Analysis Overview
SHA256
391ac1ceedd3c960f32890f834a86ba1570ee5a0cc12dcef1714d43bb29fc457
Threat Level: Known bad
The file 통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
UPX packed file
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
AutoIT Executable
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-09 09:09
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-09 09:09
Reported
2024-08-09 09:12
Platform
win7-20240704-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\svchost.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2552 set thread context of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2360 set thread context of 2768 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2360 set thread context of 2776 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2360 set thread context of 2852 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe | "C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\elnexuxjfnvovwwualsaibisdchmagxtt" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\pftwy" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\zhghzxsep" |
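The process list and the SetThreadContext table above describe one chain: the dropper (PID 2552) hollows a SysWOW64\svchost.exe (PID 2360) that still carries the dropper's own command line, and that svchost.exe in turn writes three more svchost.exe children that run with the NirSoft `/stext <file>` dump-to-text switch. The following detection logic is an added example, not part of the sandbox report or of any vendor product. It models process-creation events on Sysmon Event ID 1 fields (pid, ppid, image, command line, parent image); the sample events are constructed from the report's values, and treating each "set thread context" pair as a parent/child pair, plus the explorer.exe parent for the dropper and the benign services.exe baseline, are assumptions the report does not state.

```python
"""Flag the Remcos-style process chain from process-creation telemetry.

Added example. Event shape is modelled on Sysmon Event ID 1; sample events
are constructed from the behavioral1 report (parent/child links assumed).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # path of the executing image
    command_line: str   # command line as recorded by the sensor
    parent_image: str   # path of the parent's image


_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')
_STEXT = re.compile(r"(?i)\s/stext\b")


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def command_line_image(cmdline: str) -> str:
    """First token of a Windows command line with surrounding quotes removed."""
    m = _FIRST_TOKEN.match(cmdline)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def analyse(ev: ProcEvent) -> list[str]:
    """Return the findings for one event; an empty list means nothing notable."""
    findings: list[str] = []
    img = basename(ev.image)
    cl_img = basename(command_line_image(ev.command_line))

    # 1. svchost.exe is normally a child of services.exe; any other parent is suspect.
    if img == "svchost.exe" and basename(ev.parent_image) != "services.exe":
        findings.append("svchost.exe not spawned by services.exe")

    # 2. Image path and argv[0] disagree: the process was created with one image
    #    and now runs another (process hollowing), as PID 2360 does above.
    if cl_img and cl_img != img:
        findings.append(f"image/command-line mismatch: {img} running as {cl_img}")

    # 3. '/stext <file>' is the NirSoft dump-to-text switch; svchost.exe has no such option.
    if img == "svchost.exe" and _STEXT.search(ev.command_line):
        findings.append("NirSoft /stext dump switch under svchost.exe")
    return findings


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> findings for every event that produced at least one finding."""
    return {ev.pid: f for ev in events if (f := analyse(ev))}


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe"
SVCHOST32 = r"C:\Windows\SysWOW64\svchost.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events: one benign baseline, then the chain from the report.
EVENTS = [
    ProcEvent(900, 500, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),           # benign (assumed baseline)
    ProcEvent(2552, 1400, DROPPER, f'"{DROPPER}"', r"C:\Windows\explorer.exe"),  # parent assumed
    ProcEvent(2360, 2552, SVCHOST32, f'"{DROPPER}"', DROPPER),                   # hollowed svchost
    ProcEvent(2768, 2360, SVCHOST32,
              rf'{SVCHOST32} /stext "{TMP}\elnexuxjfnvovwwualsaibisdchmagxtt"', SVCHOST32),
    ProcEvent(2776, 2360, SVCHOST32, rf'{SVCHOST32} /stext "{TMP}\pftwy"', SVCHOST32),
    ProcEvent(2852, 2360, SVCHOST32, rf'{SVCHOST32} /stext "{TMP}\zhghzxsep"', SVCHOST32),
]

if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        print(pid, "->", "; ".join(findings))
```

Rule 2 is the one that survives renaming of the `/stext` output files: a hollowed process keeps the command line it was created with, so the image-versus-argv[0] comparison needs no knowledge of the payload. Rule 1 should be tuned per estate before alerting, since some service hosts are legitimately started by other parents.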
Network
| Country | Destination | Domain | Proto |
| LT | 194.169.175.190:2404 | | tcp |
| LT | 194.169.175.190:2404 | | tcp |
| LT | 194.169.175.190:2404 | | tcp |
Files
memory/2552-0-0x0000000000D20000-0x0000000000F0B000-memory.dmp
memory/2552-12-0x0000000000210000-0x0000000000214000-memory.dmp
memory/2360-13-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-15-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-16-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2552-17-0x0000000000D20000-0x0000000000F0B000-memory.dmp
memory/2360-18-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-19-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-20-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-21-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2768-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2776-30-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2768-27-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2776-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2768-38-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2852-41-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2776-37-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2768-36-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2776-35-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2776-34-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2768-33-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2852-45-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2852-44-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2852-43-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2852-46-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2768-51-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\elnexuxjfnvovwwualsaibisdchmagxtt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2360-53-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2360-56-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2360-57-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2360-58-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2776-59-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2360-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-63-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-65-0x0000000000400000-0x0000000000482000-memory.dmp
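The Files listing above is a flat sequence of memory-dump artifacts, which is hard to read as a picture of what each process held. The following script is an added example, not part of the sandbox output: it groups the dumps by PID and address range so that the distinct image-sized regions in the three `/stext` children (PIDs 2768, 2776 and 2852) and the extra 0x10000000 region that appears later in PID 2360 stand out. The `memory/<pid>-<sequence>-<start>-<end>-memory.dmp` naming scheme is read off the names themselves and is an assumption about the sandbox's convention, not a documented format; the listing embedded below is copied from the behavioral1 Files section (hash rows omitted), with the dropped-file path left in to show that non-dump entries are skipped.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed artifact naming: memory/<pid>-<sequence>-<start>-<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    start: int
    end: int
    dumps: int       # number of dumps taken of exactly this range
    first_seq: int   # sequence number of the first such dump

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name):
    """(pid, seq, start, end) for a memory-dump artifact name, else None."""
    m = DUMP_NAME.match(name.strip())
    if not m:
        return None  # dropped-file path, hash row or anything else
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def regions(listing: str):
    """Collapse a Files listing into one Region per (pid, start, end)."""
    seqs = defaultdict(list)
    for line in listing.splitlines():
        parsed = parse_dump_name(line)
        if parsed is None:
            continue
        pid, seq, start, end = parsed
        seqs[(pid, start, end)].append(seq)
    out = [Region(pid, start, end, len(s), min(s)) for (pid, start, end), s in seqs.items()]
    return sorted(out, key=lambda r: (r.pid, r.start))


# Copied from the behavioral1 Files listing above (hash rows omitted).
LISTING = """\
memory/2552-0-0x0000000000D20000-0x0000000000F0B000-memory.dmp
memory/2552-12-0x0000000000210000-0x0000000000214000-memory.dmp
memory/2360-13-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-15-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-16-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2552-17-0x0000000000D20000-0x0000000000F0B000-memory.dmp
memory/2360-18-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-19-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-20-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-21-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2768-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2776-30-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2768-27-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2776-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2768-38-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2852-41-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2776-37-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2768-36-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2776-35-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2776-34-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2768-33-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2852-45-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2852-44-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2852-43-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2852-46-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2768-51-0x0000000000400000-0x0000000000478000-memory.dmp
C:\\Users\\Admin\\AppData\\Local\\Temp\\elnexuxjfnvovwwualsaibisdchmagxtt
memory/2360-53-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2360-56-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2360-57-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2360-58-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2776-59-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2360-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-63-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2360-65-0x0000000000400000-0x0000000000482000-memory.dmp
"""

if __name__ == "__main__":
    for r in regions(LISTING):
        print(f"{r.pid:>5}  {r.start:#010x}-{r.end:#010x}  size={r.size:#x}  "
              f"dumps={r.dumps}  first_seq={r.first_seq}")
```

Read this way, the three svchost.exe children each carry one region at 0x400000 of a different size (0x78000, 0x62000 and 0x24000), consistent with three different payloads having been written into them, while PID 2360 gains a 0x19000 region at 0x10000000 only from sequence 53 onward, after the children were already running. Which payload is which is not recoverable from the dump names alone; that is what the signature hits (Remcos, MailPassView, WebBrowserPassView) supply.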
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-09 09:09
Reported
2024-08-09 09:12
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\svchost.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2884 set thread context of 3524 | N/A | C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3524 set thread context of 4368 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3524 set thread context of 2592 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3524 set thread context of 1372 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe | "C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\통관용_AG-C016-24_ATLANTIC GOLD_NORTH WESTpdf.exe" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\idfgocxtkionrxscpwdphadgzgbe" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\lfkypvhnyqgstmggygqisfxpintflow" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\lfkypvhnyqgstmggygqisfxpintflow" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vzqjqnsouzyeesdkprkkvrkgjcdomzuswn" |
Network
| Country | Destination | Domain | Proto |
| LT | 194.169.175.190:2404 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| LT | 194.169.175.190:2404 | | tcp |
| LT | 194.169.175.190:2404 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.171.59.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/2884-0-0x0000000000050000-0x000000000023B000-memory.dmp
memory/2884-12-0x0000000000C80000-0x0000000000C84000-memory.dmp
memory/3524-13-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-14-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-15-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-18-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-19-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2884-17-0x0000000000050000-0x000000000023B000-memory.dmp
memory/3524-20-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-21-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-25-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4368-32-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1372-41-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2592-42-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1372-40-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2592-39-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1372-38-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2592-33-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4368-37-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1372-36-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4368-29-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1372-34-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2592-28-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2592-31-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4368-26-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4368-47-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3524-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-53-0x0000000010000000-0x0000000010019000-memory.dmp
memory/3524-52-0x0000000010000000-0x0000000010019000-memory.dmp
memory/3524-49-0x0000000010000000-0x0000000010019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\idfgocxtkionrxscpwdphadgzgbe
| MD5 | 16f4f7c4051f4bbdaa93a1ca80690065 |
| SHA1 | 750cacbdd2d089a88119374560d6ac004954e90e |
| SHA256 | 6c4559e4413cccaeab73cad48ffd804506c95566e4d6a3f5ae64017a33ea6ec2 |
| SHA512 | cb0f68d393ad03a5c802a2978ff7b12e20911bac5e27200c2df16d5d3f63dfc2387c0cd1a9075d8e4ba9ae804a6b61225575e2f42b3ef024e863d5b172417964 |
memory/3524-55-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-56-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-58-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-59-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-63-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3524-64-0x0000000000400000-0x0000000000482000-memory.dmp