Analysis Overview
SHA256
1f785691c057f5062ac9d630cf304ad946c825928c87e63172f335e96beddda1
Threat Level: Known bad
The file RFQ 6000208225.exe was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Remcos family
Remcos
Guloader family
Detected Nirsoft tools
NirSoft WebBrowserPassView
NirSoft MailPassView
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 12:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 12:37
Reported
2024-11-06 12:39
Platform
win7-20240729-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2300 set thread context of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe |
| PID 2964 set thread context of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe |
| PID 2964 set thread context of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe |
| PID 2964 set thread context of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\karga.ini | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wffvlpgpdzepqduzlcoegwnvn"
C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hitolirqrhwuajidumigjbieoewtv"
C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jcyymackfpogcxehdxvzuocvxkfcopxp"
Network
| Country | Destination | Domain | Proto |
| US | 212.162.149.211:80 | 212.162.149.211 | tcp |
| US | 212.162.149.220:2404 | tcp | |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| US | 212.162.149.220:2404 | tcp | |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\nseC85F.tmp\System.dll
| MD5 | fc3772787eb239ef4d0399680dcc4343 |
| SHA1 | db2fa99ec967178cd8057a14a428a8439a961a73 |
| SHA256 | 9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed |
| SHA512 | 79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89 |
memory/2300-27-0x0000000004340000-0x0000000005C6C000-memory.dmp
memory/2300-28-0x0000000076F61000-0x0000000077062000-memory.dmp
memory/2300-29-0x0000000076F60000-0x0000000077109000-memory.dmp
memory/2964-30-0x0000000076F60000-0x0000000077109000-memory.dmp
memory/2300-31-0x0000000004340000-0x0000000005C6C000-memory.dmp
memory/2964-33-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-36-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2724-39-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2684-38-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2684-44-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1388-46-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1388-48-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2724-45-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2724-43-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2684-42-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2724-41-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2684-40-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1388-49-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1388-50-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2684-56-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wffvlpgpdzepqduzlcoegwnvn
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2724-62-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2964-63-0x0000000032960000-0x0000000032979000-memory.dmp
memory/2964-67-0x0000000032960000-0x0000000032979000-memory.dmp
memory/2964-66-0x0000000032960000-0x0000000032979000-memory.dmp
memory/2964-69-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-72-0x0000000000490000-0x00000000014F2000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 8ac1dbd9638470a6f6a205869a00ba68 |
| SHA1 | 5984d595bdefa760c4c91b3da686ef0db804e605 |
| SHA256 | df6248a62c64e054315f0b55bbf8db4f59cd714a43bde7f3bb998e53091da079 |
| SHA512 | 20fdc612785052a7f30d14c9ef4567266ee9bb73ea77ac40857b4ff6507ca0fe55eb7ea53c9b417f7f59e2283804a8b76be41d89dd5c4da085265aa2c4e1766f |
memory/2964-75-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-78-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-81-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-84-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-87-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-90-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-93-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-96-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-99-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-102-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2964-105-0x0000000000490000-0x00000000014F2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 12:37
Reported
2024-11-06 12:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1660 set thread context of 4056 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe |
| PID 4056 set thread context of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe |
| PID 4056 set thread context of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe |
| PID 4056 set thread context of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\karga.ini | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jplstvdkndvcjaflgczklhd"
C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ujyduoodblnhugtppnlmwmxxue"
C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 6000208225.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wldvughfxtfuwvptgygfzykodsrsib"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 212.162.149.211:80 | 212.162.149.211 | tcp |
| US | 8.8.8.8:53 | 211.149.162.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 212.162.149.220:2404 | tcp | |
| US | 212.162.149.220:2404 | tcp | |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 220.149.162.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nstB576.tmp\System.dll
| MD5 | fc3772787eb239ef4d0399680dcc4343 |
| SHA1 | db2fa99ec967178cd8057a14a428a8439a961a73 |
| SHA256 | 9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed |
| SHA512 | 79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89 |
memory/1660-25-0x0000000004A40000-0x000000000636C000-memory.dmp
memory/1660-26-0x00000000779A1000-0x0000000077AC1000-memory.dmp
memory/1660-27-0x0000000010004000-0x0000000010005000-memory.dmp
memory/1660-28-0x0000000004A40000-0x000000000636C000-memory.dmp
memory/4056-29-0x00000000016F0000-0x000000000301C000-memory.dmp
memory/4056-30-0x0000000077A28000-0x0000000077A29000-memory.dmp
memory/4056-31-0x0000000077A45000-0x0000000077A46000-memory.dmp
memory/4056-32-0x0000000000490000-0x00000000016E4000-memory.dmp
memory/4056-36-0x00000000016F0000-0x000000000301C000-memory.dmp
memory/2320-39-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2320-41-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2892-56-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1064-55-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2892-49-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2892-48-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2892-45-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2320-44-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1064-43-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4056-54-0x00000000779A1000-0x0000000077AC1000-memory.dmp
memory/1064-40-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1064-42-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4056-47-0x0000000000490000-0x00000000016E4000-memory.dmp
memory/2320-60-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jplstvdkndvcjaflgczklhd
| MD5 | ac300aeaf27709e2067788fdd4624843 |
| SHA1 | e98edd4615d35de96e30f1a0e13c05b42ee7eb7b |
| SHA256 | d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9 |
| SHA512 | 09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df |
memory/4056-63-0x0000000034010000-0x0000000034029000-memory.dmp
memory/4056-66-0x0000000034010000-0x0000000034029000-memory.dmp
memory/4056-67-0x0000000034010000-0x0000000034029000-memory.dmp
memory/4056-70-0x0000000000490000-0x00000000016E4000-memory.dmp
memory/4056-73-0x0000000000490000-0x00000000016E4000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 2a90fa08e718cc299198c4b2713eec7f |
| SHA1 | 9aaca117f432881a59aa5672fdb643ff95f27465 |
| SHA256 | fcf7378a50653ca510828057605b5c01572ccc6a7b7a71beb41c2d372b5c647a |
| SHA512 | 3868c29def2b1fa5705a7f34a67a5af6e0fb142e61a8593b1958deeddb894b28326049eda17f599e1674774eac181fcd0c587be037196a8ed3bf400eaa2e9174 |
memory/4056-76-0x0000000000490000-0x00000000016E4000-memory.dmp
memory/4056-88-0x0000000000490000-0x00000000016E4000-memory.dmp
memory/4056-91-0x0000000000490000-0x00000000016E4000-memory.dmp
memory/4056-94-0x0000000000490000-0x00000000016E4000-memory.dmp
memory/4056-106-0x0000000000490000-0x00000000016E4000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-06 12:37
Reported
2024-11-06 12:39
Platform
win7-20241010-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 228
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-06 12:37
Reported
2024-11-06 12:39
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4868 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4868 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4868 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |