Malware Analysis Report

2024-12-07 03:31

Sample ID 241113-cmlvysxqhl
Target 29db2e73129c1daeb6248f06e8ff6ef9db2b01811309b6849d430aada0384de1.zip
SHA256 29db2e73129c1daeb6248f06e8ff6ef9db2b01811309b6849d430aada0384de1
Tags
remcos new discovery rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29db2e73129c1daeb6248f06e8ff6ef9db2b01811309b6849d430aada0384de1

Threat Level: Known bad

The file 29db2e73129c1daeb6248f06e8ff6ef9db2b01811309b6849d430aada0384de1.zip was found to be: Known bad.

Malicious Activity Summary

remcos new discovery rat upx

Remcos

Remcos family

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2616 set thread context of 2816 N/A C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe C:\Windows\SysWOW64\cmd.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 1908 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 1908 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe C:\Users\Admin\AppData\Roaming\DeAct.exe
PID 2304 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\DeAct.exe C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe
PID 2616 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Roaming\DeAct.exe

"C:\Users\Admin\AppData\Roaming\DeAct.exe"

C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe

C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 gpu.me udp
US 172.67.206.142:80 gpu.me tcp
US 8.8.8.8:53 www.techpowerup.com udp
US 138.199.40.9:443 www.techpowerup.com tcp
FI 95.217.148.142:9001 tcp

Files

\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

\Users\Admin\AppData\Roaming\DeAct.exe

C:\Users\Admin\AppData\Roaming\Qt5Core.dll

C:\Users\Admin\AppData\Roaming\MSVCP140.dll

\Users\Admin\AppData\Roaming\vcruntime140.dll

\Users\Admin\AppData\Roaming\vcruntime140_1.dll

C:\Users\Admin\AppData\Roaming\Qt5Gui.dll

C:\Users\Admin\AppData\Roaming\Qt5Network.dll

C:\Users\Admin\AppData\Roaming\Qt5PrintSupport.dll

C:\Users\Admin\AppData\Roaming\Qt5Widgets.dll

C:\Users\Admin\AppData\Roaming\uarrwmx

C:\Users\Admin\AppData\Roaming\mpidcu

C:\Users\Admin\AppData\Local\Temp\b7ca5048

C:\Users\Admin\AppData\Local\Temp\CabFECB.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3908 set thread context of 1892 N/A C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe C:\Windows\SysWOW64\cmd.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 516 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe
PID 516 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe C:\Users\Admin\AppData\Roaming\DeAct.exe
PID 3088 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Roaming\DeAct.exe C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe
PID 3908 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

"C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe"

C:\Users\Admin\AppData\Roaming\DeAct.exe

"C:\Users\Admin\AppData\Roaming\DeAct.exe"

C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe

C:\Users\Admin\AppData\Roaming\Ultrajava\DeAct.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gpu.me udp
US 104.21.53.3:80 gpu.me tcp
US 8.8.8.8:53 3.53.21.104.in-addr.arpa udp
US 8.8.8.8:53 www.techpowerup.com udp
US 138.199.40.9:443 www.techpowerup.com tcp
US 8.8.8.8:53 9.40.199.138.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
FI 95.217.148.142:9001 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\NVCleanstall_1.16.0\NVCleanstall_1.16.0.exe

C:\Users\Admin\AppData\Roaming\DeAct.exe

C:\Users\Admin\AppData\Roaming\Qt5Gui.dll

C:\Users\Admin\AppData\Roaming\Qt5Core.dll

C:\Users\Admin\AppData\Roaming\Qt5Widgets.dll

C:\Users\Admin\AppData\Roaming\uarrwmx

C:\Users\Admin\AppData\Roaming\mpidcu

C:\Users\Admin\AppData\Roaming\Ultrajava\Qt5PrintSupport.dll

C:\Users\Admin\AppData\Roaming\Ultrajava\vcruntime140_1.dll

C:\Users\Admin\AppData\Roaming\Ultrajava\vcruntime140.dll

C:\Users\Admin\AppData\Roaming\Ultrajava\msvcp140.dll

C:\Users\Admin\AppData\Roaming\Ultrajava\Qt5Network.dll

C:\Users\Admin\AppData\Local\Temp\269bdddc