Analysis Overview
SHA256
2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc
Threat Level: Known bad
The file 2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Loads dropped DLL
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-09 12:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-09 12:42
Reported
2024-08-09 12:44
Platform
win7-20240729-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Remcos
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2296 set thread context of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\niveaukurven.ini | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\vocabulary.Med | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
"C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"
C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
"C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 91.92.242.99:80 | 91.92.242.99 | tcp |
| NL | 45.66.231.198:2404 | N/A | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Admin\AppData\Local\rijksdaalder.lnk
| MD5 | c3ed2a95da6fb5210a6df97b23abcec9 |
| SHA1 | 1d1303142c967a2771b4e8c1e3bb32fbccc543bc |
| SHA256 | 2664015fecc017abb0e1c0f1a2fbb5ef07b1f1739b8da3a69b27f3f58ccbe379 |
| SHA512 | 667e1130078e2d13f00dac44f8847129d7f0f893b666bd5b21d74a908551fa2902f323a33f80ed64f2790a25ab0e5df458db32123fb7d41c0addaa342856804a |
\Users\Admin\AppData\Local\Temp\nszAA64.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-09 12:42
Reported
2024-08-09 12:44
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Remcos
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4884 set thread context of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\niveaukurven.ini | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\vocabulary.Med | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
"C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"
C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe
"C:\Users\Admin\AppData\Local\Temp\2bda6048a888003443cd18df65f75441974ea3dfa04d524c957b0d7c268654dc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 91.92.242.99:80 | 91.92.242.99 | tcp |
| NL | 45.66.231.198:2404 | N/A | tcp |
| US | 8.8.8.8:53 | 99.242.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.231.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\rijksdaalder.lnk
| MD5 | 98bd50a7d33108386e8f145f2cd21428 |
| SHA1 | fb44efd0821aec8f12d9decba036d74806b839dd |
| SHA256 | dbaa6036031fcd6741b538daf4ded0e903119b99dc23feb085b26fb5c0e2fc40 |
| SHA512 | b6a8d77ef01a99c874995b5cc43555d35a39bcc90d5b22ff339c0575e1bec59a1f428e9e890e06fdf8f15480aa47412703f6e96f0418e9e470db50df64e41800 |
C:\Users\Admin\AppData\Local\Temp\nsw96B3.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-09 12:42
Reported
2024-08-09 12:44
Platform
win7-20240705-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 220
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-09 12:42
Reported
2024-08-09 12:44
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
146s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2844 wrote to memory of 4680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2844 wrote to memory of 4680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2844 wrote to memory of 4680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4680 -ip 4680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |