Analysis Overview
SHA256
02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688
Threat Level: Known bad
The file 02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688 was found to be: Known bad.
Malicious Activity Summary
Remcos family
Remcos
NirSoft WebBrowserPassView
Detected Nirsoft tools
Credentials from Password Stores: Credentials from Web Browsers
NirSoft MailPassView
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 07:07
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 07:07
Reported
2024-08-13 07:10
Platform
win7-20240708-en
Max time kernel
147s
Max time network
141s
Command Line
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2528 set thread context of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe |
| PID 2528 set thread context of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe |
| PID 2528 set thread context of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe
"C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe"
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe /stext "C:\Users\Admin\AppData\Local\Temp\jwdytjvyzomzo"
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe /stext "C:\Users\Admin\AppData\Local\Temp\tyrqlcganweercej"
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe /stext "C:\Users\Admin\AppData\Local\Temp\eswbmurujexjbiavemo"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | serversw.duckdns.org | udp |
| US | 135.148.195.248:6875 | serversw.duckdns.org | tcp |
| US | 135.148.195.248:6875 | serversw.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/2252-2-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2456-1-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2900-9-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2900-15-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2252-14-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2900-13-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2456-12-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2900-11-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2900-18-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2252-8-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2456-7-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2456-4-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2252-6-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2456-23-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jwdytjvyzomzo
| Hash | Value |
| --- | --- |
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2252-29-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2528-30-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2528-33-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2528-34-0x0000000010000000-0x0000000010019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nert\logs.dat
| Hash | Value |
| --- | --- |
| MD5 | 128365401aa4f2ef95f3d72b61443afb |
| SHA1 | d3d39dec70a1dd2ad82038fd9a1c390569b319d9 |
| SHA256 | 63415296ea348d8b08edf6f872653be4af9a66bcb3fe9d8fae0896f50e6be9f8 |
| SHA512 | a9e41231e7669cfebae5261f83ce1467619c4f199b7ce352821880467132af38470208ea65aa2ab0071d54c6614feebb995051d9f24553c2ad5faecb3c701c15 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 07:07
Reported
2024-08-13 07:10
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
132s
Command Line
Signatures
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4344 set thread context of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe |
| PID 4344 set thread context of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe |
| PID 4344 set thread context of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe
"C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe"
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe /stext "C:\Users\Admin\AppData\Local\Temp\quisspqiczlddbhzaubioktoxsct"
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe /stext "C:\Users\Admin\AppData\Local\Temp\awnksiajyhdqghvdjfwkrxffgzmutiiw"
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe
C:\Users\Admin\AppData\Local\Temp\02008689c84d7a0d37007710998077ffdf9bca35af2282ed74a41d0259c44688.exe /stext "C:\Users\Admin\AppData\Local\Temp\cqav"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | serversw.duckdns.org | udp |
| US | 135.148.195.248:6875 | serversw.duckdns.org | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.195.148.135.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 135.148.195.248:6875 | serversw.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/3044-3-0x0000000000400000-0x0000000000462000-memory.dmp
memory/5036-1-0x0000000000400000-0x0000000000478000-memory.dmp
memory/5036-9-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2760-10-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3044-20-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3044-19-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3044-24-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2760-15-0x0000000000400000-0x0000000000424000-memory.dmp
memory/5036-13-0x0000000000400000-0x0000000000478000-memory.dmp
memory/5036-12-0x0000000000400000-0x0000000000478000-memory.dmp
memory/5036-5-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2760-11-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2760-7-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3044-6-0x0000000000400000-0x0000000000462000-memory.dmp
memory/5036-26-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\quisspqiczlddbhzaubioktoxsct
| Hash | Value |
| --- | --- |
| MD5 | a7e181f6aa185be0ab0ca68b30406fe6 |
| SHA1 | 58c86162658dc609615b8b6400f85c92506dfdc8 |
| SHA256 | c3071dc55b94db225d9c0f2c1b21c7e8f27dbfd168b85b7d618d8d19950e7ff2 |
| SHA512 | 49969eb10e0bf7925940eb7374451f811658ef9ccfb83b86fb337c4d06c3ba17eb0181f598d9e0ec9ca25bfaf644209ac47b73d62ac924e73d03a4dcf8f8dd0f |
memory/4344-29-0x0000000010000000-0x0000000010019000-memory.dmp
memory/4344-33-0x0000000010000000-0x0000000010019000-memory.dmp
memory/4344-32-0x0000000010000000-0x0000000010019000-memory.dmp
memory/4344-34-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4344-35-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nert\logs.dat
| Hash | Value |
| --- | --- |
| MD5 | 0a5991f701aa2d19ce1beba959860b3b |
| SHA1 | feaf5014c24517476f055c071024f31077d9b037 |
| SHA256 | 4dd59ac1429046bd5b7182bab23c1a842ce6ee896dc90cc8fc1628bfe73c59a9 |
| SHA512 | 1cadcd971fe7dfafa9897599d482fe405b58b931664a946174d8eca17841dd517543435e0c169627d073f7644aa0f40b80319eee6d99ce9a58bbbdfe23312859 |
memory/4344-41-0x0000000000400000-0x0000000000482000-memory.dmp