Malware Analysis Report

2025-04-03 14:26

Sample ID 241217-yhwegswkev
Target 6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4
SHA256 6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4
Tags
guloader remcos remotehost collection discovery downloader rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4

Threat Level: Known bad

The file 6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4 was found to be: Known bad.

Malicious Activity Summary

guloader remcos remotehost collection discovery downloader rat spyware stealer

Guloader,Cloudeye

Guloader family

Remcos

Remcos family

NirSoft MailPassView

NirSoft WebBrowserPassView

Detected Nirsoft tools

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-17 19:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-17 19:47

Reported

2024-12-17 19:50

Platform

win7-20240903-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1964 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1964 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1964 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1964 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1964 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1964 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 2908 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\nsuokfchgnmeuhixosxqwaumzynh"

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\xuhhdxniuvejwvebfdkszeovieeicixt"

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\iomz"

Network

Country | Destination | Domain | Proto
US | 66.63.187.30:80 | 66.63.187.30 | tcp
US | 162.251.122.87:2404 | N/A | tcp
US | 162.251.122.87:2404 | N/A | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

\Users\Admin\AppData\Local\Temp\nsyF827.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp

MD5 8ce4b16b22b58894aa86c421e8759df3
SHA1 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c
SHA256 8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a
SHA512 2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp

MD5 25bc6654798eb508fa0b6343212a74fe
SHA1 15d5e1d3b948fd5986aaff7d9419b5e52c75fc93
SHA256 8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc
SHA512 5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp

MD5 4e27f2226785e9abbe046fc592668860
SHA1 28b18a7f383131df509f7191f946a32c5a2e410c
SHA256 01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d
SHA512 2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp

MD5 cde63b34c142af0a38cbe83791c964f8
SHA1 ece2b194b486118b40ad12c1f0e9425dd0672424
SHA256 65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d
SHA512 0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp

MD5 e2fecc970546c3418917879fe354826c
SHA1 63f1c1dd01b87704a6b6c99fd9f141e0a3064f16
SHA256 ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0
SHA512 3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp

MD5 50484c19f1afdaf3841a0d821ed393d2
SHA1 c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b
SHA256 6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c
SHA512 d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp

MD5 67cfa7364c4cf265b047d87ff2e673ae
SHA1 56e27889277981a9b63fcf5b218744a125bbc2fa
SHA256 639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713
SHA512 17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp

MD5 c3cb69218b85c3260387fb582cb518dd
SHA1 961c892ded09a4cbb5392097bb845ccba65902ad
SHA256 1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101
SHA512 2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp

MD5 2b3884fe02299c565e1c37ee7ef99293
SHA1 d8e2ef2a52083f6df210109fea53860ea227af9c
SHA256 ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858
SHA512 aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

C:\Users\Admin\AppData\Local\Temp\nstF8A6.tmp

MD5 9a53fc1d7126c5e7c81bb5c15b15537b
SHA1 e2d13e0fa37de4c98f30c728210d6afafbb2b000
SHA256 a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92
SHA512 b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

memory/1964-577-0x0000000004030000-0x0000000004C0F000-memory.dmp

memory/1964-578-0x0000000076D11000-0x0000000076E12000-memory.dmp

memory/1964-579-0x0000000076D10000-0x0000000076EB9000-memory.dmp

memory/1964-580-0x0000000004030000-0x0000000004C0F000-memory.dmp

memory/1964-581-0x0000000004030000-0x0000000004C0F000-memory.dmp

memory/2908-582-0x0000000076D10000-0x0000000076EB9000-memory.dmp

memory/2908-583-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2908-584-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1380-591-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1240-592-0x0000000000400000-0x0000000000478000-memory.dmp

memory/980-599-0x0000000000400000-0x0000000000424000-memory.dmp

memory/980-602-0x0000000000400000-0x0000000000424000-memory.dmp

memory/980-601-0x0000000000400000-0x0000000000424000-memory.dmp

memory/980-600-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1380-598-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1240-597-0x0000000076D10000-0x0000000076EB9000-memory.dmp

memory/1240-596-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1240-595-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1380-594-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1380-593-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1240-589-0x0000000000400000-0x0000000000478000-memory.dmp

memory/980-605-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1240-610-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsuokfchgnmeuhixosxqwaumzynh

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1380-614-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2908-616-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2908-617-0x0000000033080000-0x0000000033099000-memory.dmp

memory/2908-621-0x0000000033080000-0x0000000033099000-memory.dmp

memory/2908-620-0x0000000033080000-0x0000000033099000-memory.dmp

memory/2908-624-0x0000000000480000-0x00000000014E2000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 d6bc8017fa2d97fda7fff520ad8dd674
SHA1 4b2a94aefd11b284392d804b6b7842073d31e20b
SHA256 53b662f3f47adbf4723ccafcf0cc2d0e0ca63a2040bb00094544046434cd9147
SHA512 a4f8dfc898ade6cf3273f66a6373230742deb2cb7a9b9af78734cfbf1ce41280da94d1c3ed4a7139aebb6ef2b3d85f9dd3833af254eeeb1db343f87e30235752

memory/2908-627-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2908-630-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2908-633-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2908-636-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2908-639-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2908-642-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2908-645-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2908-648-0x0000000000480000-0x00000000014E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-17 19:47

Reported

2024-12-17 19:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4828 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 4828 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 4828 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 4828 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 4828 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1824 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1824 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1824 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1824 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1824 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1824 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1824 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1824 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe
PID 1824 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe | C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

"C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe"

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\rwinsbyuadchbmidwkmayvakevywc"

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\cznfttqwolullswpnuhbbautfjqxvqyz"

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe

C:\Users\Admin\AppData\Local\Temp\6959fb446ee0634e6622e50f0f1b9367bffddf12f8083507cdc0ff39ed50abf4.exe /stext "C:\Users\Admin\AppData\Local\Temp\mtbqu"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 66.63.187.30:80 | 66.63.187.30 | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.187.63.66.in-addr.arpa | udp
US | 162.251.122.87:2404 | N/A | tcp
US | 162.251.122.87:2404 | N/A | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 87.122.251.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\nsvBAF5.tmp

MD5 903e0572b61353c5e9e2f94582bd26d9
SHA1 bf6d18b2607a519c4486e845921b7070e53cb8eb
SHA256 fcc0de8ebc57a00f3f48bc8ba2e93cedc7efe9ecc9600ad63cdd1ba1d6c4fdea
SHA512 3857e85783aa8af1cd075e91729bfd471c3df9d93d944501bf8bd663df9ad1348ee9d81403505851d468beaea9a3ac0ad6799eb4b2e328176c27d32cdf206b94

C:\Users\Admin\AppData\Local\Temp\nsvBAF5.tmp

MD5 814da453daa6269ca4ed4cd15266b28c
SHA1 82981f8c0d5d3ffccbf06fff867f8c3b1aaa454b
SHA256 791004efaa6a41452708fe5db95097b4681e4f4d386e33b8044088b8f736d743
SHA512 3336dbdf67c28567e9cd6a495e2e7d7e7fca21fccdff35b7c84588237829c32f69be5f733cbc3e3bf1614868a3e9e6000c5ff3116b4cc035723c37ca743cb948

C:\Users\Admin\AppData\Local\Temp\nsvBAF5.tmp

MD5 16d513397f3c1f8334e8f3e4fc49828f
SHA1 4ee15afca81ca6a13af4e38240099b730d6931f0
SHA256 d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36
SHA512 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

C:\Users\Admin\AppData\Local\Temp\nsgBB83.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp

MD5 9a53fc1d7126c5e7c81bb5c15b15537b
SHA1 e2d13e0fa37de4c98f30c728210d6afafbb2b000
SHA256 a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92
SHA512 b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp

MD5 749841d5d4f33aa61da2072ca8c75d85
SHA1 ed779369af6004bb662353a1a1688de21c9d5964
SHA256 05ec837bf0f57ead1b3fae5bec24f103831be6946eda1fe4cec3700ae019b117
SHA512 07884f39b2b1646dbad182d39167df36cb86fd3751b5c125b84ab3b3594dd0f6884d73f7f65d099e2874a0a73f8a76d7610b3ab30e174945a70073176e07b886

C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp

MD5 3e930ca30f900b15da4ef96902f9b347
SHA1 92c4cd5b76b9be895152fdb3adcd165192daa552
SHA256 688f5bdbcde116a168af5f0ea57296f14181abe8fb92292eaf11febd498e3d42
SHA512 40bcbeea8dcf22201d275e68be32deadc953a2383f11788947d10aabf4469d61d8e3b86ded7e7369a9d413974d90e628aa1a4a6e6bc2b60c2de20bbd896fd489

C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp

MD5 088d509592627d226179707a88a1f4ee
SHA1 8c03f8a469d4dc4e7f65da8daa8c0e9cdebbe9f4
SHA256 7938b90dbe50e63bd3bc2b7ae77d43ba7c01c15354ab01f9a0b63ebac56b796d
SHA512 f36c70cbb4dbb09a8081b472ceb712b983a676d5a34dc19ec4d0d95126c4e6b80cdd66640e304eb35445503255c9aac22edf386bf6782151844e8df4e1874d5f

C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp

MD5 1aeb67240bc704bf6cc2fa0a6f52a970
SHA1 0d5cbc71d7e606e7f1a68332be8a7a5a7b4be02d
SHA256 bbd283b5a658ac95e8811c820de41f911e7559e982d9378b5b14c3f7cb5ccb6d
SHA512 c64bdb3c49ff5ca422fe5a4a03fac5145072f7cf692addc23e811ce39c25fc7fcb8e15a07fd770eb8d392d86cfc12c3520b080899a4d2c85646c09b181f2b47c

C:\Users\Admin\AppData\Local\Temp\nsvBB93.tmp

MD5 5d04a35d3950677049c7a0cf17e37125
SHA1 cafdd49a953864f83d387774b39b2657a253470f
SHA256 a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512 c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

C:\Users\Admin\AppData\Local\Temp\nslBBF2.tmp

MD5 558ec0e73952eb4a395e7f17eb69221e
SHA1 d1cb97bfc8d9fad9eab7d19e685029b5f7084709
SHA256 4d8a1cb0f83d824cec9e15e4d45605ed2cc92ae959602d0cc8873b0125d4cd74
SHA512 698fb90fadb2b22ce78f874dac04c2f0bf72340d39f135e7736afdb9a9b28c9c55a8c6c9f871676134e6d057a90afc2944d1f1e8a117cc0f7a90c8d9b60c5dbe

C:\Users\Admin\AppData\Local\Temp\nslBBF2.tmp

MD5 adfb82dfa0a66bd7e108a83873cbd4cf
SHA1 caaf90327bb1e7b6731e154351f351bf3a3bb1c4
SHA256 2ba412a038068300e9e4a538ed1d2cfcefa9a1b91f44408785d90a5d838a9228
Analysis: behavioral3

Detonation Overview

Submitted

2024-12-17 19:47

Reported

2024-12-17 19:50

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-17 19:47

Reported

2024-12-17 19:50

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4744 wrote to memory of 4904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4744 wrote to memory of 4904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4744 wrote to memory of 4904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp

Files

N/A