2024-11-13 18:48

Sample ID 240725-2lfd8azamq
Target 6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54
SHA256 6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54
Tags
remotehost remcos discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54

Threat Level: Known bad

The file 6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54 was found to be: Known bad.

Malicious Activity Summary

remotehost remcos discovery

Remcos family

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-25 22:39

Signatures

Remcos family

remcos

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 22:39

Reported

2024-07-25 22:46

Platform

win7-20240704-en

Max time kernel

298s

Max time network

295s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe

"C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sembe.duckdns.org udp
BE 194.187.251.115:14645 sembe.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\note\nots.dat

MD5 29186b8f5d6df81ae7fe5e295a82e549
SHA1 97a6982dc6cf405bebffdebb4258a954541290c9
SHA256 d46b100155834058949277e5d0aad552fbccb92867ede15e6be290c7caac5f6d
SHA512 f220e3257cb89ccec6e22321e2866be95a7ef070e36ad3f85baa4de4a89683fd0707d333c2b8806d109b3beea493f075f3f5c84660cf159e84de50076ea8e305

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 22:39

Reported

2024-07-25 22:45

Platform

win10-20240404-en

Max time kernel

298s

Max time network

276s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe

"C:\Users\Admin\AppData\Local\Temp\6a11096f0dc9b60eefa9efaea9bfac5fcba2ece13b40f5a0d203bf91e2bdab54.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sembe.duckdns.org udp
BE 194.187.251.115:14645 sembe.duckdns.org tcp
US 8.8.8.8:53 115.251.187.194.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\note\nots.dat

MD5 db6213ed1ffb63c9b64b3fa4b3d0b944
SHA1 53dfb7f6364a275ec9e4983a089f48224d565f19
SHA256 961c43da5aa5a03cd7527cb6903cdb664e8b5b07e66cb5860ec74b82089a5687
SHA512 2805c181a1c8ee4c87ccc76df276b7835893a54476ca8101a114b806a8e6097372954b182252ffe44b4600c616f6382e340a5334959b39eeaeb0fda5b9eb37fe