Analysis Overview
SHA256
65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9
Threat Level: Known bad
The file 65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Command and Scripting Interpreter: PowerShell
Uses the VBS compiler for execution
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 01:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 01:19
Reported
2024-08-15 01:22
Platform
win7-20240708-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2352 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe
"C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hIGcKBg.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hIGcKBg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA4B8.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ghost360.zapto.org | udp |
| NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | e42664b753454e46fae5cb737bc9e3e1 |
| SHA1 | 27d79fd705c3e615aa4f6ead771cdaf922dead81 |
| SHA256 | 17ffbbcaa679b581d56fd19170608e5b22fd8a7b6f3ae3cdd52cc7ff4f3431ca |
| SHA512 | fffcaeafa6745fed60b6378900346d26122ef6582c33e76fc9f7e998df467e880c06f69d4fc85e9d99fed16c3a087c322dc4849c522b17d0742faf99b31c96cd |
C:\Users\Admin\AppData\Local\Temp\tmpA4B8.tmp
| MD5 | 4e2b41165ccb0bcb9e07b8e6e3c383c3 |
| SHA1 | 6f7abde67166122fd353662f3b0afa538a9c31b9 |
| SHA256 | 697d482b588c6ad0d2dd97dd64b4133cd6499c4deb1c9ac554d1cf27286a67ca |
| SHA512 | cdba8afe86d0044ce047d61125dc5d75c044d0333d3a3c187412f2b82f758c1fa4bac69efd827aaf2bfd2616936452ca327d516b6a89f9bb94e4fcf3036cde04 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 01:19
Reported
2024-08-15 01:22
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2352 set thread context of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe
"C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hIGcKBg.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hIGcKBg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD47.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ghost360.zapto.org | udp |
| NL | 45.66.231.219:4190 | ghost360.zapto.org | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bi3plqm5.hwi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\tmpAD47.tmp
| MD5 | 4ea3c8343528dd35ff30ec75e8c13adc |
| SHA1 | 5521edc9e2a0feb83777706026f80439d8f66bdc |
| SHA256 | f2eba2b381122c90b6d20f5a047f9c45120e53e8dfebc9c19af9c2246e24a356 |
| SHA512 | 899c2d63dba0425939850026adcc2c05b8f090b534ad4bb649688aca8af5f9bcf38f6c858918e8dc196a84baca937e8be8d2d0358f9d3da2a96ea6bfaed5e217 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1258f46ccfc7b97bc472a9f9975ecb9d |
| SHA1 | 07827f5e6b4a0ed72d17aacb506535f4f406a479 |
| SHA256 | f785b51789835b87001dba882fee479e9e3fb351c6bdf97c076bb3d37a0e6738 |
| SHA512 | eb9aa3f524cf65b593e0323ac06635ad445f34f2f9c3d182560d653d208250b77e2535a8220e3916fb2717d3184bf876414273980fab16e84d791d54fadfdc26 |