Malware Analysis Report

2024-12-06 03:18

Sample ID: 241024-gelmfawcmd
Target: 24102024_0543_22102024_5702771896_AWB_20240902_225_20240902.rar
SHA256: 544d772118922c50b382935f5403c6b9e6fcffdad5a82ea1ad1aec139c138581
Tags: guloader remcos remotehost collection discovery downloader rat spyware stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 24102024_0543_22102024_5702771896_AWB_20240902_225_20240902.rar was found to be: Known bad.

Malicious Activity Summary

Remcos

Guloader,Cloudeye

NirSoft MailPassView

Detected Nirsoft tools

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook accounts

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported: 2024-10-24 05:43

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-24 05:43
Reported: 2024-10-24 06:02
Platform: win7-20240903-en
Max time kernel: 298s
Max time network: 299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2756 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2756 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2756 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2756 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2756 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2756 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2652 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
  "C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe"

C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
  "C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe"

C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
  C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe /stext "C:\Users\Admin\AppData\Local\Temp\fusngzvyedgexbkwpgap"

C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
  C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe /stext "C:\Users\Admin\AppData\Local\Temp\qwfxhkfaslyjzpghyqnqslp"

C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
  C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe /stext "C:\Users\Admin\AppData\Local\Temp\sqlqicquntqwjvulpbzkvykgtq"

Network

Country | Destination | Domain | Proto
US | 212.162.149.192:80 | 212.162.149.192 | tcp
US | 23.227.202.197:2404 | | tcp
US | 23.227.202.197:2404 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

\Users\Admin\AppData\Local\Temp\nstF4AD.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

C:\Users\Admin\AppData\Local\Temp\fusngzvyedgexbkwpgap

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\ProgramData\remcos\logs.dat

MD5 bf70c538372bea698c8ee68784f944fe
SHA1 30e7b529fa307e23d690838c25c07551534316cf
SHA256 ffb690fcccbfd22df99a2d339841b9eb11824d640abeaa26e2cd418dca99fce6
SHA512 2c0e7554dd4ecedc37b530b4b6a83f2b0eb155f1a293223267a957fdc6e2fe03757eb0a4819c7ac10489e38491c1bdb27784b6ab148d3abea9fd34478012908c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-24 05:43
Reported: 2024-10-24 19:16
Platform: win10v2004-20241007-en
Max time kernel: 299s
Max time network: 299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1004 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 1004 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 1004 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 1004 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 1004 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2464 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2464 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2464 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2464 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2464 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2464 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2464 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2464 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
PID 2464 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe | C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
  "C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe"

C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
  "C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe"

C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
  C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe /stext "C:\Users\Admin\AppData\Local\Temp\zitdtzlqyfrhrugjlhgfjilmdqcbn"

C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
  C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe /stext "C:\Users\Admin\AppData\Local\Temp\bcyntswjmnjmtbunusbyuvgdeftkozvf"

C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe
  C:\Users\Admin\AppData\Local\Temp\5702771896_AWB_20240902_225_20240902.exe /stext "C:\Users\Admin\AppData\Local\Temp\lelg"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 212.162.149.192:80 | 212.162.149.192 | tcp
US | 8.8.8.8:53 | 192.149.162.212.in-addr.arpa | udp
US | 23.227.202.197:2404 | | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.202.227.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 23.227.202.197:2404 | | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\nsuD0FE.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

C:\Users\Admin\AppData\Local\Temp\zitdtzlqyfrhrugjlhgfjilmdqcbn

MD5 f1d2c01ce674ad7d5bad04197c371fbc
SHA1 4bf0ed04d156a3dc6c8d27e134ecbda76d3585aa
SHA256 25b006032deccd628940ef728fffe83b325a85de453a34691f55f570e4460094
SHA512 81cb982cc33dcc27600a8a681c3ec3cc5b9221b95baa45e1ab24479745a9638b9f31d7beeeb1128b3294ff69b44e958c75e25d565f66790c364665caff96ee77

C:\ProgramData\remcos\logs.dat

MD5 bc2dba59425750566e43284febc9ab21
SHA1 934bb003a208bdf913265d0fcd8aebd5d8b8631d
SHA256 6b6d69da82f0dd712abbe17ead623cbd94511ca8e96772eafb0b33fe32839ec7
SHA512 4880b52ef9da059382128aa9665ce1fb08e8abdf8abcc8151cc683d3632677afcafe24b54d312a65224aacd5b27dea1af0da55227792869517cd1706c8a2de1d

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-24 05:43
Reported: 2024-10-24 06:02
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-10-24 05:43
Reported: 2024-10-24 19:16
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 204s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2964 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2964 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2964 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2668 -ip 2668

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 616

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

N/A