Analysis Overview
SHA256
553bd8b6c13d775bbaa9c5b2d9c02ee8df0e232180dfd17c5f7a67188bb3e218
Threat Level: Known bad
The file PAMELA+2023+ORGANIZERpdf.tar was found to be: Known bad.
Malicious Activity Summary
Remcos
Blocklisted process makes network request
Adds Run key to start application
Suspicious use of NtCreateThreadExHideFromDebugger
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-08 13:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-08 13:54
Reported
2024-08-08 13:57
Platform
win7-20240708-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Remcos
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe
"C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe"
C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe
"C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | privmerkt.com | udp |
| BE | 172.111.244.2:6042 | privmerkt.com | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
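The `reg add` in the Processes list and the two endpoints in the Network table are what a responder would carry to other hosts. The Python below is an added example written for this report, not sandbox output and not code from the Remcos authors. It tokenizes the command line the way Windows programs see argv (the closing quote before `,EntryPoint` still leaves one argument, which is why the registry value reads `...FirefoxData.dll,EntryPoint`), flags the `*` prefix on the value name (Windows also starts Run entries whose name begins with `*` in Safe Mode, so the implant outlives a Safe Mode clean-up), notes the rundll32 proxy, and matches connection records against the C2 and geoplugin endpoints above. The two command lines are copied from this page; the connection records, including the benign DNS entry, are constructed for the demo.

```python
"""Persistence and network checks for the behaviour recorded above.
Added example for this report; command lines are copied from the page,
connection records are constructed."""
import re

REG_CMD = r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f'
CMD_CMD = r'cmd.exe /C ' + REG_CMD + r' & exit'

# Run / RunOnce under any hive or SID prefix
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)


def win_argv(cmdline):
    """Windows-style argv split: whitespace separates, double quotes group,
    and a quoted piece glued to an unquoted piece is ONE argument
    ("a b",c -> 'a b,c').  Backslash-escaped quotes are not handled."""
    args, cur, quoted, pending = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            quoted, pending = not quoted, True
        elif ch.isspace() and not quoted:
            if pending:
                args.append("".join(cur))
                cur, pending = [], False
        else:
            cur.append(ch)
            pending = True
    if pending:
        args.append("".join(cur))
    return args


def parse_reg_add(cmdline):
    """{key, name, type, data} of the first 'reg add' in cmdline, stopping at
    a cmd.exe '&' separator; None if there is no 'reg add'."""
    toks = win_argv(cmdline)
    low = [t.lower() for t in toks]
    start = None
    for i in range(len(low) - 1):
        is_reg = low[i] in ("reg", "reg.exe") or low[i].endswith("\\reg.exe")
        if is_reg and low[i + 1] == "add":
            start = i + 2
            break
    if start is None:
        return None
    rest = toks[start:]
    if "&" in rest:                      # anything after '&' is another command
        rest = rest[:rest.index("&")]
    if not rest:
        return None
    info = {"key": rest[0], "name": None, "type": None, "data": None}
    fields = {"/v": "name", "/t": "type", "/d": "data"}
    j = 1
    while j < len(rest):
        opt = rest[j].lower()
        if opt in fields and j + 1 < len(rest):
            info[fields[opt]] = rest[j + 1]
            j += 2
        else:
            j += 1
    return info


def assess_persistence(cmdline):
    """Findings for a 'reg add' that writes an autorun value, else None."""
    info = parse_reg_add(cmdline)
    if info is None or not RUN_KEY.search(info["key"]):
        return None
    name, data = info["name"] or "", info["data"] or ""
    findings = ["autorun value written under " + info["key"]]
    if name.startswith("*"):
        # '*' prefix: Windows starts the entry in Safe Mode as well
        findings.append("value name %r starts with '*': runs in Safe Mode too" % name)
    first = data.split(" ", 1)[0].lower() if data else ""
    if first in ("rundll32", "rundll32.exe") or first.endswith("\\rundll32.exe"):
        findings.append("payload proxied through rundll32: " + data)
    return {"key": info["key"], "name": name, "data": data, "findings": findings}


# Endpoints from the Network table above
C2_ENDPOINTS = {("privmerkt.com", 6042), ("172.111.244.2", 6042)}
GEOIP_ENDPOINTS = {("geoplugin.net", 80), ("178.237.33.50", 80)}


def classify_connection(dst, port):
    key = (dst.lower(), int(port))
    if key in C2_ENDPOINTS:
        return "remcos-c2"
    if key in GEOIP_ENDPOINTS:
        return "geoip-lookup"
    return None


# Constructed connection log: (process, destination, port)
SAMPLE_CONNECTIONS = [
    ("TaxDocuments.exe", "172.111.244.2", 6042),
    ("TaxDocuments.exe", "geoplugin.net", 80),
    ("svchost.exe", "8.8.8.8", 53),
]


def scan_connections(records):
    """[(process, dst, port, label)] for records hitting a known endpoint."""
    hits = []
    for proc, dst, port in records:
        label = classify_connection(dst, port)
        if label:
            hits.append((proc, dst, port, label))
    return hits


if __name__ == "__main__":
    for line in (CMD_CMD, REG_CMD):
        print(assess_persistence(line)["findings"])
    print(scan_connections(SAMPLE_CONNECTIONS))
```

Feed `assess_persistence` the CommandLine field of process-creation events (Sysmon event 1, Security 4688 with command-line auditing); it fires on the cmd.exe wrapper as well as on reg.exe, so either telemetry source catches the write. The port 6042 match is specific to this detonation; the domain and the geoplugin lookup are the more durable indicators.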
Files
memory/1816-0-0x0000000011000000-0x0000000011369000-memory.dmp
memory/1816-1-0x0000000010000000-0x0000000010207000-memory.dmp
memory/1816-2-0x0000000010026000-0x0000000010040000-memory.dmp
memory/2656-8-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2656-7-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2656-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2656-3-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/1816-11-0x0000000010000000-0x0000000010207000-memory.dmp
memory/1816-10-0x0000000010000000-0x0000000010207000-memory.dmp
memory/2656-16-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-15-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/1816-14-0x0000000002370000-0x00000000026D9000-memory.dmp
memory/2656-17-0x0000000011000000-0x0000000011369000-memory.dmp
memory/2656-13-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-12-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-18-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-19-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-20-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-21-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/1816-24-0x0000000011000000-0x0000000011369000-memory.dmp
memory/2656-25-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-26-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-27-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-28-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-30-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-31-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-33-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-32-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-34-0x00000000001B0000-0x0000000000232000-memory.dmp
memory/2656-35-0x00000000001B0000-0x0000000000232000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-08 13:54
Reported
2024-08-08 13:57
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe
"C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe"
C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe
"C:\Users\Admin\AppData\Local\Temp\TaxDocuments.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | privmerkt.com | udp |
| BE | 172.111.244.2:6042 | privmerkt.com | tcp |
| US | 8.8.8.8:53 | 2.244.111.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.125.209.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/2300-0-0x0000000011000000-0x0000000011369000-memory.dmp
memory/2300-2-0x0000000010026000-0x0000000010040000-memory.dmp
memory/2300-1-0x0000000010000000-0x0000000010207000-memory.dmp
memory/2300-3-0x0000000010000000-0x0000000010207000-memory.dmp
memory/2300-8-0x0000000010000000-0x0000000010207000-memory.dmp
memory/2300-7-0x0000000010000000-0x0000000010207000-memory.dmp
memory/4940-4-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/4940-9-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-11-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-12-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-10-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-13-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-14-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-15-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-16-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2300-19-0x0000000011000000-0x0000000011369000-memory.dmp
memory/4940-20-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-21-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-25-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-29-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4940-30-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-08 13:54
Reported
2024-08-08 13:57
Platform
win7-20240729-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | privmerkt.com | udp |
| BE | 172.111.244.2:6042 | privmerkt.com | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/2680-1-0x0000000010026000-0x0000000010040000-memory.dmp
memory/2680-0-0x0000000010000000-0x0000000010207000-memory.dmp
memory/2828-3-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-17-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-14-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-13-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2680-12-0x0000000010000000-0x0000000010207000-memory.dmp
memory/2680-10-0x0000000010000000-0x0000000010207000-memory.dmp
memory/2828-8-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2828-6-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2828-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2828-16-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-18-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-19-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-20-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-21-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-25-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-24-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-26-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-28-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-29-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-32-0x0000000000150000-0x00000000001D2000-memory.dmp
memory/2828-33-0x0000000000150000-0x00000000001D2000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-08 13:54
Reported
2024-08-08 13:57
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | privmerkt.com | udp |
| BE | 172.111.244.2:6042 | privmerkt.com | tcp |
| US | 8.8.8.8:53 | 2.244.111.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/2776-1-0x0000000010026000-0x0000000010040000-memory.dmp
memory/2776-0-0x0000000010000000-0x0000000010207000-memory.dmp
memory/2776-2-0x0000000010000000-0x0000000010207000-memory.dmp
memory/444-3-0x00000000008B0000-0x00000000008B1000-memory.dmp
memory/2776-6-0x0000000010000000-0x0000000010207000-memory.dmp
memory/2776-8-0x0000000010000000-0x0000000010207000-memory.dmp
memory/444-7-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-9-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-10-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-11-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-12-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-13-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-14-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-15-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-17-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-18-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-19-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-20-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-21-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-22-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-23-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-24-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-25-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-26-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-27-0x0000000000820000-0x00000000008A2000-memory.dmp
memory/444-28-0x0000000000820000-0x00000000008A2000-memory.dmp