Analysis Overview
SHA256
d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca
Threat Level: Known bad
The file d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-10 01:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-10 01:44
Reported
2024-08-10 01:47
Platform
win7-20240729-en
Max time kernel
148s
Max time network
142s
Command Line
Signatures
Remcos
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2616 set thread context of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe |
| PID 2924 set thread context of 2660 | N/A | C:\ProgramData\Adobe\Adobe.exe | C:\ProgramData\Adobe\Adobe.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of WriteProcessMemory
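The tables above describe one chain: the sample writes a Run value (Adobe-OTOIRK) in both HKCU and HKLM pointing at C:\ProgramData\Adobe\Adobe.exe, and both the original and the dropped copy then set the thread context of a child running their own image (PID 2616 into 2300, PID 2924 into 2660). Two checks worth making from the report itself: the dropped Adobe.exe has the same SHA256 as the submitted sample (see Files), so it is a self-copy and a hash IOC for one covers both; and the HKLM value lands under Wow6432Node, which is the WOW64 redirection of a 32-bit process writing HKLM\SOFTWARE\...\Run on 64-bit Windows, a write that only succeeds because the sandbox runs as Admin. The injected children (2300 and 2660 here, 4676 and 3092 in behavioral2) all dump the same 0x400000-0x482000 region, consistent with one payload image written into the hollowed child. The following detection logic is an added example, not sandbox output or Remcos code; its event records are constructed by hand from the behavioral1 rows, plus one benign control row (a vendor updater under Program Files) that is an assumption and not in the report.

```python
"""Detection logic for the Run-key persistence + self-injection chain above.

Added example: the EVENTS list is constructed from the behavioral1 tables in a
simplified sandbox-like shape; the "Vendor" rows are an assumed benign control.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe")
DROPPED = r"C:\ProgramData\Adobe\Adobe.exe"
SID = "S-1-5-21-2257386474-3982792636-3902186748-1000"
HKCU_RUN = "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
HKLM_RUN_WOW = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

EVENTS = [
    {"type": "reg_set", "pid": 2616, "image": SAMPLE, "key": HKCU_RUN,
     "name": "Adobe-OTOIRK", "data": r'"C:\ProgramData\Adobe\Adobe.exe"'},
    {"type": "reg_set", "pid": 2616, "image": SAMPLE, "key": HKLM_RUN_WOW,
     "name": "Adobe-OTOIRK", "data": r'"C:\ProgramData\Adobe\Adobe.exe"'},
    {"type": "set_thread_context", "pid": 2616, "image": SAMPLE,
     "target_pid": 2300, "target_image": SAMPLE},
    {"type": "set_thread_context", "pid": 2924, "image": DROPPED,
     "target_pid": 2660, "target_image": DROPPED},
    # Assumed benign control row (not from the report): installer under Program Files.
    {"type": "reg_set", "pid": 4100, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorUpdater", "data": r'"C:\Program Files\Vendor\updater.exe"'},
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
# Directories a standard user can write to; a Run value pointing there is the
# persistence shape this report shows, not that of a normal installer.
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\")


def suspicious_run_value(ev):
    """Flag Run values whose target executable lives in a user-writable path."""
    if ev["type"] != "reg_set" or not RUN_KEY.search(ev["key"]):
        return None
    target = ev["data"].strip('"')
    if not any(d in target.lower() for d in WRITABLE_DIRS):
        return None
    key = ev["key"].lower()
    return {
        "rule": "run_key_to_writable_dir",
        "pid": ev["pid"],
        "writer": ev["image"],
        "hive": "HKLM" if key.startswith("\\registry\\machine") else "HKCU",
        # A 32-bit process writing HKLM\SOFTWARE on 64-bit Windows is redirected
        # to Wow6432Node; recording it tells you the writer's bitness.
        "wow64_redirected": "\\wow6432node\\" in key,
        "value_name": ev["name"],
        "target": target,
    }


def self_injection(ev):
    """Flag a process setting the thread context of a child that runs its own
    image: the hollowing pattern behind the SetThreadContext/WriteProcessMemory rows."""
    if ev["type"] != "set_thread_context":
        return None
    if ev["image"].lower() != ev["target_image"].lower():
        return None
    return {"rule": "self_injection_via_thread_context", "pid": ev["pid"],
            "target_pid": ev["target_pid"], "image": ev["image"]}


def analyze(events):
    """Run both rules, then correlate: the binary persisted by a Run value is
    itself seen self-injecting, which ties the persistence artefact to the payload."""
    findings = []
    for ev in events:
        for rule in (suspicious_run_value, self_injection):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    persisted = {f["target"].lower() for f in findings
                 if f["rule"] == "run_key_to_writable_dir"}
    injectors = {f["image"].lower() for f in findings
                 if f["rule"] == "self_injection_via_thread_context"}
    for path in sorted(persisted & injectors):
        findings.append({"rule": "persisted_binary_self_injects", "image": path})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

On a real host the same two rules apply to Sysmon Event ID 13 (registry value set) and to EDR thread-context/WriteProcessMemory telemetry; the correlation step is what separates this chain from a single noisy Run-key write.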
Processes
C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe
"C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe"
C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe
"C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe"
C:\ProgramData\Adobe\Adobe.exe
"C:\ProgramData\Adobe\Adobe.exe"
C:\ProgramData\Adobe\Adobe.exe
"C:\ProgramData\Adobe\Adobe.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 104.250.180.178:7902 | | tcp |
| DE | 104.250.180.178:7902 | | tcp |
| DE | 104.250.180.178:7902 | | tcp |
| DE | 104.250.180.178:7902 | | tcp |
| DE | 104.250.180.178:7902 | | tcp |
| DE | 104.250.180.178:7902 | | tcp |
Files
memory/2616-0-0x000000007454E000-0x000000007454F000-memory.dmp
memory/2616-1-0x0000000000FF0000-0x00000000010DE000-memory.dmp
memory/2616-2-0x0000000074540000-0x0000000074C2E000-memory.dmp
memory/2616-3-0x00000000004D0000-0x00000000004EA000-memory.dmp
memory/2616-4-0x0000000000530000-0x000000000053E000-memory.dmp
memory/2616-5-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2616-6-0x00000000050B0000-0x0000000005170000-memory.dmp
memory/2300-7-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2300-9-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2300-17-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2300-15-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2300-13-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2300-11-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2300-10-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2300-25-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2300-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2300-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2300-19-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\Adobe\Adobe.exe
| MD5 | 15c127b849650f0c43f5681f8399a090 |
| SHA1 | efe8542f6e4612a1bddd0f3e29c99f4b70cbc9b3 |
| SHA256 | d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca |
| SHA512 | b3df32ed3caad831ae02bb7ed72d34747f1e76ec505d3a49a2dceef0207acbcd08c5aea4241ec777035b1896c80df084b85807a51a9fa1dbb6750bc547000bf0 |
memory/2924-35-0x0000000074540000-0x0000000074C2E000-memory.dmp
memory/2924-34-0x0000000001220000-0x000000000130E000-memory.dmp
memory/2616-28-0x0000000074540000-0x0000000074C2E000-memory.dmp
memory/2924-36-0x00000000006F0000-0x0000000000706000-memory.dmp
memory/2660-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2660-58-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-56-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2924-59-0x0000000074540000-0x0000000074C2E000-memory.dmp
memory/2660-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-63-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-64-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-65-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-66-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-67-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-68-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-69-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-10 01:44
Reported
2024-08-10 01:45
Platform
win10v2004-20240802-en
Max time kernel
31s
Max time network
41s
Command Line
Signatures
Remcos
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3008 set thread context of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe |
| PID 3088 set thread context of 3092 | N/A | C:\ProgramData\Adobe\Adobe.exe | C:\ProgramData\Adobe\Adobe.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe
"C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe"
C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe
"C:\Users\Admin\AppData\Local\Temp\d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe"
C:\ProgramData\Adobe\Adobe.exe
"C:\ProgramData\Adobe\Adobe.exe"
C:\ProgramData\Adobe\Adobe.exe
"C:\ProgramData\Adobe\Adobe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| DE | 104.250.180.178:7902 | | tcp |
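Most rows in this Network table are not the sample's traffic: the in-addr.arpa entries are PTR lookups via the sandbox resolver for addresses already present in the table (237.197.79.204.in-addr.arpa is 204.79.197.237 reversed), and g.bing.com is background traffic of the Windows 10 image. The only destination attributable to the sample, and the one that also appears in behavioral1, is 104.250.180.178:7902/tcp, a direct connection on a non-standard port with no DNS resolution in front of it. The triage below is an added example, not sandbox output; its input rows are copied from this table, including one row in the report's original misaligned form (Proto shifted into the Domain column). Treating g.bing.com as OS noise and 8.8.8.8 as the sandbox resolver are assumptions of the example.

```python
"""Triage of a sandbox Network table: split sandbox/OS background traffic from
the destination worth blocking. Added example; rows copied from the report."""
import re

ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| DE | 104.250.180.178:7902 | tcp |
| DE | 104.250.180.178:7902 | | tcp |
""".strip().splitlines()

RESOLVERS = {"8.8.8.8"}            # assumption: the sandbox's DNS resolver
OS_NOISE_DOMAINS = {"g.bing.com"}  # assumption: Windows background traffic
COMMON_PORTS = {53, 80, 443}


def parse_row(line):
    """Parse a '| Country | Destination | Domain | Proto |' row, tolerating the
    misaligned form where the Domain cell is absent and Proto shifted left."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells = [c for c in cells if c]
    if len(cells) < 3:
        return None
    country, dest, proto = cells[0], cells[1], cells[-1].lower()
    domain = cells[2] if len(cells) == 4 else ""
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def ptr_to_ip(domain):
    """Turn an in-addr.arpa name back into the IPv4 address it asks about."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", domain, re.IGNORECASE)
    return ".".join(m.groups()[::-1]) if m else None


def classify(row, table_ips):
    d = row["domain"].lower()
    if d.endswith(".in-addr.arpa"):
        # PTR lookups come from the analysis host resolving addresses it has
        # seen, not from the sample; note whether the address is in this table.
        ip = ptr_to_ip(d)
        where = "in table" if ip in table_ips else "not in table"
        return "reverse_lookup", f"PTR for {ip} ({where})"
    if d in OS_NOISE_DOMAINS:
        return "os_noise", d
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "dns_query", d
    reason = "non-standard port" if row["port"] not in COMMON_PORTS else "direct connection"
    return "candidate_c2", f"{row['ip']}:{row['port']}/{row['proto']} ({reason})"


def triage(lines):
    rows = [r for r in map(parse_row, lines) if r]
    table_ips = {r["ip"] for r in rows}
    out = []
    for r in rows:
        cls, note = classify(r, table_ips)
        out.append({**r, "class": cls, "note": note})
    return out


def actionable(lines):
    """Deduplicated (ip, port, proto) tuples that belong on a block/alert list."""
    return {(r["ip"], r["port"], r["proto"])
            for r in triage(lines) if r["class"] == "candidate_c2"}


if __name__ == "__main__":
    for r in triage(ROWS):
        print(f"{r['class']:15} {r['note']}")
    print("actionable:", actionable(ROWS))
```

The PTR decoding is the useful check here: if a reverse lookup maps to an IP already in the table it is the host annotating its own traffic, and if it maps to nothing in the table (232.168.11.51.in-addr.arpa, i.e. 51.11.168.232) it is infrastructure the sandbox talked to without a listed flow, neither of which is evidence against the sample.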
Files
memory/3008-0-0x000000007521E000-0x000000007521F000-memory.dmp
memory/3008-1-0x00000000009C0000-0x0000000000AAE000-memory.dmp
memory/3008-2-0x0000000005A30000-0x0000000005FD4000-memory.dmp
memory/3008-3-0x0000000005520000-0x00000000055B2000-memory.dmp
memory/3008-4-0x00000000054B0000-0x00000000054BA000-memory.dmp
memory/3008-5-0x0000000075210000-0x00000000759C0000-memory.dmp
memory/3008-6-0x0000000005790000-0x00000000057AA000-memory.dmp
memory/3008-7-0x00000000058E0000-0x00000000058EE000-memory.dmp
memory/3008-8-0x00000000058F0000-0x0000000005906000-memory.dmp
memory/3008-9-0x0000000008D40000-0x0000000008E00000-memory.dmp
memory/3008-10-0x0000000008EA0000-0x0000000008F3C000-memory.dmp
memory/4676-12-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4676-11-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4676-14-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4676-16-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3008-15-0x0000000075210000-0x00000000759C0000-memory.dmp
C:\ProgramData\Adobe\Adobe.exe
| MD5 | 15c127b849650f0c43f5681f8399a090 |
| SHA1 | efe8542f6e4612a1bddd0f3e29c99f4b70cbc9b3 |
| SHA256 | d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca |
| SHA512 | b3df32ed3caad831ae02bb7ed72d34747f1e76ec505d3a49a2dceef0207acbcd08c5aea4241ec777035b1896c80df084b85807a51a9fa1dbb6750bc547000bf0 |
memory/3088-29-0x0000000074A2E000-0x0000000074A2F000-memory.dmp
memory/4676-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3088-30-0x0000000074A20000-0x00000000751D0000-memory.dmp
memory/3092-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3092-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3088-37-0x0000000074A20000-0x00000000751D0000-memory.dmp
memory/3092-34-0x0000000000400000-0x0000000000482000-memory.dmp