Analysis Overview
SHA256
eabb327310e486992484fbacba46b48b7839ba0dde0637e9f2cb4dd87be86bec
Threat Level: Known bad
The file aae87b34af259a558eb27f903ae0976a.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Remcos family
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 22:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 22:23
Reported
2024-11-12 22:26
Platform
win7-20240903-en
Max time kernel
179s
Max time network
153s
Command Line
Signatures
Remcos
Remcos family
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandyBackupEditorDesigner = "C:\\Users\\Admin\\Music\\HandyBackupDesignUpdater\\HandyBackupVideo.exe" | C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe
"C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe"
C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe
"C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | LUNAPETRO.chickenkiller.com | udp |
| CO | 179.14.10.239:1991 | LUNAPETRO.chickenkiller.com | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| CO | 179.14.10.239:1991 | LUNAPETRO.chickenkiller.com | tcp |
| CO | 179.14.10.239:1991 | LUNAPETRO.chickenkiller.com | tcp |
| CO | 179.14.10.239:1991 | LUNAPETRO.chickenkiller.com | tcp |
| CO | 179.14.10.239:1991 | LUNAPETRO.chickenkiller.com | tcp |
Files
C:\ProgramData\remcos\logs.dat
| Hash | Value |
| --- | --- |
| MD5 | e86756859daecdbe6ed3a3b26182ac1a |
| SHA1 | 47664e5a0fb00807782a56b03c8b5a3b8a29230d |
| SHA256 | 8174b94ef88388fda87952ed4648068fbb5d4f5e2f8fcec1d9ecb18b5e126a59 |
| SHA512 | 33aa86c8c3936c4798789b5f273069be0658081d0f358dd8784f0bb3234ff3d79e926517703a2dc5a27355be68e4d1a5c8e270280f59394aae361f5cdc9660b9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 22:23
Reported
2024-11-12 22:26
Platform
win10v2004-20241007-en
Max time kernel
180s
Max time network
154s
Command Line
Signatures
Remcos
Remcos family
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HandyBackupEditorDesigner = "C:\\Users\\Admin\\Music\\HandyBackupDesignUpdater\\HandyBackupVideo.exe" | C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe
"C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe"
C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe
"C:\Users\Admin\AppData\Local\Temp\SOPORTE CONSIGNACIÓN ELECTRÓNICA PARA SU VERIFICACIÓN NOVIEMBRE 12 DE 2024.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | LUNAPETRO.chickenkiller.com | udp |
| CO | 179.14.10.239:1991 | LUNAPETRO.chickenkiller.com | tcp |
| US | 8.8.8.8:53 | 239.10.14.179.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| CO | 179.14.10.239:1991 | LUNAPETRO.chickenkiller.com | tcp |
| CO | 179.14.10.239:1991 | LUNAPETRO.chickenkiller.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\remcos\logs.dat
| Hash | Value |
| --- | --- |
| MD5 | 0f241f0c96310fe421a1696697105ea0 |
| SHA1 | abb6e0c9bc87dc4133cb4a73d665f0e4fffcaf8c |
| SHA256 | e4862ff4ccc391279e2e2c162807d2e095a712a64bf02892fb9b118d673d9d34 |
| SHA512 | bdf7cbcde966ccb30f51ee3bcf6ff703820af503e2b2009a3fe6fb2fca3d4890fab6bec5a0a6a84edb05de09fc60e0b45a6e2ee10af6a91f2cf7a5d84db64d90 |