Malware Analysis Report

2025-01-02 03:05

Sample ID 240815-edb1hatana
Target 9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030_payload.exe
SHA256 230763e5035c2f42d9eefcbe525b5d70f688bca4d279ffee4a94d37a3253747f
Tags
remotehost remcos discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

230763e5035c2f42d9eefcbe525b5d70f688bca4d279ffee4a94d37a3253747f

Threat Level: Known bad

The file 9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030_payload.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos discovery

Remcos family

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 03:49

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 03:49

Reported

2024-08-15 03:51

Platform

win7-20240705-en

Max time kernel

147s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030_payload.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030_payload.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030_payload.exe

"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030_payload.exe"

Network

Country Destination Domain Proto
US 212.162.149.42:7118 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 03:49

Reported

2024-08-15 03:51

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030_payload.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030_payload.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030_payload.exe

"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030_payload.exe"

Network

Country Destination Domain Proto
US 212.162.149.42:7118 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 42.149.162.212.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A