Analysis Overview
SHA256
6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c
Threat Level: Known bad
The file 6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-09 01:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-09 01:18
Reported
2024-08-09 01:20
Platform
win7-20240708-en
Max time kernel
148s
Max time network
142s
Command Line
Signatures
Remcos
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 824 set thread context of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe |
| PID 2736 set thread context of 1692 | N/A | C:\ProgramData\Adobe\Adobe.exe | C:\ProgramData\Adobe\Adobe.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | "C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe" |
| C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | "C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe" |
| C:\ProgramData\Adobe\Adobe.exe | "C:\ProgramData\Adobe\Adobe.exe" |
| C:\ProgramData\Adobe\Adobe.exe | "C:\ProgramData\Adobe\Adobe.exe" |
Network
| Country | Destination | Domain | Proto |
| DE | 104.250.180.178:7902 | N/A | tcp |
| DE | 104.250.180.178:7902 | N/A | tcp |
| DE | 104.250.180.178:7902 | N/A | tcp |
| DE | 104.250.180.178:7902 | N/A | tcp |
| DE | 104.250.180.178:7902 | N/A | tcp |
| DE | 104.250.180.178:7902 | N/A | tcp |
Files
C:\ProgramData\Adobe\Adobe.exe
| MD5 | 27bff21251401bdc53507869909489ac |
| SHA1 | 9799ac564ccff08975c682be7f9f300bafb452c7 |
| SHA256 | 6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c |
| SHA512 | eb6269a0355fa5fef9f34cc13d81ad44c5a44b9a81dfdbe0f88ccc2474988239d1384adb6745abe8e572f1a9a5478dea99d220864e4182b906448dfe4086e5ba |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-09 01:18
Reported
2024-08-09 01:20
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Remcos
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3372 set thread context of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe |
| PID 1232 set thread context of 2760 | N/A | C:\ProgramData\Adobe\Adobe.exe | C:\ProgramData\Adobe\Adobe.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | "C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe" |
| C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe | "C:\Users\Admin\AppData\Local\Temp\6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c.exe" |
| C:\ProgramData\Adobe\Adobe.exe | "C:\ProgramData\Adobe\Adobe.exe" |
| C:\ProgramData\Adobe\Adobe.exe | "C:\ProgramData\Adobe\Adobe.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 104.250.180.178:7902 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 104.250.180.178:7902 | N/A | tcp |
| DE | 104.250.180.178:7902 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 104.250.180.178:7902 | N/A | tcp |
| DE | 104.250.180.178:7902 | N/A | tcp |
| DE | 104.250.180.178:7902 | N/A | tcp |
Files
C:\ProgramData\Adobe\Adobe.exe
| MD5 | 27bff21251401bdc53507869909489ac |
| SHA1 | 9799ac564ccff08975c682be7f9f300bafb452c7 |
| SHA256 | 6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c |
| SHA512 | eb6269a0355fa5fef9f34cc13d81ad44c5a44b9a81dfdbe0f88ccc2474988239d1384adb6745abe8e572f1a9a5478dea99d220864e4182b906448dfe4086e5ba |