Malware Analysis Report

2025-04-03 14:27

Sample ID 241216-sn1y9stlcy
Target Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
SHA256 6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4
Tags
discovery guloader remcos remotehost collection downloader rat spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe was found to be: Known bad.

Malicious Activity Summary

discovery guloader remcos remotehost collection downloader rat spyware stealer

Guloader family

Guloader,Cloudeye

Remcos

Remcos family

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-16 15:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-16 15:17

Reported

2024-12-16 15:19

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 4240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4556 wrote to memory of 4240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4556 wrote to memory of 4240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4240 -ip 4240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 15:17

Reported

2024-12-16 15:19

Platform

win7-20240903-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2236 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2236 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2236 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2236 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2236 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 2508 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe"

C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe"

C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zqvyxyuqzcyyluzdptcmjuydbbhzj"

C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bsbqyqfrnkqlvivhgexntztmchzikkjj"

C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mmgb"

Network

Country Destination Domain Proto
US 66.63.187.30:80 66.63.187.30 tcp
US 162.251.122.87:2404 tcp
US 162.251.122.87:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsdC257.tmp

MD5 16d513397f3c1f8334e8f3e4fc49828f
SHA1 4ee15afca81ca6a13af4e38240099b730d6931f0
SHA256 d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36
SHA512 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

\Users\Admin\AppData\Local\Temp\nsjC314.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

C:\Users\Admin\AppData\Local\Temp\nsjC315.tmp

MD5 5d04a35d3950677049c7a0cf17e37125
SHA1 cafdd49a953864f83d387774b39b2657a253470f
SHA256 a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512 c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

memory/2236-577-0x0000000003EE0000-0x0000000004ABF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Settings.ini

MD5 87c38dc6ef4616ff016d1ccc1a793086
SHA1 afc6434aaad4fb1a250af0d167dab718da10b4af
SHA256 781c527a7a89fdbfa481bf8800e255dc1b69e47b2b68040dc39103c114e31849
SHA512 cc8ef7d9c98fb663c79a4a00fd68344f7aa3dba27d68b3aef463c758a74aebf8190c8a9532fe91bc7db32e78ff2c48c43230f03da226f9a9ef288324efebf0fe

C:\Users\Admin\AppData\Local\Temp\nstC356.tmp

MD5 f15bfdebb2df02d02c8491bde1b4e9bd
SHA1 93bd46f57c3316c27cad2605ddf81d6c0bde9301
SHA256 c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
SHA512 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

C:\Users\Admin\AppData\Local\Temp\nsdC345.tmp

MD5 4ff83567cd3f682cb62e957f312f61a0
SHA1 5bb6b4b35e74fb335211813b25025166939ddf10
SHA256 9a2382a1ededef09ef70d6dfcea50be1594799e518a9f89c111875301539a2ae
SHA512 e7fbb21a2eaee93f4f607b77476c8605a7233cb16c0ef576fac05235252c5a0dab338277749a9a38babf9163d9d582d481e2a739ebbb578bfb3b813fc36a678e

C:\Users\Admin\AppData\Local\Temp\nsyC325.tmp

MD5 df8379d971f8775d91cd01506f558897
SHA1 e28ff2839b7cf171ce3540cb2de64fa18db9b12c
SHA256 ae63da186497c9240a3af76e8e52198426c3492aa7dcc62e8910405ef981ecec
SHA512 ac091f635bc253fed0c5c9e516f4e58968033793c66b2ec3e5ed31aa42d63667d85f1661ca6fbe8cfc28ad59b07d903556987c7f79aa59610934c3d6f6f60f02

memory/2236-578-0x0000000076E11000-0x0000000076F12000-memory.dmp

memory/2236-579-0x0000000076E10000-0x0000000076FB9000-memory.dmp

memory/2236-581-0x0000000003EE0000-0x0000000004ABF000-memory.dmp

memory/2508-580-0x0000000076E10000-0x0000000076FB9000-memory.dmp

memory/2508-582-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2508-586-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2508-588-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/276-594-0x0000000000400000-0x0000000000462000-memory.dmp

memory/904-605-0x0000000000400000-0x0000000000424000-memory.dmp

memory/904-608-0x0000000000400000-0x0000000000424000-memory.dmp

memory/904-607-0x0000000000400000-0x0000000000424000-memory.dmp

memory/276-606-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1660-604-0x0000000076E10000-0x0000000076FB9000-memory.dmp

memory/904-603-0x0000000000400000-0x0000000000424000-memory.dmp

memory/276-602-0x0000000076E10000-0x0000000076FB9000-memory.dmp

memory/904-601-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1660-600-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1660-599-0x0000000000400000-0x0000000000478000-memory.dmp

memory/276-598-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1660-597-0x0000000000400000-0x0000000000478000-memory.dmp

memory/276-596-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zqvyxyuqzcyyluzdptcmjuydbbhzj

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1660-614-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2508-617-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/276-619-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2508-624-0x0000000032D80000-0x0000000032D99000-memory.dmp

memory/2508-625-0x0000000032D80000-0x0000000032D99000-memory.dmp

memory/2508-621-0x0000000032D80000-0x0000000032D99000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 727899531485eb2836e70a9831f804d3
SHA1 dda21bc2fce631260779c35e39cf02903471c7b1
SHA256 5ef47fe77ab87f899ed4519afe5056bb0959fae4721d5c93096ac2767a684fec
SHA512 9617b45e0ba46b35ede0cc09bd9ff6688dec4cb91d8983d7ff68a7d545bb4b6ca7367d51ce411381e0a12c8560062f961f6fed9a1a84f207e58147f584f1e632

memory/2508-627-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2508-631-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2508-633-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2508-636-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2508-639-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2508-642-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2508-645-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2508-648-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2508-654-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2508-657-0x0000000000480000-0x00000000014E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 15:17

Reported

2024-12-16 15:19

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3560 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 3560 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 3560 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 3560 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 3560 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 4608 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 4608 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 4608 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 4608 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 4608 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 4608 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 4608 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 4608 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe
PID 4608 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe"

C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe"

C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mssu"

C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xuyfikhp"

C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe

"C:\Users\Admin\AppData\Local\Temp\Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zpdxjcsipfa"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 66.63.187.30:80 66.63.187.30 tcp
US 8.8.8.8:53 30.187.63.66.in-addr.arpa udp
US 162.251.122.87:2404 tcp
US 162.251.122.87:2404 tcp
US 8.8.8.8:53 87.122.251.162.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nst8EC5.tmp

MD5 50484c19f1afdaf3841a0d821ed393d2
SHA1 c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b
SHA256 6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c
SHA512 d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

C:\Users\Admin\AppData\Local\Temp\nst8EC5.tmp

MD5 9b63af13344f6ef82f01f463737f3a43
SHA1 8d8b471641cae2462b39fa096c26475167bbf274
SHA256 8b0454c42dded71d9ee62354260d89e0565bb803a300bb2c49c9dd50fd2d1c4b
SHA512 708585072fc9f56b68a2737726b580347861fc188d60b19e59d9b6b4a9fcd25e39a972254146f97d4aee32fc9502546c5da2803b027222f70de6d223e93db674

C:\Users\Admin\AppData\Local\Temp\nst8EC5.tmp

MD5 2598d3e10bec5798f73f49de505a8514
SHA1 4431b20a112e277250649a917f846a6627870a60
SHA256 08643cfe1a514214ae4175809b7eadbc0bff209e07adf091e91748dccf9ca874
SHA512 83687d6fb3238184b92f04cc70e54ede282d56e34f67781db6c4dfd9529cab30ba15d9ca3059b68f9d82eb87a8d6432e80ba0779d1438c1df861b0bb30905f24

C:\Users\Admin\AppData\Local\Temp\nst8EC5.tmp

MD5 16d513397f3c1f8334e8f3e4fc49828f
SHA1 4ee15afca81ca6a13af4e38240099b730d6931f0
SHA256 d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36
SHA512 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

C:\Users\Admin\AppData\Local\Temp\nsi8F24.tmp

MD5 2b3884fe02299c565e1c37ee7ef99293
SHA1 d8e2ef2a52083f6df210109fea53860ea227af9c
SHA256 ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858
SHA512 aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

C:\Users\Admin\AppData\Local\Temp\nsi8F23.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

C:\Users\Admin\AppData\Local\Temp\nsi8F24.tmp

MD5 60f65c2cd21dde8cc4ce815633d832e0
SHA1 c1196320458557d8c4f65ba6810953b1037a822b
SHA256 7f0f042b1879b1b8f04a5e6051e577a1e691ec322789c4d98d52494cfd906ce7
SHA512 301ead9a6620deccb0be51bbe4eb760ca9d48d029cded0c6cdc7115a4353f4d9330f2ca92df2519a78a7d5aa24975ca6fa19c0269cc411026739b3f733f8d8f2

C:\Users\Admin\AppData\Local\Temp\nsi8F24.tmp

MD5 3d4b43e24f8a5cb80bba86e69735e146
SHA1 caaa79191da01e6cdd282f084dd7299c54a57dfe
SHA256 54f4b8891dda2b1f31a6b798b8ef5e253f79173727341309c86f50191584a3eb
SHA512 6d34fba9a130aaff8dba31f64f7f0c4168134092428661adf9906826e39d497754927a479dcfe0809101b6da0a1d7c08cbb53ccc74c371edbf01c054c7bce4a2

C:\Users\Admin\AppData\Local\Temp\nsi8F24.tmp

MD5 288ddaeead52cc6f01034b0ca08e313d
SHA1 849306d8ccc2366251d6dbb07ba2447f800b121e
SHA256 5a3785d2999bdf1992068d247a71a7acc4946c13f17c880635dfa9e48fd2eb2e
SHA512 6101434e23c1bb35be4691de56dca636e4dd713d6ec9f1815b450af666b858b29a96bdae786be376dc312043ab19a3a88789816bf0023e363a703c551645d650

C:\Users\Admin\AppData\Local\Temp\nsi8F24.tmp

MD5 5d04a35d3950677049c7a0cf17e37125
SHA1 cafdd49a953864f83d387774b39b2657a253470f
SHA256 a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512 c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

C:\Users\Admin\AppData\Local\Temp\nsj8F74.tmp

MD5 c3cb69218b85c3260387fb582cb518dd
SHA1 961c892ded09a4cbb5392097bb845ccba65902ad
SHA256 1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101
SHA512 2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

C:\Users\Admin\AppData\Local\Temp\nsj8F74.tmp

MD5 bb7e44a9ab155210ab3d7a707c164476
SHA1 34cc96f86d6a1ee7fbf049b9e64dbc5bbf333102
SHA256 e92875a6d392be46dc5154fa117aa328d9fc000a782ce97ccc1a7677d098e29f
SHA512 fc5a6eea30fa54fa0cdd09998c03f43ee3b7218f631da61fe84aa8de226c8a9c98fdca6f089c4d3777dd858dd7115f1582877dadfb1a8caba5196d5f20dda7c0

C:\Users\Admin\AppData\Local\Temp\nsj8F74.tmp

MD5 94e9e62262609488f33753426e32d435
SHA1 562c971934fb81a7cbd690dfa6d3b7fcb463bf65
SHA256 7e7b96b7d22dec362c878c10b4d51887ad92aa210fe646e8667de5da82f1e47b
SHA512 5bcb92fefe3f86064ccdbd809fc308cf18e18d47f729a29a8f62b7c2bb9d42fa0376ad72baa1f24131edb6ebbed9284377618e317cbdf9cc88c09fd3a9e3eb38

C:\Users\Admin\AppData\Local\Temp\nsj8F74.tmp

MD5 132233b9e11f90e500762a52a793a875
SHA1 fd5599c8b694cc97ad8d537c6835f214fd27788a
SHA256 fdd905fcc72acfb953ff1a8a514efa2df13e9d181db7962ebd9ef4a325e2aef5
SHA512 26ebdfdddead6b3d197b25af1fb93bd2c9d42d96a7ae18c16870f7aca5cc5237bdef9cc8cb90ad3c0a264279152b0a4a3611cc8f09b207b5c8dadf6d0b099f13

C:\Users\Admin\AppData\Local\Temp\nsj8F74.tmp

MD5 442af9e3cdf3065c44bba4ebc29729a0
SHA1 7bb07055091eaaaaf7e6b4fc9b70adb42337c33e
SHA256 64bd20404625bf73c0bcb13bbc8180c9f573d0583c94105c07505ad44f4eec13
SHA512 06dd9fe340f84d1a2e527c8dc81b7a78c6b8d9e70b8dee63a27d87698be153b87c49993706ae246f643d47d3667c1678b0cb7f6181ecc39d88e34b309daa5f10

C:\Users\Admin\AppData\Local\Temp\nsj8F74.tmp

MD5 df8379d971f8775d91cd01506f558897
SHA1 e28ff2839b7cf171ce3540cb2de64fa18db9b12c
SHA256 ae63da186497c9240a3af76e8e52198426c3492aa7dcc62e8910405ef981ecec
SHA512 ac091f635bc253fed0c5c9e516f4e58968033793c66b2ec3e5ed31aa42d63667d85f1661ca6fbe8cfc28ad59b07d903556987c7f79aa59610934c3d6f6f60f02

C:\Users\Admin\AppData\Local\Temp\nsj8FC3.tmp

MD5 4ff83567cd3f682cb62e957f312f61a0
SHA1 5bb6b4b35e74fb335211813b25025166939ddf10
SHA256 9a2382a1ededef09ef70d6dfcea50be1594799e518a9f89c111875301539a2ae
SHA512 e7fbb21a2eaee93f4f607b77476c8605a7233cb16c0ef576fac05235252c5a0dab338277749a9a38babf9163d9d582d481e2a739ebbb578bfb3b813fc36a678e

C:\Users\Admin\AppData\Local\Temp\nsj8FC3.tmp

MD5 d52de89f9a53448452938d5bef6370af
SHA1 0a5e19717c5f25862231235165135923d3a3f6af
SHA256 8f38876522a41713735c750b50769955e309c3d608811003b6d16ca5f4b80282
SHA512 568e7cdea808709be892eacc59033688c4f7352a395aefbfc618519142136538c6220ca00b10abfc44e34e9d635dd72c5b51eefae2ab2a873149523c425f51f9

C:\Users\Admin\AppData\Local\Temp\nsy9021.tmp

MD5 f15bfdebb2df02d02c8491bde1b4e9bd
SHA1 93bd46f57c3316c27cad2605ddf81d6c0bde9301
SHA256 c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
SHA512 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

memory/3560-575-0x0000000004A10000-0x00000000055EF000-memory.dmp

memory/3560-576-0x0000000077791000-0x00000000778B1000-memory.dmp

memory/3560-577-0x0000000010004000-0x0000000010005000-memory.dmp

memory/3560-578-0x0000000004A10000-0x00000000055EF000-memory.dmp

memory/4608-579-0x00000000016E0000-0x00000000022BF000-memory.dmp

memory/4608-580-0x0000000077791000-0x00000000778B1000-memory.dmp

memory/4608-581-0x0000000077818000-0x0000000077819000-memory.dmp

memory/4608-582-0x0000000077835000-0x0000000077836000-memory.dmp

memory/4608-583-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4608-588-0x0000000077791000-0x00000000778B1000-memory.dmp

memory/4608-587-0x00000000016E0000-0x00000000022BF000-memory.dmp

memory/4608-589-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4608-590-0x0000000077791000-0x00000000778B1000-memory.dmp

memory/4608-594-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/1532-596-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2320-595-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2028-611-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2028-612-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2028-614-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2028-607-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2320-606-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2028-605-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1532-604-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1532-601-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2320-602-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2320-600-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1532-599-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2320-617-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4608-620-0x00000000332A0000-0x00000000332B9000-memory.dmp

memory/4608-624-0x00000000332A0000-0x00000000332B9000-memory.dmp

memory/4608-623-0x00000000332A0000-0x00000000332B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mssu

MD5 60a0bdc1cf495566ff810105d728af4a
SHA1 243403c535f37a1f3d5f307fc3fb8bdd5cbcf6e6
SHA256 fd12da9f9b031f9fa742fa73bbb2c9265f84f49069b7c503e512427b93bce6d2
SHA512 4445f214dbf5a01d703f22a848b56866f3f37b399de503f99d40448dc86459bf49d1fa487231f23c080a559017d72bcd9f6c13562e1f0bd53c1c9a89e73306a5

memory/4608-627-0x0000000000480000-0x00000000016D4000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 789a5b2694430ce6590672c7c86d5c0a
SHA1 2b41f0905dd666a35a6315709112864155d459df
SHA256 84ceb73ba99279f64b6d1419cc187898da212fb752ff6e5e23501ecd8c4c6328
SHA512 a446add776161f289b6ad7f13a4a097040df90bdf8db1c19852be82a629d7e5807817e8890a66e10c66ef22269a28b99d442f8affef23beede12d257de5717e6

memory/4608-630-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4608-633-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4608-636-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4608-639-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4608-642-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4608-645-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4608-647-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4608-650-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4608-653-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4608-657-0x0000000000480000-0x00000000016D4000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-16 15:17

Reported

2024-12-16 15:19

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 224

Network

N/A

Files

N/A