Analysis Overview
SHA256
1d1c6bda17ebae5d6af1cc83de37f18ea006748098dc9da1681141409846103c
Threat Level: Known bad
The file 1d1c6bda17ebae5d6af1cc83de37f18ea006748098dc9da1681141409846103c.zip was found to be: Known bad.
Malicious Activity Summary
Remcos family
Remcos
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 02:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-13 02:09
Reported
2024-11-13 02:11
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
138s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3608 wrote to memory of 1028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3608 wrote to memory of 1028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3608 wrote to memory of 1028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-13 02:09
Reported
2024-11-13 02:11
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0x64.sys
C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0x64.sys
C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0x64.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/784-0-0x0000000000010000-0x0000000000017000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-13 02:09
Reported
2024-11-13 02:11
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Remcos family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2648 set thread context of 2192 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe
"C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe"
C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe
"C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe" /VERYSILENT
C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe
"C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe"
C:\Users\Admin\AppData\Roaming\scr_previw.exe
"C:\Users\Admin\AppData\Roaming\scr_previw.exe"
C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
Files
memory/2232-0-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2232-3-0x0000000000400000-0x000000000070A000-memory.dmp
\Users\Admin\AppData\Roaming\setfsb\setfsb.exe
| MD5 | 06d6023afb0ad4a828637863ba67277f |
| SHA1 | 393a8ea1e0ae4d5d2c4934850b996ec0618d4a90 |
| SHA256 | 0f52243a7916d0b453be438133be2d55cf7da381c34f751ee8d593c10ab00168 |
| SHA512 | 2e9e683bd3ae8987181cd2d8aa36134674adf81f540f035f8ff8780de67ff753202ba2b806e878bf17a4e1387f172c189682022e216df31b1c591fb1f2536a96 |
\Users\Admin\AppData\Roaming\scr_previw.exe
| MD5 | d9530ecee42acccfd3871672a511bc9e |
| SHA1 | 89b4d2406f1294bd699ef231a4def5f495f12778 |
| SHA256 | 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280 |
| SHA512 | d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980 |
C:\Users\Admin\AppData\Roaming\d3dx9_43.dll
| MD5 | e8ad346c114fda96fca288966eae8e92 |
| SHA1 | fdfad7f2030b54f076b2a2e24ef1199abf2588e6 |
| SHA256 | 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0 |
| SHA512 | d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549 |
memory/2800-28-0x0000000000400000-0x000000000070A000-memory.dmp
C:\Users\Admin\AppData\Roaming\gbxchd
| MD5 | 162ba47ec20e7fb580672579a6fef9d2 |
| SHA1 | a6b52b8f549ca44ffe821f65e846b869da544c28 |
| SHA256 | 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159 |
| SHA512 | 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4 |
C:\Users\Admin\AppData\Roaming\cygrt
| MD5 | a727c368e3a6c273f28c80607f2df861 |
| SHA1 | a31a2b4a4677d58bf9f7126da6dedaf4502eb283 |
| SHA256 | bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca |
| SHA512 | b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d |
memory/2624-32-0x0000000074590000-0x0000000074704000-memory.dmp
memory/2624-33-0x0000000077120000-0x00000000772C9000-memory.dmp
memory/2648-47-0x0000000074350000-0x00000000744C4000-memory.dmp
memory/2648-48-0x0000000077120000-0x00000000772C9000-memory.dmp
memory/2648-49-0x0000000074350000-0x00000000744C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3a96de30
| MD5 | e1ed225cd80e45d8fbd6659dfca2647e |
| SHA1 | 87c707d7932a76e0dacd6b8ca209016860383204 |
| SHA256 | 355df58b67bbf4af2240165d91932abde0588fa846ad98a28772449974d30bdc |
| SHA512 | dbc8efe9b174153ab99526fc59ba8d9a225a151bb8062c510afd51fa8a955d80d1f938becd2f77dcdb794a1439397143c224192f064515cad8a1b8023b43c3d2 |
memory/2192-52-0x0000000077120000-0x00000000772C9000-memory.dmp
memory/2192-98-0x0000000074350000-0x00000000744C4000-memory.dmp
memory/2568-100-0x0000000077120000-0x00000000772C9000-memory.dmp
memory/2568-101-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2568-104-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2568-105-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2568-106-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2568-107-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2568-108-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2568-109-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2568-110-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2568-111-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2568-112-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2568-113-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2568-114-0x0000000000400000-0x0000000000484000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 02:09
Reported
2024-11-13 02:11
Platform
win7-20240729-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\setfsb\Creator.xls
Network
Files
memory/2436-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2436-1-0x0000000072D4D000-0x0000000072D58000-memory.dmp
memory/2436-2-0x0000000072D4D000-0x0000000072D58000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 02:09
Reported
2024-11-13 02:11
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\setfsb\Creator.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3080-3-0x00007FF9FED50000-0x00007FF9FED60000-memory.dmp
memory/3080-1-0x00007FFA3ED6D000-0x00007FFA3ED6E000-memory.dmp
memory/3080-5-0x00007FF9FED50000-0x00007FF9FED60000-memory.dmp
memory/3080-4-0x00007FF9FED50000-0x00007FF9FED60000-memory.dmp
memory/3080-0-0x00007FF9FED50000-0x00007FF9FED60000-memory.dmp
memory/3080-6-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-9-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-10-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-13-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-14-0x00007FF9FCA50000-0x00007FF9FCA60000-memory.dmp
memory/3080-12-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-15-0x00007FF9FCA50000-0x00007FF9FCA60000-memory.dmp
memory/3080-11-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-8-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-7-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-2-0x00007FF9FED50000-0x00007FF9FED60000-memory.dmp
memory/3080-17-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-19-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-18-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-21-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-20-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-16-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-31-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
memory/3080-32-0x00007FFA3ED6D000-0x00007FFA3ED6E000-memory.dmp
memory/3080-33-0x00007FFA3ECD0000-0x00007FFA3EEC5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | fe643de8c05f18b73dd109c04a99a7bf |
| SHA1 | 25526cfa71048d6c09ae07801f20adc97b614736 |
| SHA256 | 2ddc51e747dc1dc070b6d83379e84e2603574d9094042ab436abe71959b85457 |
| SHA512 | 635acc2cf51607474cc29bec716b2fb4cd9ada570ee073beac5716c90cf2d472d6fa2bd3becc72dc68f43d2d3e4795ebde74eebc7ee32a99a6c02682568d66ab |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 02:09
Reported
2024-11-13 02:11
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2192 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-13 02:09
Reported
2024-11-13 02:11
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0.sys
C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0.sys
C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0.sys
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-13 02:09
Reported
2024-11-13 02:11
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0.sys
C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0.sys
C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-13 02:09
Reported
2024-11-13 02:11
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0x64.sys
C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0x64.sys
C:\Users\Admin\AppData\Local\Temp\setfsb\WinRing0x64.sys
Network
Files
memory/2784-0-0x0000000000010000-0x0000000000017000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-13 02:09
Reported
2024-11-13 02:11
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Remcos
Remcos family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3676 set thread context of 1540 | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe
"C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe"
C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe
"C:\Users\Admin\AppData\Local\Temp\setfsb\setfsb.exe" /VERYSILENT
C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe
"C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe"
C:\Users\Admin\AppData\Roaming\scr_previw.exe
"C:\Users\Admin\AppData\Roaming\scr_previw.exe"
C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| FI | 95.217.148.142:9004 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| FI | 95.217.148.142:9004 | | tcp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
| FI | 95.217.148.142:9004 | | tcp |
Files
memory/2580-0-0x0000000002800000-0x0000000002801000-memory.dmp
memory/3488-3-0x00000000009E0000-0x00000000009E1000-memory.dmp
memory/2580-4-0x0000000000400000-0x000000000070A000-memory.dmp
C:\Users\Admin\AppData\Roaming\setfsb\setfsb.exe
| MD5 | 06d6023afb0ad4a828637863ba67277f |
| SHA1 | 393a8ea1e0ae4d5d2c4934850b996ec0618d4a90 |
| SHA256 | 0f52243a7916d0b453be438133be2d55cf7da381c34f751ee8d593c10ab00168 |
| SHA512 | 2e9e683bd3ae8987181cd2d8aa36134674adf81f540f035f8ff8780de67ff753202ba2b806e878bf17a4e1387f172c189682022e216df31b1c591fb1f2536a96 |
C:\Users\Admin\AppData\Roaming\scr_previw.exe
| MD5 | d9530ecee42acccfd3871672a511bc9e |
| SHA1 | 89b4d2406f1294bd699ef231a4def5f495f12778 |
| SHA256 | 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280 |
| SHA512 | d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980 |
C:\Users\Admin\AppData\Roaming\d3dx9_43.dll
| MD5 | e8ad346c114fda96fca288966eae8e92 |
| SHA1 | fdfad7f2030b54f076b2a2e24ef1199abf2588e6 |
| SHA256 | 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0 |
| SHA512 | d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549 |
memory/3488-26-0x0000000000400000-0x000000000070A000-memory.dmp
C:\Users\Admin\AppData\Roaming\gbxchd
| MD5 | 162ba47ec20e7fb580672579a6fef9d2 |
| SHA1 | a6b52b8f549ca44ffe821f65e846b869da544c28 |
| SHA256 | 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159 |
| SHA512 | 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4 |
C:\Users\Admin\AppData\Roaming\cygrt
| MD5 | a727c368e3a6c273f28c80607f2df861 |
| SHA1 | a31a2b4a4677d58bf9f7126da6dedaf4502eb283 |
| SHA256 | bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca |
| SHA512 | b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d |
memory/904-29-0x0000000073EE0000-0x000000007405B000-memory.dmp
memory/904-30-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp
memory/3676-42-0x00000000740E0000-0x000000007425B000-memory.dmp
memory/3676-43-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp
memory/3676-44-0x00000000740E0000-0x000000007425B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f9824780
| MD5 | 045726669f3b5d66049ff4d9c397e816 |
| SHA1 | 26d79181e0d08aa824d734c4efbc4c10628b66e5 |
| SHA256 | 8f7975598a05f4937a7259eacd68fa46e6cc875830eecdef8fe593a23b31c5c8 |
| SHA512 | eae64a98109f8a16881049d126f6f518ab17770a6052a5ff6ba97892417aea07a18e4289afe547995904bc1245a5dc1e06069c4ba1157ab46844362cb0ccf3b9 |
memory/1540-47-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp
memory/1540-49-0x00000000740E0000-0x000000007425B000-memory.dmp
memory/3488-51-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp
memory/3488-52-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-54-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-55-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-56-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-57-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-58-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-59-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-60-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-61-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-62-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-63-0x0000000000400000-0x0000000000484000-memory.dmp