Analysis Overview
SHA256
4eaacedcb5c204340fb5b45bbf5b625f8951efdb4a4035b9b621d07880bd0002
Threat Level: Known bad
The file SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 08:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 08:32
Reported
2024-08-16 08:34
Platform
win7-20240704-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2544 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | magaji.duckdns.org | udp |
| MY | 103.186.117.57:2404 | magaji.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/2544-0-0x00000000745EE000-0x00000000745EF000-memory.dmp
memory/2544-1-0x0000000000900000-0x0000000000A02000-memory.dmp
memory/2544-2-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2544-3-0x0000000005B90000-0x0000000005C82000-memory.dmp
memory/2544-4-0x00000000003C0000-0x00000000003DE000-memory.dmp
memory/2544-5-0x00000000745EE000-0x00000000745EF000-memory.dmp
memory/2544-6-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2544-7-0x0000000000430000-0x0000000000446000-memory.dmp
memory/2544-8-0x0000000000580000-0x0000000000640000-memory.dmp
memory/2484-10-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-9-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-19-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-21-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2484-16-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-15-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-14-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-12-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-13-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-11-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2544-27-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2484-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-29-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-30-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-31-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-37-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-38-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 9b0461db3d4b2a0439050be05bb47e4f |
| SHA1 | eed97e78e09ed7af0ac45469cf76d565c9230cd3 |
| SHA256 | abc9b6b912fbaaa118ee03a6cfdd8a6a575b3c1f78a81d523cd1b71386c990ce |
| SHA512 | e490c67ac6679328c2473a3270d3800a84a7184a05255c79bb3018fb012fe785b775d0e9da5dfa1b471dd68ea4e69da1754609734e11c9af21b81b3c15cb4bc8 |
memory/2484-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-46-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-53-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-69-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2484-70-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 08:32
Reported
2024-08-16 08:34
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 216 set thread context of 3136 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.3021.26937.12766.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | magaji.duckdns.org | udp |
| MY | 103.186.117.57:2404 | magaji.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 57.117.186.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/216-0-0x0000000074E0E000-0x0000000074E0F000-memory.dmp
memory/216-1-0x0000000000810000-0x0000000000912000-memory.dmp
memory/216-2-0x00000000058F0000-0x0000000005E94000-memory.dmp
memory/216-3-0x0000000005340000-0x00000000053D2000-memory.dmp
memory/216-5-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/216-4-0x0000000005300000-0x000000000530A000-memory.dmp
memory/216-6-0x00000000055E0000-0x000000000567C000-memory.dmp
memory/216-7-0x00000000080E0000-0x00000000081D2000-memory.dmp
memory/216-8-0x00000000058C0000-0x00000000058DE000-memory.dmp
memory/216-9-0x0000000074E0E000-0x0000000074E0F000-memory.dmp
memory/216-10-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/216-11-0x00000000058E0000-0x00000000058F6000-memory.dmp
memory/216-12-0x000000000A620000-0x000000000A6E0000-memory.dmp
memory/3136-13-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-14-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-16-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-17-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-21-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-18-0x0000000000400000-0x0000000000482000-memory.dmp
memory/216-22-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/3136-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-25-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-31-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-32-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-33-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 58fdb7e002e268cac58791febeb3fade |
| SHA1 | dc85e71bb57ac901eb79e8dc4723b823fca8627f |
| SHA256 | e160293481755f25bcf306141b22af46fdab008076b4c3d782f8b228d731ae12 |
| SHA512 | c0ca83158826cf7cc03cae3add29feb76ccb08fe97f24bba1213e3952001d29bf06745c60ccbcb0f83ec42fa52ec63fd27f953a1f53580962b4ad52a9c0aadcb |
memory/3136-40-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-48-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-56-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-64-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3136-65-0x0000000000400000-0x0000000000482000-memory.dmp