Analysis Overview
SHA256
bf44cea9ad3b2537695ad68051a3d76103f51acac12dae98046bcc67655a8d89
Threat Level: Known bad
The file d3f3e7bf2f74eee0bab26b57b4086508.uue was found to be: Known bad.
Malicious Activity Summary
Remcos family
Remcos
Downloads MZ/PE file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 22:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 22:23
Reported
2024-11-13 22:26
Platform
win10v2004-20241007-en
Max time kernel
128s
Max time network
154s
Command Line
Signatures
Remcos
Remcos family
Downloads MZ/PE file
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UnuKick = "C:\\Users\\Admin\\Videos\\Kick\\VideoUnu.exe" | C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1788 set thread context of 4448 | N/A | C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| PID 4448 set thread context of 3812 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe
"C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dgzaswrowflohczggavxhg.vbs"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | seguridadcolombia-activa.homepc.it | udp |
| CO | 181.141.40.225:30201 | seguridadcolombia-activa.homepc.it | tcp |
| US | 8.8.8.8:53 | contath.org | udp |
| US | 8.8.8.8:53 | 225.40.141.181.in-addr.arpa | udp |
| US | 69.49.234.173:443 | contath.org | tcp |
| CO | 181.141.40.225:30201 | seguridadcolombia-activa.homepc.it | tcp |
| US | 8.8.8.8:53 | nuevodntestchec.addns.org | udp |
| CO | 181.141.40.225:3018 | nuevodntestchec.addns.org | tcp |
| US | 8.8.8.8:53 | 173.234.49.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| CO | 181.141.40.225:3018 | nuevodntestchec.addns.org | tcp |
| CO | 181.141.40.225:3018 | nuevodntestchec.addns.org | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1788-1-0x0000000000573000-0x000000000058C000-memory.dmp
memory/1788-0-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/1788-3-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/1788-6-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/1788-5-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/1788-9-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/1788-8-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/4448-7-0x00000000010A0000-0x0000000001144000-memory.dmp
memory/1788-4-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/4448-10-0x0000000005780000-0x0000000005854000-memory.dmp
memory/4448-21-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-24-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-58-0x0000000005780000-0x000000000584F000-memory.dmp
memory/1788-171-0x0000000000AA9000-0x0000000000AB5000-memory.dmp
memory/4448-168-0x0000000073DEE000-0x0000000073DEF000-memory.dmp
memory/4448-66-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-64-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-254-0x0000000005940000-0x0000000005950000-memory.dmp
memory/4448-62-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-60-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-56-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-55-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-52-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-50-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-48-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-46-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-44-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-42-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-40-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-36-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-34-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-32-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-30-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-28-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-26-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-22-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-18-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-16-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-14-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-11-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-38-0x0000000005780000-0x000000000584F000-memory.dmp
memory/4448-12-0x0000000005780000-0x000000000584F000-memory.dmp
memory/1788-3129-0x0000000000573000-0x000000000058C000-memory.dmp
memory/4448-3929-0x0000000005950000-0x00000000059A6000-memory.dmp
memory/4448-3930-0x00000000059B0000-0x00000000059FC000-memory.dmp
memory/4448-3931-0x0000000005A90000-0x0000000005AF6000-memory.dmp
memory/4448-3932-0x0000000073DEE000-0x0000000073DEF000-memory.dmp
memory/4448-3933-0x0000000006130000-0x0000000006184000-memory.dmp
memory/3812-3940-0x0000000000400000-0x000000000047F000-memory.dmp
memory/3812-3952-0x0000000000400000-0x000000000047F000-memory.dmp
C:\ProgramData\data\registros.dat
| MD5 | 1f7eb09e0c6bac0673ebcc3e8a69ca43 |
| SHA1 | 9bae1f4251cc13e7129501cce58d590dd963ecf5 |
| SHA256 | d546db9b1b42fa64cf820ec0ed4abb96e482647edf33a70c94e19c99754040b3 |
| SHA512 | 0bdd4ab1f8aa7f2de86137f0f480df91cfbe291ee235012e1739d5e546fdd37d2f7628cf6ab3232b5f96cda145f7bdb5e747528b4b5e1e44541e337372fd9f10 |
memory/3812-3985-0x0000000000400000-0x000000000047F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dgzaswrowflohczggavxhg.vbs
| MD5 | 92323d5eafdd057f2602a2a0b5f5230e |
| SHA1 | 9498775850b22af3303ce67d042c7cf3925b396b |
| SHA256 | 52512978ad3bd19b5bbc6a332b2cc7635947c9f29979f746f406161ffb3ac34a |
| SHA512 | 268d4fe79242535278a9ca3396d1e39f9be88285a4ea01304bd39415728e07e5d9b8392a778732ab3b65ab050aa6aa6aadf6f4d1443b39605763fc380637bb5c |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 22:23
Reported
2024-11-13 22:26
Platform
win7-20240708-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\UnuKick = "C:\\Users\\Admin\\Videos\\Kick\\VideoUnu.exe" | C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1700 set thread context of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe
"C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | seguridadcolombia-activa.homepc.it | udp |
| CO | 181.141.40.225:30201 | seguridadcolombia-activa.homepc.it | tcp |
| US | 8.8.8.8:53 | contath.org | udp |
| US | 69.49.234.173:443 | contath.org | tcp |
Files
memory/1700-1-0x0000000000573000-0x000000000058C000-memory.dmp
memory/1700-0-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/1700-2-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/1700-4-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/1700-5-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/1700-6-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/2536-19-0x00000000745AE000-0x00000000745AF000-memory.dmp
memory/2536-18-0x0000000000350000-0x00000000003F4000-memory.dmp
memory/1700-17-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/2536-14-0x0000000000350000-0x00000000003F4000-memory.dmp
memory/1700-11-0x0000000000400000-0x0000000000B20000-memory.dmp
memory/2536-10-0x0000000000350000-0x00000000003F4000-memory.dmp
memory/2536-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2536-7-0x0000000000350000-0x00000000003F4000-memory.dmp
memory/2536-20-0x00000000745A0000-0x0000000074C8E000-memory.dmp
memory/2536-21-0x0000000001120000-0x00000000011F4000-memory.dmp
memory/2536-22-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-25-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-32-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-41-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-59-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-23-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-71-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-69-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-67-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-65-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-63-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-61-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-57-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-55-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-53-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-52-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-49-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-47-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-45-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-43-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-39-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-37-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-35-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-33-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-29-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-27-0x0000000001120000-0x00000000011EF000-memory.dmp
memory/2536-3936-0x0000000000D60000-0x0000000000DB6000-memory.dmp
memory/2536-3937-0x0000000000DC0000-0x0000000000E0C000-memory.dmp
memory/1700-3938-0x0000000000573000-0x000000000058C000-memory.dmp
memory/2536-3939-0x0000000001070000-0x00000000010C4000-memory.dmp
memory/2536-3940-0x00000000745AE000-0x00000000745AF000-memory.dmp
memory/2536-3941-0x00000000745A0000-0x0000000074C8E000-memory.dmp