Malware Analysis Report

2024-12-07 03:35

Sample ID 241113-h7v71sxfqk
Target IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
SHA256 4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d
Tags
discovery remcos lonewolf collection persistence rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d

Threat Level: Known bad

The file IMG635673567357735773573757875883587935775753Bjlkeloftet.exe was found to be: Known bad.

Malicious Activity Summary

discovery remcos lonewolf collection persistence rat spyware stealer

Remcos

Remcos family

NirSoft WebBrowserPassView

Detected Nirsoft tools

NirSoft MailPassView

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-13 07:23

Signatures

Unsigned PE


NSIS installer

installer

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-13 07:23
Reported 2024-11-13 07:25
Platform win7-20241010-en
Max time kernel 117s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe

"C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 528

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted 2024-11-13 07:23
Reported 2024-11-13 07:25
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools


NirSoft MailPassView


NirSoft WebBrowserPassView


Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Vaskegthed.exe" C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3960 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
PID 4340 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
PID 4340 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
PID 4340 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe

Processes

C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe

"C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"

C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe

"C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"

C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe

C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe /stext "C:\Users\Admin\AppData\Local\Temp\zjpcrldjmye"

C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe

C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe /stext "C:\Users\Admin\AppData\Local\Temp\bduvseokagwgjd"

C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe

C:\Users\Admin\AppData\Local\Temp\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe /stext "C:\Users\Admin\AppData\Local\Temp\lfiftwyeoooltjijj"

Network


Files


Analysis: behavioral3

Detonation Overview

Submitted 2024-11-13 07:23
Reported 2024-11-13 07:25
Platform win7-20240903-en
Max time kernel 118s
Max time network 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted 2024-11-13 07:23
Reported 2024-11-13 07:25
Platform win10v2004-20241007-en
Max time kernel 95s
Max time network 145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 612

Network


Files

N/A