Analysis Overview
SHA256
06143ca53b8647a8091f968f56c3fd1d9129e597aeb8d92f402c5c3c0089c88c
Threat Level: Known bad
The file 06143ca53b8647a8091f968f56c3fd1d9129e597aeb8d92f402c5c3c0089c88c was found to be: Known bad.
Malicious Activity Summary
Remcos
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 10:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 10:52
Reported
2024-08-16 10:55
Platform
win7-20240705-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3040 set thread context of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CqcHNIR.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CqcHNIR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58AB.tmp"
C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"
C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 212.162.149.42:7118 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 733c5eb5c4bfe5cad63bd73ce0206941 |
| SHA1 | e8677d809317e466788496b9651d9a741773884e |
| SHA256 | 464efb62a7fbfc56c232db5f9daa4d82381a0e6ffd3ca1224e4520edb67d1783 |
| SHA512 | 909bd3210934306143a1e7a102287ec60d047827150802ea10cb840c6c1301b32f13df4ace11ed9efbb7a3439d4022f065a66c1b92479c1f8134ae831984f222 |
C:\Users\Admin\AppData\Local\Temp\tmp58AB.tmp
| MD5 | 54691e245d55a1c5016aecf27062f6d8 |
| SHA1 | e97bc566bf9270d02a43fd763b3f1e6b8f37673e |
| SHA256 | 8ec546d595546c776755a0a71c4ed61351dfca33fa658c77e6e20adb605d5b69 |
| SHA512 | 27073c1e24a7e369fce18395cc7936efa906baec9332627a683062af1b0ea2d525323679480380207924e059695c435e34e74da887f175b070350dd95cafd966 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 10:52
Reported
2024-08-16 10:55
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
159s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3152 set thread context of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CqcHNIR.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CqcHNIR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF52D.tmp"
C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe
"C:\Users\Admin\AppData\Local\Temp\9ac1813552dfe8f0ffa0197e74c453e4cca936ff667066628a03fe7bcfc69030.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 212.162.149.42:7118 | | tcp |
| US | 8.8.8.8:53 | 42.149.162.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpF52D.tmp
| MD5 | e62ca9bcb91670073a4a40027b002ec7 |
| SHA1 | 7e16482b6ac970b1bf21dd7f5b7bb70c60ba6f42 |
| SHA256 | 282f6d3b0e662ff4ca27fdaff198614650425b4ae4514b41e4baaee4a9c16100 |
| SHA512 | 4175c28585f85a909df8463a4acf636b3eca0d7c6a030b22abf174e7d91294fcf76b6d62b118c6f7fb1e9777e689e52be943332a946e202a325b6a7b2e9e636d |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4w043ew.slb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 571aa8ebdaba4a41ea4f6d0c594aa5f8 |
| SHA1 | f2ad6dfee4528d6db8045962e2a113a306bd4517 |
| SHA256 | ae583a0f6cf875e4ae4af7547c65303e9607791fadffb6b9bf773bcbd2c615c5 |
| SHA512 | 23d283622d8cfe6a073103f703cefac5776e81989b41fa3008a052f8d9401412b2149239d269ec14f080d4ecd680780ace305eb795d2929c718529942b8559d3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |