Malware Analysis Report

2025-04-03 14:27

Sample ID 241216-thcj6avjhx
Target Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
SHA256 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
Tags
guloader remcos remotehost discovery downloader rat collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53

Threat Level: Known bad

The file Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe was found to be: Known bad.

Malicious Activity Summary

guloader remcos remotehost discovery downloader rat collection spyware stealer

Guloader family

Guloader,Cloudeye

Remcos

Remcos family

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook accounts

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-16 16:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 16:03

Reported

2024-12-16 16:05

Platform

win7-20240729-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Remcos family

remcos

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2308 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2308 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2308 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2308 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2308 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"

C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"

Network

Country Destination Domain Proto
US 66.63.187.30:80 66.63.187.30 tcp
US 162.251.122.87:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nseCFB0.tmp

MD5 16d513397f3c1f8334e8f3e4fc49828f
SHA1 4ee15afca81ca6a13af4e38240099b730d6931f0
SHA256 d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36
SHA512 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

\Users\Admin\AppData\Local\Temp\nstCFC0.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

C:\Users\Admin\AppData\Local\Temp\nszD030.tmp

MD5 33714fd37d9159cf4911fe47896b9e69
SHA1 77c9ddfb1cd8e4a9a0a9131d0d21ebac0ef57611
SHA256 8eda392d2cd028b1a3385ff7673cade57e402248db7fe7eb192e8d6b0d8f78a2
SHA512 e4abaa9b5e706647dfe0174daa5164d0464f7ee971c5ee2983e28a4d2062eda2d0d9468340ebdbe6110b33958a9b3256757c3e5557b3ef617fe76ce576b8ba0a

C:\Users\Admin\AppData\Local\Temp\nsoCFF0.tmp

MD5 5d04a35d3950677049c7a0cf17e37125
SHA1 cafdd49a953864f83d387774b39b2657a253470f
SHA256 a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512 c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

C:\Users\Admin\AppData\Local\Temp\nszD11C.tmp

MD5 f15bfdebb2df02d02c8491bde1b4e9bd
SHA1 93bd46f57c3316c27cad2605ddf81d6c0bde9301
SHA256 c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
SHA512 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

C:\ProgramData\remcos\logs.dat

MD5 a3d9985e6f575d0d69a891f9c2830623
SHA1 1ac35562a33f3844048d33a707c8b7d87836fb4c
SHA256 477d7f35e97e945a5f6b43c2f6597668603cf4380b971886d8b7bc42591f9dbb
SHA512 4302c016736d76399da7435e72bc3c28feac527797ea280049df57f6da9ccdbf9712512f733ca930ab402a4f336f80ce06e10201cd2777115522c8fa74ef3aa2

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 16:03

Reported

2024-12-16 16:05

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4944 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 4944 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 4944 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 4944 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 4944 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2324 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2324 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2324 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2324 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2324 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2324 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2324 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2324 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
PID 2324 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"

C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"

C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fxjokfizxtiosoxdnqdmbonrzfwsfxifl"

C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\paozcx"

C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\auusdqeuz"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 66.63.187.30:80 66.63.187.30 tcp
US 8.8.8.8:53 30.187.63.66.in-addr.arpa udp
US 162.251.122.87:2404 tcp
US 8.8.8.8:53 87.122.251.162.in-addr.arpa udp
US 162.251.122.87:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nszC333.tmp

MD5 433fcfa8e075cbbb3370cb2f6c4658da
SHA1 c7926411bd50f5556bfbea60e7d81931e1aad868
SHA256 ccaabed14663822955f3eed5f5ebac067cbb8c0ff9734a67d30fb94a14826237
SHA512 1306f8e4430ed4e981b775409e14d7f927aa630c2bf89b42949fd9ba11b6aceaba61d2bebc925ebc4a7fb4ac2f9add8677f2f579b591639c0b5950fa68f64ee0

C:\Users\Admin\AppData\Local\Temp\nszC333.tmp

MD5 a82a5da452642ddab3a7ee07f7c408df
SHA1 cf937f2e7e57c21beaf57a2b7e0c4b77f37c63f7
SHA256 84911471a6124a186d240b3b67eed83ba5a0a7cb911eefc790712d936c83d568
SHA512 73ed822f62f762e6e8902b4a5c31ea9a0501926d2dd512f5e5285d39fa8b31e82e61294c99c341e0f2046d0cb0351396e8d97afc0ddc71d37c9b680cf757f5a0

C:\Users\Admin\AppData\Local\Temp\nszC333.tmp

MD5 bc970bd8ec8acf8ac1ada9e444673a39
SHA1 6c03dfa1c2595129e8e0e2428fceb0f2df7f82a7
SHA256 0092de36b51381e4fe5e613bdbae906f0c6e8691fec4a93f82b876f1af826648
SHA512 c3fc2d8b396b6753759b532bb9e91d015a039476ec2cf8abcd4c6d4d32b9305146752743692486bd4e3984325a7e9c6db0ff4d902c2879993789573f9cdca3b0

C:\Users\Admin\AppData\Local\Temp\nszC333.tmp

MD5 16d513397f3c1f8334e8f3e4fc49828f
SHA1 4ee15afca81ca6a13af4e38240099b730d6931f0
SHA256 d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36
SHA512 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

C:\Users\Admin\AppData\Local\Temp\nseC3A1.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

C:\Users\Admin\AppData\Local\Temp\nsuC3B2.tmp

MD5 f55b9d6e5f20db4066c68219d6cc7244
SHA1 b3a70fc3ea2da60d58274d9466a88a1e57926356
SHA256 9c2c033694acd2ee629918b688ee91e0032e6d2fa5cbb6b39a13e50024e73e01
SHA512 35bde19664ead683e639f42ed8447eab5bac8a1ac873efde467439e0631e3ece634b90e25140e62f46189df57f5c8fb6af44a8062ca9750514f8571d5860f2e1

C:\Users\Admin\AppData\Local\Temp\nsuC3B2.tmp

MD5 8c367f7037d83ec5fc0be4bcd16dba9d
SHA1 0efc8b29b482afae9aaceef0d80a138ab9b527a9
SHA256 6f470f6196119f505cd2d1b132c50c06fd6522bbd6ffc95b992212093221b637
SHA512 356e4ee6b5572b174084957b61e2aaea850486e2c087b87019bcb7565013d86aadffdc1f3e70ec4c77be108519ce312a2db1896584a738d631c190c03f5fec56

C:\Users\Admin\AppData\Local\Temp\nsuC3B2.tmp

MD5 749841d5d4f33aa61da2072ca8c75d85
SHA1 ed779369af6004bb662353a1a1688de21c9d5964
SHA256 05ec837bf0f57ead1b3fae5bec24f103831be6946eda1fe4cec3700ae019b117
SHA512 07884f39b2b1646dbad182d39167df36cb86fd3751b5c125b84ab3b3594dd0f6884d73f7f65d099e2874a0a73f8a76d7610b3ab30e174945a70073176e07b886

C:\Users\Admin\AppData\Local\Temp\nsuC3B2.tmp

MD5 088d509592627d226179707a88a1f4ee
SHA1 8c03f8a469d4dc4e7f65da8daa8c0e9cdebbe9f4
SHA256 7938b90dbe50e63bd3bc2b7ae77d43ba7c01c15354ab01f9a0b63ebac56b796d
SHA512 f36c70cbb4dbb09a8081b472ceb712b983a676d5a34dc19ec4d0d95126c4e6b80cdd66640e304eb35445503255c9aac22edf386bf6782151844e8df4e1874d5f

C:\Users\Admin\AppData\Local\Temp\nsuC3B2.tmp

MD5 5d04a35d3950677049c7a0cf17e37125
SHA1 cafdd49a953864f83d387774b39b2657a253470f
SHA256 a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512 c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

C:\Users\Admin\AppData\Local\Temp\nsuC401.tmp

MD5 fee1a5ccd345e931c7fa183fb90669c8
SHA1 feccc85f260d7ceb016fedf3546a22073b58cce0
SHA256 10112c27d1a291095f738b379cb8fbea6acdd2419ff4e44981f4a8df7ff8466e
SHA512 0076356776acd6c645ae954b6c1c70e60fb555f02daf1e1ff9c639c1bdf74afa80926d6482cb9669aba46db082180af05615ab149708070c48043324478d1289

C:\Users\Admin\AppData\Local\Temp\nsuC401.tmp

MD5 44f5faa6c32983c85a139e1a0263c602
SHA1 027ea1b136e708edbe28aadcfcc9fe02468175d2
SHA256 d7824479f1abbfbe5a5b2386ae7bf867746adbb62eb2df88b92037c2d1e9a431
SHA512 2394ef0bf4670037dda86caf4254d68942500e626d556aa69b8b9bf24f3e7be5838be6c108e4933362008b34561e530e5d15badffe9b322e17b92231d4f18c37

C:\Users\Admin\AppData\Local\Temp\nsuC401.tmp

MD5 33714fd37d9159cf4911fe47896b9e69
SHA1 77c9ddfb1cd8e4a9a0a9131d0d21ebac0ef57611
SHA256 8eda392d2cd028b1a3385ff7673cade57e402248db7fe7eb192e8d6b0d8f78a2
SHA512 e4abaa9b5e706647dfe0174daa5164d0464f7ee971c5ee2983e28a4d2062eda2d0d9468340ebdbe6110b33958a9b3256757c3e5557b3ef617fe76ce576b8ba0a

C:\Users\Admin\AppData\Local\Temp\nsuC450.tmp

MD5 24c65563d17054b07c6135e87a53cffd
SHA1 4765777312bf6c4c7272e61b4dbbce3202bb2d68
SHA256 e145085a50e8790798362058aa0b197b97b8ae38a54ff47ee89fd00dec4f47ce
SHA512 f6419106a5e5d864da20840817f473556140fc982e271380c3eed2a5be03c2dc68fb69ab1b2ba5698dec4ca477377e53c589f9b280faf436dd94767e5d0cb15f

C:\Users\Admin\AppData\Local\Temp\nskC4AF.tmp

MD5 232ea7835f5abeffc769949d0bad82bf
SHA1 d8183e34d3c48afb0f7598a4dc11182218d7e9fe
SHA256 384e1fc0d130aa5cbfa9077f6de89b555e096afb67cd2dd827933b992549e69c
SHA512 e552cc1f310029859899ab726b70ef38c08026af5e0c125c58e9b31005d8c2fd2d636d8bb3aaf8a039aa3450f058c038186da34b63e883e3613049a6df6905e4

C:\Users\Admin\AppData\Local\Temp\nskC4AF.tmp

MD5 2dc5ae451f6175ae513bed5c4714d5ee
SHA1 4f47723723e7643a5b4c67f5f9d68cd834f80a4f
SHA256 180f6fc17f1d6e7d0878868f1643dc8c340f457eac0d6fc3680a95f1f9e7e54e
SHA512 9140fa690eca23bdf03d3058e6527c56cd51089b394ef681979f8e63cdc183fa942aecfd2d1061f50966fb998a5c0999b97b5b3a9af6aff1ce1d4826cfd42887

C:\Users\Admin\AppData\Local\Temp\nskC4AF.tmp

MD5 742d3f392842fd0a5ebecea567c2af34
SHA1 b680bc716a2b53ef6af5edcbf222e6ac2606e1e8
SHA256 c7c952a7580d506f694240eb56e705a182561523c14116ab5aab1c2c87f886bf
SHA512 1642176efc91de80dd89412d982f8c9b1b53a0c96067fdbb70cc04a94c0d37d18caee0bdfab9666930af4e50ad37fdb5335e58c210b67fa59420044d4130aedf

C:\Users\Admin\AppData\Local\Temp\fxjokfizxtiosoxdnqdmbonrzfwsfxifl

MD5 c3c5f2de99b7486f697634681e21bab0
SHA1 00f90d495c0b2b63fde6532e033fdd2ade25633d
SHA256 76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582
SHA512 7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

C:\ProgramData\remcos\logs.dat

MD5 bdd80cd9708c717edc5e82ca37d7130b
SHA1 7c77815d424a1d6529de98124e35335193168bf3
SHA256 799d2b1d8340de661998a59e8383500111140c34e27dc5eb22b1df7405b20f11
SHA512 b2e50cfdbf6fff93d7aaa0e6d06c69d1563adb5c4abdfe81912f6b0f5bbfb1c9877261b68cbb20c12941ada45a4e311610097068cde9e915ea14aec73622f041

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-16 16:03

Reported

2024-12-16 16:05

Platform

win7-20241010-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-16 16:03

Reported

2024-12-16 16:05

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4856 wrote to memory of 4708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4856 wrote to memory of 4708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4856 wrote to memory of 4708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A