Malware Analysis Report

2024-12-07 03:17

Sample ID 241114-cv4qqstbne
Target 4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe
SHA256 4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d
Tags
discovery remcos lonewolf persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d

Threat Level: Known bad

The file 4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe was found to be: Known bad.

Malicious Activity Summary

discovery remcos lonewolf persistence rat

Remcos

Remcos family

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 02:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 02:24

Reported

2024-11-14 02:27

Platform

win7-20240903-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe

"C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 528

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 02:24

Reported

2024-11-14 02:27

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Vaskegthed.exe" C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe

"C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe"

C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe

"C:\Users\Admin\AppData\Local\Temp\4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d.exe"

Network


Files

C:\ProgramData\remcos\logs.dat

MD5 504ad3b74590fcbf96940f0a97ea23ec
SHA1 9ef9c893403a9dec1d1fa60d47fe78a2d7cf1f44
SHA256 b11977e3426e6989f0677291c1052abc6cf641f7d740908a0d239005281a0270
SHA512 97a4be8361c0e6fae01fd3dcc729df870f9378baea84b683fcb79dfeadfda5b1beebe0c8d0cc951510e7a17eb8dcc203b30ca144298cdd572686963c33e19bf8


Analysis: behavioral3

Detonation Overview

Submitted

2024-11-14 02:24

Reported

2024-11-14 02:27

Platform

win7-20240708-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-14 02:24

Reported

2024-11-14 02:27

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 624 -ip 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 612

Network


Files

N/A