365a7e6b041a733d992488fbd11d3a06ce19de1a94c11a16f5cc8f287b7c3011

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 01:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe
Size

482KB
MD5

ccab8be1b5d0ec4ede3ecb02a9551180
SHA1

f170b1ad7d2aaee7d81c820d5a9d20877b7cca9c
SHA256

49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc
SHA512

c2861c1cd105a8682926671beb0b622ca8c536e6c94f96876c96aecd794aabaa15c01fedb3e66210246d15096836e2f1cecf878a336fa8029c9ac07c39f508e4
SSDEEP

6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4cr2T4:bTlrYw1RUh3NFn+N5WfIQIjbs/Zm5T4

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2880	49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe

C:\Users\Admin\AppData\Local\Temp\49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe
"C:\Users\Admin\AppData\Local\Temp\49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2880

Network

DNS

closen.kozow.com

49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe

Remote address:

8.8.8.8:53

Request

closen.kozow.com

IN A

Response

closen.kozow.com

IN A

192.3.101.17
DNS

17.101.3.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.101.3.192.in-addr.arpa

IN PTR

Response

17.101.3.192.in-addr.arpa

IN PTR

192-3-101-17-hostcolocrossingcom
DNS

geoplugin.net

49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Mon, 09 Sep 2024 01:34:47 GMT
server: Apache
content-length: 955
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

50.33.237.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.33.237.178.in-addr.arpa

IN PTR

Response

50.33.237.178.in-addr.arpa

IN CNAME

50.32/27.178.237.178.in-addr.arpa
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

192.3.101.17:2404

closen.kozow.com

49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe

4.6kB
932 B
17
18
178.237.33.50:80

http://geoplugin.net/json.gp

http

49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe

623 B
1.3kB
12
3

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200

8.8.8.8:53

closen.kozow.com

dns

49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe

62 B
78 B
1
1

DNS Request

closen.kozow.com

DNS Response

192.3.101.17
8.8.8.8:53

17.101.3.192.in-addr.arpa

dns

71 B
119 B
1
1

DNS Request

17.101.3.192.in-addr.arpa
8.8.8.8:53

geoplugin.net

dns

49630168d264eaf442a51ac629b22598afb6d9e127a7c2313f5fa13be41c95dc.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

50.33.237.178.in-addr.arpa

dns

72 B
155 B
1
1

DNS Request

50.33.237.178.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

360 B
158 B
5
1

DNS Request

19.229.111.52.in-addr.arpa

DNS Request

19.229.111.52.in-addr.arpa

DNS Request

19.229.111.52.in-addr.arpa

DNS Request

19.229.111.52.in-addr.arpa

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
18d2db63a5b71f8414d10a119386a4b1

SHA1
354b9a8f4237b7149f122197ec64f518ffe1cfcc

SHA256
cc65c6f3de5f2c0a7bffebf2dca5de0e31072186ac3980c921dda69be2a88c4b

SHA512
226cb01354a41da316a93d49c0e918175063778a865d7c66ff5aefe76c37ef4b2fd6d4c3c03447a933d587e0d9f11007a1846998c9774e08ab6baf8bb2146e8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.