Analysis Overview
SHA256
02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688
Threat Level: Known bad
The file 1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe was found to be: Known bad.
Malicious Activity Summary
Remcos family
Remcos
Detected Nirsoft tools
NirSoft MailPassView
Credentials from Password Stores: Credentials from Web Browsers
NirSoft WebBrowserPassView
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 07:05
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 07:05
Reported
2024-08-13 07:07
Platform
win7-20240708-en
Max time kernel
147s
Max time network
143s
Command Line
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe"
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe /stext "C:\Users\Admin\AppData\Local\Temp\tojnxakhyyvltpwdjz"
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe /stext "C:\Users\Admin\AppData\Local\Temp\diofxkujtgnqwvspakypd"
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe /stext "C:\Users\Admin\AppData\Local\Temp\gkuqycfdhofdgjgtjvljgpkmz"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | serversw.duckdns.org | udp |
| US | 135.148.195.248:6875 | serversw.duckdns.org | tcp |
| US | 135.148.195.248:6875 | serversw.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/2704-9-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2896-8-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2896-7-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2972-6-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2972-2-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2704-17-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2896-16-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2896-15-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2704-14-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2896-13-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2704-12-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2972-4-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2972-10-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2704-20-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2972-25-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tojnxakhyyvltpwdjz
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2896-31-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3000-32-0x0000000010000000-0x0000000010019000-memory.dmp
memory/3000-36-0x0000000010000000-0x0000000010019000-memory.dmp
memory/3000-35-0x0000000010000000-0x0000000010019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nert\logs.dat
| MD5 | adc06264a248f00626c98b414e3b8592 |
| SHA1 | 8220ea90128d0a23a4c25f764a1466014086e3dc |
| SHA256 | b930bc0b0f33c9e67d4f3def284ccaa2bc877e129307522a57552d74ad0dbf9c |
| SHA512 | 6b3ed62743bf8749987040a04871654c7a54924f421012df18083e89c15458dcd87ed27a554850a3d7b9116bd846ec797393e55ee724d1b047ae5bfd79dcd560 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 07:05
Reported
2024-08-13 07:07
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
143s
Command Line
Signatures
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe"
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe /stext "C:\Users\Admin\AppData\Local\Temp\zwrnojikvdpoqwdjmozhqvszuizhhaijs"
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe /stext "C:\Users\Admin\AppData\Local\Temp\kqxgh"
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe
C:\Users\Admin\AppData\Local\Temp\1723532645c07b15c8e32eb5cfbedd5867a24a5c4846fc73caca1f402dd197c798ee584599595.dat-decoded.exe /stext "C:\Users\Admin\AppData\Local\Temp\uscziudfx"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | serversw.duckdns.org | udp |
| US | 135.148.195.248:6875 | serversw.duckdns.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 135.148.195.248:6875 | serversw.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.195.148.135.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/4744-1-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1636-5-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4744-6-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1636-3-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4540-7-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1636-11-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4744-17-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4744-16-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4540-14-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1636-13-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4540-12-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4540-10-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4540-9-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4744-25-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zwrnojikvdpoqwdjmozhqvszuizhhaijs
| MD5 | c0ab2847671ed5375328c5127a02cc72 |
| SHA1 | dc2bcb51562fb17e5c8787833bc0181d88a5b75e |
| SHA256 | e961f466a0638bc99182d0056245e2d8bf1ccc13a189b802aada981f379e2384 |
| SHA512 | 0b8b634d21ac71e02cef86687bf84b6fcecfd24dafab8130f42ce8b4b3f308a2e1b1fa7bf8d37f2eda76efae2b30b8d39f41d808d771562d8545ed144241924f |
memory/436-32-0x0000000010000000-0x0000000010019000-memory.dmp
memory/436-29-0x0000000010000000-0x0000000010019000-memory.dmp
memory/436-33-0x0000000010000000-0x0000000010019000-memory.dmp
memory/436-34-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nert\logs.dat
| MD5 | 5d7da4f83fe0500f6d83e7af5f51fbd9 |
| SHA1 | 42413de541e855ce55851aef1925149e20f7900f |
| SHA256 | acae286a52dd7f9d63023fd7284ca7de9decefe8faa97cdf40557816af162838 |
| SHA512 | a414bb799ce6e11891775386870b49af7cc48593a4ad9d8053c40822fb785901f3b7896a2ed0e6b35580d24656aaed72b8bc30a2945f09260f9ae7f902ee3ec3 |
memory/436-39-0x0000000000400000-0x0000000000482000-memory.dmp