Analysis Overview
SHA256
93170e9a2c087944860460abec7500792bc4ee4ea0b50888d3ccb53f60b0ab13
Threat Level: Known bad
The file incognito.exe was found to be: Known bad.
Malicious Activity Summary
Remcos family
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 06:47
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 06:47
Reported
2024-08-06 06:50
Platform
win11-20240802-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\incognito.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\incognito.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\incognito.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\incognito.exe
"C:\Users\Admin\AppData\Local\Temp\incognito.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.6:2404 | tcp | |
| N/A | 192.168.1.6:2404 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |