Analysis Overview
SHA256
1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
Threat Level: Known bad
The file Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe was found to be: Known bad.
Malicious Activity Summary
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Reads user/profile data of web browsers
Loads dropped DLL
Accesses Microsoft Outlook accounts
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-16 16:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-16 16:03
Reported
2024-12-16 16:05
Platform
win7-20240729-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2308 set thread context of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"
C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"
Network
| Country | Destination | Domain | Proto |
| US | 66.63.187.30:80 | 66.63.187.30 | tcp |
| US | 162.251.122.87:2404 | tcp | |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nseCFB0.tmp
| MD5 | 16d513397f3c1f8334e8f3e4fc49828f |
| SHA1 | 4ee15afca81ca6a13af4e38240099b730d6931f0 |
| SHA256 | d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36 |
| SHA512 | 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3 |
\Users\Admin\AppData\Local\Temp\nstCFC0.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
C:\Users\Admin\AppData\Local\Temp\nszD030.tmp
| MD5 | 33714fd37d9159cf4911fe47896b9e69 |
| SHA1 | 77c9ddfb1cd8e4a9a0a9131d0d21ebac0ef57611 |
| SHA256 | 8eda392d2cd028b1a3385ff7673cade57e402248db7fe7eb192e8d6b0d8f78a2 |
| SHA512 | e4abaa9b5e706647dfe0174daa5164d0464f7ee971c5ee2983e28a4d2062eda2d0d9468340ebdbe6110b33958a9b3256757c3e5557b3ef617fe76ce576b8ba0a |
C:\Users\Admin\AppData\Local\Temp\nsoCFF0.tmp
| MD5 | 5d04a35d3950677049c7a0cf17e37125 |
| SHA1 | cafdd49a953864f83d387774b39b2657a253470f |
| SHA256 | a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266 |
| SHA512 | c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b |
C:\Users\Admin\AppData\Local\Temp\nszD11C.tmp
| MD5 | f15bfdebb2df02d02c8491bde1b4e9bd |
| SHA1 | 93bd46f57c3316c27cad2605ddf81d6c0bde9301 |
| SHA256 | c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043 |
| SHA512 | 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1 |
memory/2308-577-0x0000000004380000-0x0000000005209000-memory.dmp
memory/2308-578-0x0000000076F61000-0x0000000077062000-memory.dmp
memory/2308-579-0x0000000076F60000-0x0000000077109000-memory.dmp
memory/2308-580-0x0000000004380000-0x0000000005209000-memory.dmp
memory/2308-581-0x0000000004380000-0x0000000005209000-memory.dmp
memory/1912-582-0x0000000076F60000-0x0000000077109000-memory.dmp
memory/1912-583-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/1912-588-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/1912-592-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/1912-595-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/1912-598-0x0000000000480000-0x00000000014E2000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | a3d9985e6f575d0d69a891f9c2830623 |
| SHA1 | 1ac35562a33f3844048d33a707c8b7d87836fb4c |
| SHA256 | 477d7f35e97e945a5f6b43c2f6597668603cf4380b971886d8b7bc42591f9dbb |
| SHA512 | 4302c016736d76399da7435e72bc3c28feac527797ea280049df57f6da9ccdbf9712512f733ca930ab402a4f336f80ce06e10201cd2777115522c8fa74ef3aa2 |
memory/1912-601-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/1912-604-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/1912-607-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/1912-610-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/1912-613-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/1912-616-0x0000000000480000-0x00000000014E2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-16 16:03
Reported
2024-12-16 16:05
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"
C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"
C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fxjokfizxtiosoxdnqdmbonrzfwsfxifl"
C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\paozcx"
C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\auusdqeuz"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 66.63.187.30:80 | 66.63.187.30 | tcp |
| US | 8.8.8.8:53 | 30.187.63.66.in-addr.arpa | udp |
| US | 162.251.122.87:2404 | tcp | |
| US | 8.8.8.8:53 | 87.122.251.162.in-addr.arpa | udp |
| US | 162.251.122.87:2404 | tcp | |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nszC333.tmp
| MD5 | 433fcfa8e075cbbb3370cb2f6c4658da |
| SHA1 | c7926411bd50f5556bfbea60e7d81931e1aad868 |
| SHA256 | ccaabed14663822955f3eed5f5ebac067cbb8c0ff9734a67d30fb94a14826237 |
| SHA512 | 1306f8e4430ed4e981b775409e14d7f927aa630c2bf89b42949fd9ba11b6aceaba61d2bebc925ebc4a7fb4ac2f9add8677f2f579b591639c0b5950fa68f64ee0 |
C:\Users\Admin\AppData\Local\Temp\nszC333.tmp
| MD5 | a82a5da452642ddab3a7ee07f7c408df |
| SHA1 | cf937f2e7e57c21beaf57a2b7e0c4b77f37c63f7 |
| SHA256 | 84911471a6124a186d240b3b67eed83ba5a0a7cb911eefc790712d936c83d568 |
| SHA512 | 73ed822f62f762e6e8902b4a5c31ea9a0501926d2dd512f5e5285d39fa8b31e82e61294c99c341e0f2046d0cb0351396e8d97afc0ddc71d37c9b680cf757f5a0 |
C:\Users\Admin\AppData\Local\Temp\nszC333.tmp
| MD5 | bc970bd8ec8acf8ac1ada9e444673a39 |
| SHA1 | 6c03dfa1c2595129e8e0e2428fceb0f2df7f82a7 |
| SHA256 | 0092de36b51381e4fe5e613bdbae906f0c6e8691fec4a93f82b876f1af826648 |
| SHA512 | c3fc2d8b396b6753759b532bb9e91d015a039476ec2cf8abcd4c6d4d32b9305146752743692486bd4e3984325a7e9c6db0ff4d902c2879993789573f9cdca3b0 |
C:\Users\Admin\AppData\Local\Temp\nszC333.tmp
| MD5 | 16d513397f3c1f8334e8f3e4fc49828f |
| SHA1 | 4ee15afca81ca6a13af4e38240099b730d6931f0 |
| SHA256 | d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36 |
| SHA512 | 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3 |
C:\Users\Admin\AppData\Local\Temp\nseC3A1.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
C:\Users\Admin\AppData\Local\Temp\nsuC3B2.tmp
| MD5 | f55b9d6e5f20db4066c68219d6cc7244 |
| SHA1 | b3a70fc3ea2da60d58274d9466a88a1e57926356 |
| SHA256 | 9c2c033694acd2ee629918b688ee91e0032e6d2fa5cbb6b39a13e50024e73e01 |
| SHA512 | 35bde19664ead683e639f42ed8447eab5bac8a1ac873efde467439e0631e3ece634b90e25140e62f46189df57f5c8fb6af44a8062ca9750514f8571d5860f2e1 |
C:\Users\Admin\AppData\Local\Temp\nsuC3B2.tmp
| MD5 | 8c367f7037d83ec5fc0be4bcd16dba9d |
| SHA1 | 0efc8b29b482afae9aaceef0d80a138ab9b527a9 |
| SHA256 | 6f470f6196119f505cd2d1b132c50c06fd6522bbd6ffc95b992212093221b637 |
| SHA512 | 356e4ee6b5572b174084957b61e2aaea850486e2c087b87019bcb7565013d86aadffdc1f3e70ec4c77be108519ce312a2db1896584a738d631c190c03f5fec56 |
C:\Users\Admin\AppData\Local\Temp\nsuC3B2.tmp
| MD5 | 749841d5d4f33aa61da2072ca8c75d85 |
| SHA1 | ed779369af6004bb662353a1a1688de21c9d5964 |
| SHA256 | 05ec837bf0f57ead1b3fae5bec24f103831be6946eda1fe4cec3700ae019b117 |
| SHA512 | 07884f39b2b1646dbad182d39167df36cb86fd3751b5c125b84ab3b3594dd0f6884d73f7f65d099e2874a0a73f8a76d7610b3ab30e174945a70073176e07b886 |
C:\Users\Admin\AppData\Local\Temp\nsuC3B2.tmp
| MD5 | 088d509592627d226179707a88a1f4ee |
| SHA1 | 8c03f8a469d4dc4e7f65da8daa8c0e9cdebbe9f4 |
| SHA256 | 7938b90dbe50e63bd3bc2b7ae77d43ba7c01c15354ab01f9a0b63ebac56b796d |
| SHA512 | f36c70cbb4dbb09a8081b472ceb712b983a676d5a34dc19ec4d0d95126c4e6b80cdd66640e304eb35445503255c9aac22edf386bf6782151844e8df4e1874d5f |
C:\Users\Admin\AppData\Local\Temp\nsuC3B2.tmp
| MD5 | 5d04a35d3950677049c7a0cf17e37125 |
| SHA1 | cafdd49a953864f83d387774b39b2657a253470f |
| SHA256 | a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266 |
| SHA512 | c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b |
C:\Users\Admin\AppData\Local\Temp\nsuC401.tmp
| MD5 | fee1a5ccd345e931c7fa183fb90669c8 |
| SHA1 | feccc85f260d7ceb016fedf3546a22073b58cce0 |
| SHA256 | 10112c27d1a291095f738b379cb8fbea6acdd2419ff4e44981f4a8df7ff8466e |
| SHA512 | 0076356776acd6c645ae954b6c1c70e60fb555f02daf1e1ff9c639c1bdf74afa80926d6482cb9669aba46db082180af05615ab149708070c48043324478d1289 |
C:\Users\Admin\AppData\Local\Temp\nsuC401.tmp
| MD5 | 44f5faa6c32983c85a139e1a0263c602 |
| SHA1 | 027ea1b136e708edbe28aadcfcc9fe02468175d2 |
| SHA256 | d7824479f1abbfbe5a5b2386ae7bf867746adbb62eb2df88b92037c2d1e9a431 |
| SHA512 | 2394ef0bf4670037dda86caf4254d68942500e626d556aa69b8b9bf24f3e7be5838be6c108e4933362008b34561e530e5d15badffe9b322e17b92231d4f18c37 |
C:\Users\Admin\AppData\Local\Temp\nsuC401.tmp
| MD5 | 33714fd37d9159cf4911fe47896b9e69 |
| SHA1 | 77c9ddfb1cd8e4a9a0a9131d0d21ebac0ef57611 |
| SHA256 | 8eda392d2cd028b1a3385ff7673cade57e402248db7fe7eb192e8d6b0d8f78a2 |
| SHA512 | e4abaa9b5e706647dfe0174daa5164d0464f7ee971c5ee2983e28a4d2062eda2d0d9468340ebdbe6110b33958a9b3256757c3e5557b3ef617fe76ce576b8ba0a |
C:\Users\Admin\AppData\Local\Temp\nsuC450.tmp
| MD5 | 24c65563d17054b07c6135e87a53cffd |
| SHA1 | 4765777312bf6c4c7272e61b4dbbce3202bb2d68 |
| SHA256 | e145085a50e8790798362058aa0b197b97b8ae38a54ff47ee89fd00dec4f47ce |
| SHA512 | f6419106a5e5d864da20840817f473556140fc982e271380c3eed2a5be03c2dc68fb69ab1b2ba5698dec4ca477377e53c589f9b280faf436dd94767e5d0cb15f |
C:\Users\Admin\AppData\Local\Temp\nskC4AF.tmp
| MD5 | 232ea7835f5abeffc769949d0bad82bf |
| SHA1 | d8183e34d3c48afb0f7598a4dc11182218d7e9fe |
| SHA256 | 384e1fc0d130aa5cbfa9077f6de89b555e096afb67cd2dd827933b992549e69c |
| SHA512 | e552cc1f310029859899ab726b70ef38c08026af5e0c125c58e9b31005d8c2fd2d636d8bb3aaf8a039aa3450f058c038186da34b63e883e3613049a6df6905e4 |
C:\Users\Admin\AppData\Local\Temp\nskC4AF.tmp
| MD5 | 2dc5ae451f6175ae513bed5c4714d5ee |
| SHA1 | 4f47723723e7643a5b4c67f5f9d68cd834f80a4f |
| SHA256 | 180f6fc17f1d6e7d0878868f1643dc8c340f457eac0d6fc3680a95f1f9e7e54e |
| SHA512 | 9140fa690eca23bdf03d3058e6527c56cd51089b394ef681979f8e63cdc183fa942aecfd2d1061f50966fb998a5c0999b97b5b3a9af6aff1ce1d4826cfd42887 |
C:\Users\Admin\AppData\Local\Temp\nskC4AF.tmp
| MD5 | 742d3f392842fd0a5ebecea567c2af34 |
| SHA1 | b680bc716a2b53ef6af5edcbf222e6ac2606e1e8 |
| SHA256 | c7c952a7580d506f694240eb56e705a182561523c14116ab5aab1c2c87f886bf |
| SHA512 | 1642176efc91de80dd89412d982f8c9b1b53a0c96067fdbb70cc04a94c0d37d18caee0bdfab9666930af4e50ad37fdb5335e58c210b67fa59420044d4130aedf |
memory/4944-575-0x0000000004A10000-0x0000000005899000-memory.dmp
memory/4944-576-0x0000000077201000-0x0000000077321000-memory.dmp
memory/4944-577-0x0000000010004000-0x0000000010005000-memory.dmp
memory/4944-579-0x0000000004A10000-0x0000000005899000-memory.dmp
memory/2324-580-0x00000000016E0000-0x0000000002569000-memory.dmp
memory/4944-578-0x0000000004A10000-0x0000000005899000-memory.dmp
memory/2324-581-0x0000000077288000-0x0000000077289000-memory.dmp
memory/2324-582-0x00000000016E0000-0x0000000002569000-memory.dmp
memory/2324-583-0x00000000772A5000-0x00000000772A6000-memory.dmp
memory/2324-584-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/2324-585-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/2324-589-0x0000000077201000-0x0000000077321000-memory.dmp
memory/4356-592-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4356-598-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2008-599-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1172-608-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4356-607-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1172-604-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2008-602-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1172-601-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1172-600-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2008-597-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4356-596-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2008-595-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1172-610-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4356-615-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fxjokfizxtiosoxdnqdmbonrzfwsfxifl
| MD5 | c3c5f2de99b7486f697634681e21bab0 |
| SHA1 | 00f90d495c0b2b63fde6532e033fdd2ade25633d |
| SHA256 | 76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582 |
| SHA512 | 7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8 |
memory/2324-620-0x0000000033660000-0x0000000033679000-memory.dmp
memory/2324-617-0x0000000033660000-0x0000000033679000-memory.dmp
memory/2324-621-0x0000000033660000-0x0000000033679000-memory.dmp
memory/2324-622-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/2324-625-0x0000000000480000-0x00000000016D4000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | bdd80cd9708c717edc5e82ca37d7130b |
| SHA1 | 7c77815d424a1d6529de98124e35335193168bf3 |
| SHA256 | 799d2b1d8340de661998a59e8383500111140c34e27dc5eb22b1df7405b20f11 |
| SHA512 | b2e50cfdbf6fff93d7aaa0e6d06c69d1563adb5c4abdfe81912f6b0f5bbfb1c9877261b68cbb20c12941ada45a4e311610097068cde9e915ea14aec73622f041 |
memory/2324-628-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/2324-631-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/2324-634-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/2324-637-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/2324-640-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/2324-652-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/2324-655-0x0000000000480000-0x00000000016D4000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-16 16:03
Reported
2024-12-16 16:05
Platform
win7-20241010-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-16 16:03
Reported
2024-12-16 16:05
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
139s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4856 wrote to memory of 4708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4856 wrote to memory of 4708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4856 wrote to memory of 4708 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |