Analysis Overview
SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
Threat Level: Known bad
The file Remcos 2022.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-28 01:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-28 01:00
Reported
2024-09-28 01:01
Platform
win7-20240903-en
Max time kernel
17s
Max time network
17s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos 2022.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
Network
Files
memory/2400-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp
memory/2400-1-0x0000000001150000-0x00000000022FE000-memory.dmp
memory/2400-2-0x0000000074B80000-0x000000007526E000-memory.dmp
memory/2400-3-0x000000000D560000-0x000000000E6E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
| MD5 | efc159c7cf75545997f8c6af52d3e802 |
| SHA1 | b85bd368c91a13db1c5de2326deb25ad666c24c1 |
| SHA256 | 898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e |
| SHA512 | d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d |
\Users\Admin\AppData\Local\Temp\taskhost.exe
| MD5 | 9af17c8393f0970ee5136bd3ffa27001 |
| SHA1 | 4b285b72c1a11285a25f31f2597e090da6bbc049 |
| SHA256 | 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019 |
| SHA512 | b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3 |
memory/2400-33-0x0000000074B8E000-0x0000000074B8F000-memory.dmp
memory/2400-34-0x0000000074B80000-0x000000007526E000-memory.dmp
memory/2400-35-0x0000000074B80000-0x000000007526E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-28 01:00
Reported
2024-09-28 01:01
Platform
win10v2004-20240802-en
Max time kernel
36s
Max time network
40s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4324 set thread context of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege, privilege LUID 33) | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege, privilege LUID 33) | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe"
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos 2022.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
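The process tree above contains the whole installation chain in plain command lines: the sample copies itself into "%temp%\Profile Remcos", registers an autostart under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load (note the value points at an Update_Lock_Remcos.exe.lnk that does not appear among the dropped files, while the copy created the .exe), writes a hand-made Zone.Identifier stream with ZoneID 2 (the Trusted Sites zone; a genuine stream puts [ZoneTransfer] and ZoneId= on separate lines), drops a taskhost.exe into %temp% that borrows a Windows system file name, and adds a legacy netsh firewall exemption for it. The "Netsh Helper DLL" signature further up is netsh.exe reading its own helper list in HKLM\SOFTWARE\Microsoft\NetSh (the process column is netsh.exe and the operations are open/query/enumerate); the actionable event is the allowedprogram rule. The following detection pass is an added example written for this page, not part of the sandbox report or of Remcos; it runs over (image, command line) pairs as a Sysmon Event ID 1 or Security 4688 feed would supply them, with the report's behavioral2 tree embedded as constructed sample input. It also recognises the newer "netsh advfirewall firewall add rule ... program=" form, which the report itself does not show, and the rule names, the system-binary list and the dynamic-path heuristics are the example's own assumptions.

```python
"""Detection pass over process-creation events for the behaviours in this report:
self-copy into %temp%, the Windows\\Load autostart value, a hand-written
Zone.Identifier stream, a dropped binary using a Windows system file name, and a
netsh firewall exemption for it. Example code, not the report's or Remcos's own."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the behavioral2 process tree from this report, with the
# repeated taskhost.exe launches collapsed to one.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Remcos 2022.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"'),
    (r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos 2022.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f'),
    (r"C:\Windows\SysWOW64\reg.exe",
     r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier'),
    (r"C:\Users\Admin\AppData\Local\Temp\taskhost.exe", r'"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"'),
    (r"C:\Windows\SysWOW64\netsh.exe",
     r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE'),
]

# Assumption: paths under the user profile or %temp% count as user-writable staging.
USER_WRITABLE = re.compile(r"%(?:temp|tmp|appdata|localappdata)%|\\Users\\[^\\]+\\AppData\\", re.I)
# Assumption: a short list of Windows binary names worth checking for masquerading.
SYSTEM_NAMES = {"taskhost.exe", "taskhostw.exe", "svchost.exe", "csrss.exe",
                "lsass.exe", "explorer.exe", "dllhost.exe", "conhost.exe"}
# URLZONE values as Windows defines them.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}

QUOTED_OR_BARE = r'(?:"(?P<q>[^"]+)"|(?P<u>\S+))'
COPY_RE = re.compile(r'\bcopy\s+(?:"[^"]+"|\S+)\s+' + QUOTED_OR_BARE, re.I)
LOAD_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?P<key>HK\w+\\[^"]*?Windows NT\\CurrentVersion\\Windows)"?'
    r'.*?/v\s+(?P<value>Load|Run)\b.*?/d\s+' + QUOTED_OR_BARE, re.I)
ADS_RE = re.compile(r'>\s*(?P<target>.+?):Zone\.Identifier\b', re.I)
ZONE_RE = re.compile(r'ZoneId\s*=\s*(?P<zone>\d+)', re.I)
NETSH_RE = re.compile(
    r'\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram\s+(?:program=)?'
    r'|advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=)' + QUOTED_OR_BARE, re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def _pick(m: "re.Match[str]") -> str:
    return m.group("q") or m.group("u")


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def parse_zone_write(cmd: str) -> Optional[Tuple[str, Optional[int]]]:
    """(target file, ZoneId) when a command redirects output into a Zone.Identifier
    stream; ZoneId is None when the payload carries no ZoneId= at all."""
    m = ADS_RE.search(cmd)
    if not m:
        return None
    z = ZONE_RE.search(cmd)
    return m.group("target").strip(), (int(z.group("zone")) if z else None)


def is_masquerade(image: str) -> bool:
    """A Windows system file name launched from outside C:\\Windows."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_NAMES and not image.lower().startswith("c:\\windows\\")


def analyze(events: List[Tuple[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for image, cmd in events:
        m = COPY_RE.search(cmd)
        if m and is_user_writable(_pick(m)):
            findings.append(Finding("COPY_TO_USER_DIR", image, _pick(m)))
        m = LOAD_RE.search(cmd)
        if m:
            data = _pick(m)
            tag = " [user-writable]" if is_user_writable(data) else ""
            findings.append(Finding("REG_WINDOWS_LOAD", image,
                                    f"{m.group('key')}\\{m.group('value')} = {data}{tag}"))
        zw = parse_zone_write(cmd)
        if zw:
            target, zone = zw
            findings.append(Finding("ADS_ZONE_WRITE", image,
                                    f"{target} ZoneId={zone} ({ZONE_NAMES.get(zone, 'unknown')})"))
        m = NETSH_RE.search(cmd)
        if m:
            prog = _pick(m)
            tag = " [user-writable]" if is_user_writable(prog) else ""
            findings.append(Finding("NETSH_ALLOWEDPROGRAM", image, prog + tag))
        if is_masquerade(image):
            findings.append(Finding("MASQUERADE", image, "system binary name outside C:\\Windows"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:<22} {f.image}\n{'':<22} {f.detail}")
```

Run against the sample it reports six findings: the staging copy, both Load registrations (cmd wrapper and reg.exe), the Zone.Identifier write resolved to Trusted Sites, the misplaced taskhost.exe, and the firewall exemption for a user-writable path. On a live feed, pair REG_WINDOWS_LOAD with a check that the referenced file exists; here the .lnk target never appears in the dropped-files list.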
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dllsys.duckdns.org | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | breakingsec02.co.nf | udp |
| US | 199.59.243.227:80 | breakingsec02.co.nf | tcp |
| US | 199.59.243.227:80 | breakingsec02.co.nf | tcp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
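Most rows in the network table are DNS traffic to 8.8.8.8, and most of those are reverse (PTR) lookups, which read like domains but are really addresses the host was trying to name. Two forward names were queried and then connected to: dllsys.duckdns.org, which resolved to 84.220.8.178 and was contacted on tcp/3202, and breakingsec02.co.nf on 199.59.243.227:80; the 227.243.59.199.in-addr.arpa lookup is the PTR for that same 199.59.243.227. The following helper is an added example written for this page, not output of the sandbox: it parses the table as printed above (embedded as constructed sample input), decodes PTR names back into addresses so they are not mistaken for C2 domains, de-duplicates connections, and flags what a responder checks first. The dynamic-DNS suffix list and the set of "common" ports are the example's own assumptions.

```python
"""Turn the sandbox Network table into triage IOCs: separate resolver traffic from
real connections, decode reverse (PTR) lookups into the addresses being named, and
flag dynamic-DNS hosts, unusual ports and destinations the host also PTR-resolved.
Example code written for this page, not the sandbox's own."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the behavioral2 Network table from this report, verbatim.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dllsys.duckdns.org | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | breakingsec02.co.nf | udp |
| US | 199.59.243.227:80 | breakingsec02.co.nf | tcp |
| US | 199.59.243.227:80 | breakingsec02.co.nf | tcp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
"""

# Assumption: a short list of free dynamic-DNS suffixes; extend for your environment.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".no-ip.org", ".ddns.net", ".hopto.org")
# Assumption: ports that do not by themselves merit a flag.
COMMON_PORTS = {53, 80, 443}
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def parse_rows(table: str) -> List[Dict[str, str]]:
    """Parse the pipe-delimited table into dicts keyed by the lower-cased header."""
    lines = [ln for ln in table.splitlines() if ln.strip().startswith("|")]
    header = [c.strip().lower() for c in lines[0].strip().strip("|").split("|")]
    return [dict(zip(header, [c.strip() for c in ln.strip().strip("|").split("|")]))
            for ln in lines[1:]]


def ptr_to_ip(name: str) -> Optional[str]:
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133'; None for forward names."""
    m = PTR_RE.match(name.strip())
    return ".".join(reversed(m.groups())) if m else None


def split_dest(dest: str) -> Tuple[str, int]:
    ip, _, port = dest.rpartition(":")
    return ip, int(port)


def summarize(rows: List[Dict[str, str]]) -> Dict[str, object]:
    lookups: List[str] = []    # forward names the sample asked the resolver for
    ptr_ips: List[str] = []    # addresses the host tried to name via PTR
    connections: List[Dict[str, object]] = []
    seen = set()
    for r in rows:
        ip, port = split_dest(r["destination"])
        proto, domain = r["proto"].lower(), r["domain"]
        if proto == "udp" and port == 53:          # resolver traffic, not a contact
            rev = ptr_to_ip(domain)
            if rev:
                if rev not in ptr_ips:
                    ptr_ips.append(rev)
            elif domain not in lookups:
                lookups.append(domain)
            continue
        key = (domain, ip, port, proto)
        if key in seen:
            continue
        seen.add(key)
        connections.append({"domain": domain, "ip": ip, "port": port, "proto": proto,
                            "country": r["country"], "flags": []})
    for c in connections:
        flags = c["flags"]
        if str(c["domain"]).lower().endswith(DYNAMIC_DNS_SUFFIXES):
            flags.append("dynamic-dns")
        if c["port"] not in COMMON_PORTS:
            flags.append("non-standard-port")
        if c["ip"] in ptr_ips:                     # host also asked who this address is
            flags.append("ptr-looked-up")
    return {"lookups": lookups, "ptr_ips": ptr_ips, "connections": connections}


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_TABLE))
    print("forward lookups:", ", ".join(s["lookups"]))
    print("PTR-resolved addresses:", ", ".join(s["ptr_ips"]))
    for c in s["connections"]:
        print(f"{c['domain']} -> {c['ip']}:{c['port']}/{c['proto']} [{c['country']}] {c['flags']}")
```

For this table the summary comes down to two contacts: the duckdns.org host on an unusual port, and the co.nf host on port 80 whose address the sample also PTR-resolved. The decoded PTR addresses are what to check against the connection list and your own telemetry before treating any in-addr.arpa name as an indicator.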
Files
memory/4324-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp
memory/4324-1-0x0000000000C70000-0x0000000001E1E000-memory.dmp
memory/4324-2-0x0000000006920000-0x00000000069BC000-memory.dmp
memory/4324-3-0x0000000074E40000-0x00000000755F0000-memory.dmp
memory/4324-4-0x000000000DFC0000-0x000000000F142000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
| MD5 | c3c21fa4c2186deb641455482ab0d3aa |
| SHA1 | 2f4b49e8383e073ccb965943ce970de403412567 |
| SHA256 | 4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9 |
| SHA512 | 31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7 |
memory/3996-18-0x0000025E74750000-0x0000025E74751000-memory.dmp
memory/3996-17-0x0000025E74750000-0x0000025E74751000-memory.dmp
memory/3996-16-0x0000025E74750000-0x0000025E74751000-memory.dmp
memory/3996-22-0x0000025E74750000-0x0000025E74751000-memory.dmp
memory/3996-28-0x0000025E74750000-0x0000025E74751000-memory.dmp
memory/3996-27-0x0000025E74750000-0x0000025E74751000-memory.dmp
memory/3996-26-0x0000025E74750000-0x0000025E74751000-memory.dmp
memory/3996-25-0x0000025E74750000-0x0000025E74751000-memory.dmp
memory/3996-24-0x0000025E74750000-0x0000025E74751000-memory.dmp
memory/3996-23-0x0000025E74750000-0x0000025E74751000-memory.dmp
memory/696-29-0x0000000000762000-0x000000000181E000-memory.dmp
memory/696-35-0x00000000030D0000-0x00000000030D1000-memory.dmp
memory/696-34-0x00000000030C0000-0x00000000030C1000-memory.dmp
memory/696-33-0x0000000002B90000-0x0000000002B91000-memory.dmp
memory/696-32-0x0000000002B80000-0x0000000002B81000-memory.dmp
memory/696-31-0x0000000002B70000-0x0000000002B71000-memory.dmp
memory/696-30-0x0000000002B50000-0x0000000002B51000-memory.dmp
memory/696-37-0x00000000030F0000-0x00000000030F1000-memory.dmp
memory/696-36-0x00000000030E0000-0x00000000030E1000-memory.dmp
memory/696-40-0x0000000000400000-0x0000000002991000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
| MD5 | efc159c7cf75545997f8c6af52d3e802 |
| SHA1 | b85bd368c91a13db1c5de2326deb25ad666c24c1 |
| SHA256 | 898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e |
| SHA512 | d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d |
memory/4324-45-0x0000000074E4E000-0x0000000074E4F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
| MD5 | 8fdf47e0ff70c40ed3a17014aeea4232 |
| SHA1 | e6256a0159688f0560b015da4d967f41cbf8c9bd |
| SHA256 | ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82 |
| SHA512 | bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be |
memory/1052-49-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1052-54-0x0000000005570000-0x0000000005B14000-memory.dmp
memory/4324-55-0x0000000074E40000-0x00000000755F0000-memory.dmp
memory/696-56-0x0000000000762000-0x000000000181E000-memory.dmp
memory/1052-57-0x0000000005150000-0x00000000051E2000-memory.dmp
memory/696-58-0x0000000000400000-0x0000000002991000-memory.dmp
memory/1052-59-0x0000000005320000-0x000000000532A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini
| MD5 | 902927c48d191e30067d84a53158e2ba |
| SHA1 | 95dd6d3508790b98d1a576f0b2057bdcc2099247 |
| SHA256 | b408602c7d2107d819b18d47cbc196a307ab6435bbc819173f300e76573e616c |
| SHA512 | 328af5e697278b2c8150534162c330b11e9cc3024ee676cf9321a248701d99322cc1341694904d0ca5c6898e74e39419cd36765499d6992934075b08276c8eeb |
memory/4324-105-0x0000000074E40000-0x00000000755F0000-memory.dmp