Analysis Overview
SHA256
1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
Threat Level: Known bad
The file 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53 was found to be: Known bad.
Malicious Activity Summary
Remcos
Remcos family
Guloader family
Guloader,Cloudeye
Detected Nirsoft tools
NirSoft WebBrowserPassView
NirSoft MailPassView
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-17 19:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-17 19:22
Reported
2024-12-17 19:24
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
147s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3088 wrote to memory of 1392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3088 wrote to memory of 1392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3088 wrote to memory of 1392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1392 -ip 1392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 616
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-17 19:22
Reported
2024-12-17 19:24
Platform
win7-20240729-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2652 set thread context of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 700
Network
| Country | Destination | Domain | Proto |
| US | 66.63.187.30:80 | 66.63.187.30 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-17 19:22
Reported
2024-12-17 19:24
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\molyameirzhempnsxvql"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\xiqrbfpbfhzjovjwggdneeg"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\hkvbuxadtprwybxaxrxgprarka"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 66.63.187.30:80 | 66.63.187.30 | tcp |
| US | 8.8.8.8:53 | 30.187.63.66.in-addr.arpa | udp |
| US | 162.251.122.87:2404 | N/A | tcp |
| US | 8.8.8.8:53 | 87.122.251.162.in-addr.arpa | udp |
| US | 162.251.122.87:2404 | N/A | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\molyameirzhempnsxvql
C:\ProgramData\remcos\logs.dat
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-17 19:22
Reported
2024-12-17 19:24
Platform
win7-20240903-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 224