Malware Analysis Report

2025-04-03 14:26

Sample ID 241217-x29wjswpcj
Target 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
SHA256 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
Tags
discovery guloader remcos remotehost downloader rat collection spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53

Threat Level: Known bad

The file 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53 was found to be: Known bad.

Malicious Activity Summary

discovery guloader remcos remotehost downloader rat collection spyware stealer

Remcos

Remcos family

Guloader family

Guloader, Cloudeye

Detected Nirsoft tools

NirSoft WebBrowserPassView

NirSoft MailPassView

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-17 19:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-17 19:22

Reported

2024-12-17 19:24

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3088 wrote to memory of 1392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3088 wrote to memory of 1392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3088 wrote to memory of 1392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1392 -ip 1392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 196.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-17 19:22

Reported

2024-12-17 19:24

Platform

win7-20240729-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

Signatures

Guloader family

guloader

Guloader, Cloudeye

downloader guloader

Remcos

rat remcos

Remcos family

remcos

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 2652 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 2652 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 2652 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 2652 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 2652 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 2136 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Windows\SysWOW64\WerFault.exe
PID 2136 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Windows\SysWOW64\WerFault.exe
PID 2136 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Windows\SysWOW64\WerFault.exe
PID 2136 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 700

Network

Country Destination Domain Proto
US 66.63.187.30:80 66.63.187.30 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsyFF28.tmp

\Users\Admin\AppData\Local\Temp\nstFFA6.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nst92.tmp

C:\Users\Admin\AppData\Local\Temp\nsyB2.tmp

C:\Users\Admin\AppData\Local\Temp\nsy239.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-17 19:22

Reported

2024-12-17 19:24

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

Signatures

Guloader family

guloader

Guloader, Cloudeye

downloader guloader

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 468 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 468 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 468 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 468 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 468 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4928 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4928 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4928 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4928 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4928 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4928 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4928 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4928 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4928 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\molyameirzhempnsxvql"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\xiqrbfpbfhzjovjwggdneeg"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\hkvbuxadtprwybxaxrxgprarka"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 66.63.187.30:80 66.63.187.30 tcp
US 8.8.8.8:53 30.187.63.66.in-addr.arpa udp
US 162.251.122.87:2404 tcp
US 8.8.8.8:53 87.122.251.162.in-addr.arpa udp
US 162.251.122.87:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nshBDF3.tmp

C:\Users\Admin\AppData\Local\Temp\nshBE42.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nshBE43.tmp

C:\Users\Admin\AppData\Local\Temp\nsrBE82.tmp

C:\Users\Admin\AppData\Local\Temp\nscBEC2.tmp

C:\Users\Admin\AppData\Local\Temp\nshBF30.tmp

C:\Users\Admin\AppData\Local\Temp\molyameirzhempnsxvql

C:\ProgramData\remcos\logs.dat

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-17 19:22

Reported

2024-12-17 19:24

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 224

Network

N/A

Files

N/A