Analysis Overview
SHA256
de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9
Threat Level: Known bad
The file de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9 was found to be: Known bad.
Malicious Activity Summary
Remcos
Remcos family
UAC bypass
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-12 05:59
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-12 05:59
Reported
2024-08-12 06:02
Platform
win7-20240704-en
Max time kernel
148s
Max time network
146s
Command Line
Signatures
Remcos
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2208 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
| PID 3048 set thread context of 2716 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe
"C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
Files
C:\ProgramData\remcos\logs.dat
| MD5 | 217fba757f2fa02a22b31b6518d3d236 |
| SHA1 | 202708714296dad278c3647bb539b77930dd095a |
| SHA256 | 15dd6d4dcbd3c6455765efaa262ddcb2da6f1f998f67b512c1e24dcc70c7b88f |
| SHA512 | 3189f059b647407fb59dff3da01bf5fec50905c4b99d04e6e2d7efbf16e115c78ae2d458cc016e3cc8e592de82906eb19a890b3120eba92da628fe42e0045538 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-12 05:59
Reported
2024-08-12 06:02
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Remcos
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2560 set thread context of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
| PID 2284 set thread context of 2204 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe
"C:\Users\Admin\AppData\Local\Temp\de06ee1f57bc4475cf0a9a7352b0ca51b31bee6aee54429982a6ab7bdf8795e9.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
| N/A | 192.168.1.252:2404 | N/A | tcp |
Files
C:\ProgramData\remcos\logs.dat
| MD5 | be8b5c3e8ad7421d6c648863d777a618 |
| SHA1 | 4def03839dd0eb8ce6fe702af89049e199bcb137 |
| SHA256 | 673db162f7da9aa5f25cb899e2f377a9d4c293b0a8959a4442e650be94b1c25e |
| SHA512 | 2ea1b8cde5a44bb1dae49f103b39a1b13e23c03344a00935744374241f74d668662d7890ed9dfa4c3ee8fc2546c7ee50ce04fe9303025f1727f67e1451ba1290 |