Analysis Overview
SHA256
d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca
Threat Level: Known bad
The file 15c127b849650f0c43f5681f8399a090N.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 03:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 03:05
Reported
2024-08-13 03:07
Platform
win7-20240708-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Remcos
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2520 set thread context of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe |
| PID 2760 set thread context of 2740 | N/A | C:\ProgramData\Adobe\Adobe.exe | C:\ProgramData\Adobe\Adobe.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe
"C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe"
C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe
"C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe"
C:\ProgramData\Adobe\Adobe.exe
"C:\ProgramData\Adobe\Adobe.exe"
C:\ProgramData\Adobe\Adobe.exe
"C:\ProgramData\Adobe\Adobe.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 104.250.180.178:7902 | | tcp |
| DE | 104.250.180.178:7902 | | tcp |
| DE | 104.250.180.178:7902 | | tcp |
| DE | 104.250.180.178:7902 | | tcp |
| DE | 104.250.180.178:7902 | | tcp |
Files
memory/2520-0-0x00000000744EE000-0x00000000744EF000-memory.dmp
memory/2520-1-0x0000000001180000-0x000000000126E000-memory.dmp
memory/2520-2-0x00000000744E0000-0x0000000074BCE000-memory.dmp
memory/2520-3-0x0000000000450000-0x000000000046A000-memory.dmp
memory/2520-4-0x0000000000470000-0x000000000047E000-memory.dmp
memory/2520-5-0x0000000000480000-0x0000000000496000-memory.dmp
memory/2520-6-0x0000000004DD0000-0x0000000004E90000-memory.dmp
memory/2112-7-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2112-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2112-19-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2112-17-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2112-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2112-15-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2112-13-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2112-11-0x0000000000400000-0x0000000000482000-memory.dmp
\ProgramData\Adobe\Adobe.exe
| MD5 | 15c127b849650f0c43f5681f8399a090 |
| SHA1 | efe8542f6e4612a1bddd0f3e29c99f4b70cbc9b3 |
| SHA256 | d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca |
| SHA512 | b3df32ed3caad831ae02bb7ed72d34747f1e76ec505d3a49a2dceef0207acbcd08c5aea4241ec777035b1896c80df084b85807a51a9fa1dbb6750bc547000bf0 |
memory/2760-33-0x00000000001B0000-0x000000000029E000-memory.dmp
memory/2760-34-0x00000000744E0000-0x0000000074BCE000-memory.dmp
memory/2520-26-0x00000000744E0000-0x0000000074BCE000-memory.dmp
memory/2112-9-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2112-8-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2112-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2760-35-0x0000000001F00000-0x0000000001F16000-memory.dmp
memory/2740-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2740-56-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2740-55-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2740-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2760-58-0x00000000744E0000-0x0000000074BCE000-memory.dmp
memory/2740-59-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2740-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2740-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2740-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2740-63-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2740-64-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2740-65-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2740-66-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 03:05
Reported
2024-08-13 03:07
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Remcos
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
| N/A | N/A | C:\ProgramData\Adobe\Adobe.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\"" | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4536 set thread context of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe |
| PID 1432 set thread context of 4524 | N/A | C:\ProgramData\Adobe\Adobe.exe | C:\ProgramData\Adobe\Adobe.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Adobe\Adobe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Adobe\Adobe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe
"C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe"
C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe
"C:\Users\Admin\AppData\Local\Temp\15c127b849650f0c43f5681f8399a090N.exe"
C:\ProgramData\Adobe\Adobe.exe
"C:\ProgramData\Adobe\Adobe.exe"
C:\ProgramData\Adobe\Adobe.exe
"C:\ProgramData\Adobe\Adobe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 104.250.180.178:7902 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 104.250.180.178:7902 | | tcp |
| DE | 104.250.180.178:7902 | | tcp |
| DE | 104.250.180.178:7902 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 104.250.180.178:7902 | | tcp |
Files
memory/4536-0-0x0000000074FAE000-0x0000000074FAF000-memory.dmp
memory/4536-1-0x00000000006C0000-0x00000000007AE000-memory.dmp
memory/4536-2-0x00000000057F0000-0x0000000005D94000-memory.dmp
memory/4536-3-0x0000000005180000-0x0000000005212000-memory.dmp
memory/4536-4-0x0000000005250000-0x000000000525A000-memory.dmp
memory/4536-5-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/4536-6-0x00000000057C0000-0x00000000057DA000-memory.dmp
memory/4536-7-0x0000000006480000-0x000000000648E000-memory.dmp
memory/4536-8-0x0000000006490000-0x00000000064A6000-memory.dmp
memory/4536-9-0x0000000008A30000-0x0000000008AF0000-memory.dmp
memory/4536-10-0x0000000008B90000-0x0000000008C2C000-memory.dmp
memory/376-11-0x0000000000400000-0x0000000000482000-memory.dmp
memory/376-12-0x0000000000400000-0x0000000000482000-memory.dmp
memory/376-14-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4536-16-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/376-15-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\Adobe\Adobe.exe
| MD5 | 15c127b849650f0c43f5681f8399a090 |
| SHA1 | efe8542f6e4612a1bddd0f3e29c99f4b70cbc9b3 |
| SHA256 | d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca |
| SHA512 | b3df32ed3caad831ae02bb7ed72d34747f1e76ec505d3a49a2dceef0207acbcd08c5aea4241ec777035b1896c80df084b85807a51a9fa1dbb6750bc547000bf0 |
memory/376-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1432-29-0x000000007406E000-0x000000007406F000-memory.dmp
memory/1432-30-0x0000000074060000-0x0000000074810000-memory.dmp
memory/4524-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-34-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1432-37-0x0000000074060000-0x0000000074810000-memory.dmp
memory/4524-38-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-39-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-40-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-42-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4524-45-0x0000000000400000-0x0000000000482000-memory.dmp