Malware Analysis Report

2024-12-07 22:16

Sample ID 240809-pxhbqs1amm
Target 2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
SHA256 2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc
Tags
remcos remotehost discovery rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc

Threat Level: Known bad

The file 2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery rat

Remcos

Loads dropped DLL

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 12:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 12:42

Reported

2024-08-09 12:44

Platform

win7-20240729-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"

Signatures

Remcos

rat remcos

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\niveaukurven.ini C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A
File opened for modification C:\Program Files (x86)\vocabulary.Med C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
PID 2296 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
PID 2296 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
PID 2296 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
PID 2296 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
PID 2296 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe

"C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"

C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe

"C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"

Network

Country Destination Domain Proto
NL 91.92.242.99:80 91.92.242.99 tcp
NL 45.66.231.198:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\rijksdaalder.lnk

MD5 c3ed2a95da6fb5210a6df97b23abcec9
SHA1 1d1303142c967a2771b4e8c1e3bb32fbccc543bc
SHA256 2664015fecc017abb0e1c0f1a2fbb5ef07b1f1739b8da3a69b27f3f58ccbe379
SHA512 667e1130078e2d13f00dac44f8847129d7f0f893b666bd5b21d74a908551fa2902f323a33f80ed64f2790a25ab0e5df458db32123fb7d41c0addaa342856804a

\Users\Admin\AppData\Local\Temp\nszAA64.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

memory/2296-675-0x0000000077871000-0x0000000077972000-memory.dmp

memory/2296-676-0x0000000077870000-0x0000000077A19000-memory.dmp

memory/1328-677-0x0000000077870000-0x0000000077A19000-memory.dmp

memory/1328-678-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-683-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-684-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-685-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-686-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-687-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-688-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-689-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-690-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-691-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-692-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-693-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-694-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/1328-695-0x00000000004A0000-0x0000000001502000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 12:42

Reported

2024-08-09 12:44

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"

Signatures

Remcos

rat remcos

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\niveaukurven.ini C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A
File opened for modification C:\Program Files (x86)\vocabulary.Med C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe

"C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"

C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe

"C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 91.92.242.99:80 91.92.242.99 tcp
NL 45.66.231.198:2404 tcp
US 8.8.8.8:53 99.242.92.91.in-addr.arpa udp
US 8.8.8.8:53 198.231.66.45.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\rijksdaalder.lnk

MD5 98bd50a7d33108386e8f145f2cd21428
SHA1 fb44efd0821aec8f12d9decba036d74806b839dd
SHA256 dbaa6036031fcd6741b538daf4ded0e903119b99dc23feb085b26fb5c0e2fc40
SHA512 b6a8d77ef01a99c874995b5cc43555d35a39bcc90d5b22ff339c0575e1bec59a1f428e9e890e06fdf8f15480aa47412703f6e96f0418e9e470db50df64e41800

C:\Users\Admin\AppData\Local\Temp\nsw96B3.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

memory/4884-674-0x0000000077621000-0x0000000077741000-memory.dmp

memory/4884-675-0x0000000074275000-0x0000000074276000-memory.dmp

memory/2760-676-0x00000000776A8000-0x00000000776A9000-memory.dmp

memory/2760-677-0x00000000776C5000-0x00000000776C6000-memory.dmp

memory/2760-678-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-682-0x0000000077621000-0x0000000077741000-memory.dmp

memory/2760-684-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-685-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-686-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-687-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-688-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-689-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-690-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-691-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-692-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-693-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-694-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2760-695-0x00000000004A0000-0x00000000016F4000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-09 12:42

Reported

2024-08-09 12:44

Platform

win7-20240705-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-09 12:42

Reported

2024-08-09 12:44

Platform

win10v2004-20240802-en

Max time kernel

125s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 4680 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 4680 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 4680 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4680 -ip 4680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp

Files

N/A