Analysis Overview
SHA256
7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b
Threat Level: Known bad
The file 7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe was found to be: Known bad.
Malicious Activity Summary
Latentbot family
LatentBot
Remcos
Remcos family
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-08 09:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-08 09:43
Reported
2025-03-08 09:46
Platform
win7-20240729-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
LatentBot
Latentbot family
Remcos
Remcos family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2668 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
"C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obrlHi.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\obrlHi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp"
C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
"C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | oktoviyanto.ddns.net | udp |
| MY | 103.186.117.61:9373 | | tcp |
| US | 8.8.8.8:53 | benhenry2234.zapto.org | udp |
| MY | 103.186.117.61:9373 | | tcp |
| MY | 103.186.117.61:9373 | | tcp |
| MY | 103.186.117.61:9373 | | tcp |
| MY | 103.186.117.61:9373 | | tcp |
| MY | 103.186.117.61:9373 | | tcp |
| MY | 103.186.117.61:9373 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp
| MD5 | acf5f5f5aa64b8f80fb6455f3d165784 |
| SHA1 | b70019a230467f64cce9dabc99b70de0ab4ed775 |
| SHA256 | d73ba41e9e0bb3c115c54377003927da905171d3798c097b760466cd290d2ab2 |
| SHA512 | 2204ccd3c6041bbeed32faa06356375d40150d531cf171129d2b442049684eed2fc7db5b4d925884cb2271693816179bc0e1dde556d4b4c81601d55fc472f26b |
C:\ProgramData\remcos\logs.dat
| MD5 | da790874cffba6fb79b6da884472b3ea |
| SHA1 | 553ba55e889d60869465d70676f34b6d65685d24 |
| SHA256 | db777010fc7e4e4a16f7e2cbb2a5e49556f1a416c33305b65d7fca6fe43b2dfc |
| SHA512 | c4e5e6fbc7b9f7b18b096c02790d27840fca83932d170336fa2720c3facb57ceb8fb31505401996302b13cfd0a1fd44c23361fdd97254abd6e8c340d0cdf9bfb |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-08 09:43
Reported
2025-03-08 09:46
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
LatentBot
Latentbot family
Remcos
Remcos family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2628 set thread context of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
"C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obrlHi.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\obrlHi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAAB7.tmp"
C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
"C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | oktoviyanto.ddns.net | udp |
| MY | 103.186.117.61:9373 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | benhenry2234.zapto.org | udp |
| MY | 103.186.117.61:9373 | | tcp |
| MY | 103.186.117.61:9373 | | tcp |
| MY | 103.186.117.61:9373 | | tcp |
| MY | 103.186.117.61:9373 | | tcp |
| MY | 103.186.117.61:9373 | | tcp |
| MY | 103.186.117.61:9373 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpAAB7.tmp
| MD5 | 350fcc01898078c2ff771b725228c3f3 |
| SHA1 | 0df780a5b7325a1d5bd2f5f1b6a08082ed1230c4 |
| SHA256 | 45aa26bd0d4b917bdbb6aa712730d664bc876dd59f84e108d572df867cc24a19 |
| SHA512 | 129bad9027b33ba436d71a4480a3753e7bcf7c448e4d8bb90143513c95aefe665b7bf69dad2ad7e7eba26209fc3b5c623aa65777c9c58983a75f2723dbc1e545 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1aasaheb.0zm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\ProgramData\remcos\logs.dat
| MD5 | a7113a32d76d07889b4817a9ff3f3f00 |
| SHA1 | b3d5be621cde9dce35506c5f73e964a071a53233 |
| SHA256 | 09a3f1c701854910a22da5a916c17f993c62b2c46263151db9138c7cf9c8a974 |
| SHA512 | c994937f12b11192ef5df81d25c4258fd7e3eb871688ac4309a7ddaff113c1c4a34467069a55daa8d0f3cf00fa9f0a273ccc30fe25e9528266cefbfa9909a97b |