Analysis Overview
SHA256
62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59
Threat Level: Known bad
The file 62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59 was found to be: Known bad.
Malicious Activity Summary
Remcos family
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:52
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:52
Reported
2024-11-09 22:54
Platform
win7-20240903-en
Max time kernel
147s
Max time network
146s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe
"C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | imaxatmonk.imaxatmonk.com | udp | 1 |
| CO | 181.49.85.74:2204 | imaxatmonk.imaxatmonk.com | tcp | 44 |
Files
C:\ProgramData\rochilds\logs.dat
| MD5 | 57bf1eb8c21bb5a9926a1a70898f206d |
| SHA1 | 6ada96d1bafbfc22dbeb63e6782b8814795ebfb7 |
| SHA256 | a8b514b22d9d4cbe8adc8f6bcae7e8fae3643640e0db9d1df5f330edab2da1f2 |
| SHA512 | 61c2407f66833bcf67b20ee0756cfe27d84877948f675c79e17b01f971290146286ea8fa79cf1005ac3092e9e0e024e195ad7a50c461458d1194537051098240 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:52
Reported
2024-11-09 22:54
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe
"C:\Users\Admin\AppData\Local\Temp\62f2fd47d0a3503d3ff5effe1bfc868624525af15e2b002ebc95830db73e5d59.exe"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | imaxatmonk.imaxatmonk.com | udp | 1 |
| CO | 181.49.85.74:2204 | imaxatmonk.imaxatmonk.com | tcp | 32 |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp | 1 |
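Both behavioral runs agree on a single C2 endpoint: imaxatmonk.imaxatmonk.com resolving to 181.49.85.74, contacted repeatedly over TCP/2204. The block below is an added example for this page, not output of the sandbox and not code from any Remcos analysis tooling: it matches those indicators against Zeek-style conn.log and dns.log records. The Zeek column subsets are trimmed for the demo and every log line is constructed. The *.in-addr.arpa PTR queries in behavioral2 carry no indicator and are deliberately not matched; a session to the same host on another port, or an unrelated name that resolves to 181.49.85.74, is reported at medium rather than high confidence (that grading is this example's choice, not something the report states).

```python
"""Match the Remcos C2 indicators from this report against Zeek-style
conn.log and dns.log records.

Added example for this page, not sandbox output or Remcos analysis tooling.
Column subsets are trimmed and every log line below is constructed.
"""
from dataclasses import dataclass

# Indicators taken from the behavioral1/behavioral2 network tables.
C2_DOMAIN = "imaxatmonk.imaxatmonk.com"
C2_IP = "181.49.85.74"
C2_PORT = 2204

# Zeek column subsets used here; real logs carry more columns, '-' means unset.
CONN_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")
DNS_FIELDS = CONN_FIELDS + ("qtype_name", "query", "answers")


@dataclass(frozen=True)
class Hit:
    log: str         # "conn" or "dns"
    uid: str         # Zeek connection uid, for pivoting into other logs
    indicator: str   # what matched
    confidence: str  # "high" or "medium"


def parse_tsv(text, fields):
    """Parse tab-separated records into dicts, skipping Zeek '#' header lines."""
    rows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(parts)}: {line!r}")
        rows.append(dict(zip(fields, parts)))
    return rows


def match_conn(rows):
    """Exact ip:port over tcp is high confidence; the same host on another
    port is medium (operators rotate ports more readily than hosts)."""
    hits = []
    for r in rows:
        if r["id.resp_h"] != C2_IP:
            continue
        if r["id.resp_p"] == str(C2_PORT) and r["proto"] == "tcp":
            hits.append(Hit("conn", r["uid"], f"{C2_IP}:{C2_PORT}/tcp", "high"))
        else:
            hits.append(Hit("conn", r["uid"], f"{C2_IP}:{r['id.resp_p']}/{r['proto']}", "medium"))
    return hits


def match_dns(rows):
    """Lookups of the C2 name (or a label under it) are high confidence; any
    other name answering with the C2 address is medium. PTR queries such as
    the *.in-addr.arpa rows in behavioral2 match neither branch."""
    hits = []
    for r in rows:
        q = r["query"].rstrip(".").lower()
        answers = [] if r["answers"] == "-" else r["answers"].split(",")
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            hits.append(Hit("dns", r["uid"], C2_DOMAIN, "high"))
        elif C2_IP in answers:
            hits.append(Hit("dns", r["uid"], f"{q} -> {C2_IP}", "medium"))
    return hits


def scan(conn_text, dns_text):
    """Run both matchers; conn hits first, then dns hits."""
    return match_conn(parse_tsv(conn_text, CONN_FIELDS)) + match_dns(parse_tsv(dns_text, DNS_FIELDS))


# Constructed sample logs (not sandbox output). conn: the C2 session on 2204,
# the same host on 443, an unrelated HTTPS session. dns: the C2 A lookup, a
# PTR lookup like those in behavioral2, an unrelated name resolving to the C2 IP.
SAMPLE_CONN = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1731192720.1\tCxq1a\t10.0.0.15\t49712\t181.49.85.74\t2204\ttcp
1731192725.4\tCxq1b\t10.0.0.15\t49713\t181.49.85.74\t443\ttcp
1731192730.9\tCxq1c\t10.0.0.15\t49714\t93.184.216.34\t443\ttcp
"""
SAMPLE_DNS = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tqtype_name\tquery\tanswers
1731192719.8\tCdns1\t10.0.0.15\t53211\t8.8.8.8\t53\tudp\tA\timaxatmonk.imaxatmonk.com\t181.49.85.74
1731192721.0\tCdns2\t10.0.0.15\t53212\t8.8.8.8\t53\tudp\tPTR\t8.8.8.8.in-addr.arpa\tdns.google
1731192740.2\tCdns3\t10.0.0.15\t53213\t8.8.8.8\t53\tudp\tA\tupdate.example.net\t181.49.85.74
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_CONN, SAMPLE_DNS):
        print(f"{hit.confidence:6} {hit.log:4} {hit.uid:6} {hit.indicator}")
```

Run it as a script to see the four hits; the uid on each hit is the pivot back into Zeek's other logs (http.log, files.log, ssl.log) for the same session. Feed real logs by passing the file contents to scan(), after widening CONN_FIELDS and DNS_FIELDS to the column set in your Zeek #fields header.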
Files
C:\ProgramData\rochilds\logs.dat
| MD5 | 042f790976038c93872c1fa04377f9bf |
| SHA1 | 48c2cfb1aaca6b35657d49d078996bd6a68c39f9 |
| SHA256 | e73a60a4bfcc6a21328cd8a6e175a2a178c221f7f7ab4f0f0e92759397db034a |
| SHA512 | 5f72d8bcc1d8f20d3ff3d3d8844df79a369d34e9e21d1b2ca6e7e0bffa26aa07e7f14d6f0750e4468038d06df9f989d72ad4ac342e11fdc9c7aff8346646dcad |
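Both runs write the keylogger output to the same path, C:\ProgramData\rochilds\logs.dat, yet its MD5/SHA1/SHA256/SHA512 differ between behavioral1 and behavioral2: the file holds whatever input that detonation captured, so the path is the durable indicator and the hashes are not. The block below is an added example for this page, not part of the report and not Remcos tooling: a path-first hunt over a ProgramData-style tree that records the hash only as a secondary check. The directory layout it builds is constructed for the demo, and treating logs.dat under any other ProgramData subfolder as a medium-confidence finding is this example's assumption, not something the report states.

```python
"""Path-first hunt for the Remcos keylog artifact listed in this report.

Added example, not sandbox output. The SHA-256 values come from the
behavioral1/behavioral2 Files sections; the demo tree is constructed.
"""
import hashlib
import os
import tempfile

KEYLOG_FOLDER = "rochilds"   # ProgramData subfolder seen in both runs
KEYLOG_NAME = "logs.dat"
KNOWN_SHA256 = {
    "a8b514b22d9d4cbe8adc8f6bcae7e8fae3643640e0db9d1df5f330edab2da1f2",  # behavioral1
    "e73a60a4bfcc6a21328cd8a6e175a2a178c221f7f7ab4f0f0e92759397db034a",  # behavioral2
}


def sha256_file(path):
    """Stream the file through SHA-256 so a large keylog is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(programdata_root):
    """Report every logs.dat sitting directly inside a first-level ProgramData folder.

    The folder name from this report is high confidence. Any other folder is
    medium: an assumption of this example, on the basis that the folder name
    is the part of the path most likely to vary across builds.
    """
    findings = []
    if not os.path.isdir(programdata_root):
        return findings
    for folder in sorted(os.listdir(programdata_root)):
        candidate = os.path.join(programdata_root, folder, KEYLOG_NAME)
        if not os.path.isfile(candidate):
            continue
        digest = sha256_file(candidate)
        findings.append({
            "path": candidate,
            "folder": folder,
            "size": os.path.getsize(candidate),
            "sha256": digest,
            "known_hash": digest in KNOWN_SHA256,   # expected False on any other host
            "confidence": "high" if folder.lower() == KEYLOG_FOLDER else "medium",
        })
    return findings


def build_demo_tree():
    """Constructed stand-in for C:\\ProgramData: the reported folder, a look-alike, and noise."""
    root = tempfile.mkdtemp(prefix="programdata_demo_")
    layout = {
        os.path.join("rochilds", "logs.dat"): b"constructed keystroke capture\r\n",
        os.path.join("other_app", "logs.dat"): b"ordinary application log\r\n",
        os.path.join("Microsoft", "settings.ini"): b"[demo]\r\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in hunt(build_demo_tree()):
        print(f"{finding['confidence']:6} {finding['path']}  "
              f"sha256={finding['sha256'][:16]}...  known_hash={finding['known_hash']}")
```

On a real Windows host call hunt(r"C:\ProgramData") instead of the demo tree. A known_hash of False is the normal outcome and does not clear the file: the capture content differs on every victim, so a logs.dat under the reported folder is the finding regardless of its digest. The demo tree is left in the temp directory for inspection.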