Windows Analysis Report
4wECQoBvYC.exe

Overview

General Information

Sample name: 4wECQoBvYC.exe
renamed because original name is a hash value
Original sample name: 472cd96b1b5771243c40c10cd034324e.exe
Analysis ID: 1571962
MD5: 472cd96b1b5771243c40c10cd034324e
SHA1: e6544fd71357a36bf5bad454a2662ef3af7a4e03
SHA256: 24c3329fc783efce51593d5e4274008fcff8d86f8df9fd8a47ca0af8df1e031d
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Deletes itself after installation
Drops PE files to the document folder of the user
Drops large PE files
Injects a PE file into a foreign process
Installs a global keyboard hook
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: formationslistcomplet2.sexidude.com Avira URL Cloud: Label: malware
Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack Malware Configuration Extractor: Remcos {"Host:Port:Password": ["formationslistcomplet2.sexidude.com:30201:0"], "Assigned name": "sol4", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "kkdhhcnbvyrmqyodgffgfdds-SO2AWR", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "registro", "Keylog file max size": ""}
Source: 4wECQoBvYC.exe ReversingLabs: Detection: 28%
Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004084F3 lstrcmp,CryptDecodeObject,LocalAlloc,CryptDecodeObject, 0_2_004084F3
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_00408E76 LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCRLContext,CertFreeCRLContext,CertCloseStore,CryptMsgClose, 0_2_00408E76
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_00408636 lstrcmp,CryptDecodeObject,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_00408636
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004086CE lstrcmp,CryptDecodeObject,CryptDecodeObject,LocalAlloc,CryptDecodeObject, 0_2_004086CE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004087AE _strlen,MultiByteToWideChar,CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,CertFindCertificateInStore,_strlen,CertFindCertificateInStore,SystemTimeToFileTime,CertVerifyTimeValidity, 0_2_004087AE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 2_2_000F293A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_004084F3 lstrcmpA,CryptDecodeObject,LocalAlloc,CryptDecodeObject, 2_2_004084F3
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_00408636 lstrcmpA,CryptDecodeObject,FileTimeToLocalFileTime,FileTimeToSystemTime, 2_2_00408636
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_004086CE lstrcmpA,CryptDecodeObject,CryptDecodeObject,LocalAlloc,CryptDecodeObject, 2_2_004086CE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_004087AE _strlen,MultiByteToWideChar,CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,CertFindCertificateInStore,_strlen,CertFindCertificateInStore,SystemTimeToFileTime,CertVerifyTimeValidity, 2_2_004087AE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_00408E76 LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, 2_2_00408E76
Source: 4wECQoBvYC.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C6764 _wcslen,CoGetObject, 2_2_000C6764
Source: 4wECQoBvYC.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000CB335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 2_2_000CB335
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000DB42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 2_2_000DB42F
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000CB53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 2_2_000CB53A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0010D5E9 FindFirstFileExA, 2_2_0010D5E9
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C89A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 2_2_000C89A9
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C7A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 2_2_000C7A8C
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C6AC2 FindFirstFileW,FindNextFileW, 2_2_000C6AC2
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000D8C69 FindFirstFileW,FindNextFileW,FindNextFileW, 2_2_000D8C69
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C8DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 2_2_000C8DA7
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C6F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 2_2_000C6F06

Networking

Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49704 -> 181.131.217.244:30201
Source: Network traffic Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 181.131.217.244:30201 -> 192.168.2.5:49704
Source: Malware configuration extractor URLs: formationslistcomplet2.sexidude.com
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 181.131.217.244:30201
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: Joe Sandbox View IP Address: 181.131.217.244
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49707 -> 178.237.33.50:80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000DA51B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_000DA51B
Source: global traffic DNS traffic detected: DNS query: formationslistcomplet2.sexidude.com
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: 4wECQoBvYC.exe, 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B04000.00000004.00000020.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: 4wECQoBvYC.exe, 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, 4wECQoBvYC.exe, 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp:
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpl
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpq
Source: PerfectouinVans.exe.0.dr String found in binary or memory: http://www.evenbalance.com/
Source: PerfectouinVans.exe.0.dr String found in binary or memory: http://www.evenbalance.com/index.php?page=pbsvcfaq.php
Source: PerfectouinVans.exe.0.dr String found in binary or memory: http://www.evenbalance.com/index.php?page=pbsvcfaq.phpChecking
Source: 4wECQoBvYC.exe, PerfectouinVans.exe.0.dr String found in binary or memory: http://www.evenbalance.com/index.php?page=pbsvcfaq.phpDisplayVersion%d.%dDisplayNamePunkBuster
Source: 4wECQoBvYC.exe String found in binary or memory: http://www.evenbalance.com/troubletick
Source: PerfectouinVans.exe.0.dr String found in binary or memory: http://www.evenbalance.com/troubleticket/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C99E4 SetWindowsHookExA 0000000D,000C99D0,00000000 2_2_000C99E4
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\4wECQoBvYC.exe
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000D59C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_000D59C6
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C9B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 2_2_000C9B10
Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000DBB77 SystemParametersInfoW, 2_2_000DBB77

System Summary

Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\4wECQoBvYC.exe File dump: PerfectouinVans.exe.0.dr 979567347
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000D58B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 2_2_000D58B9
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004BF370 0_2_004BF370
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004C4DBB 0_2_004C4DBB
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000DD071 2_2_000DD071
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000FD098 2_2_000FD098
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_001120D2 2_2_001120D2
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F7150 2_2_000F7150
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F61AA 2_2_000F61AA
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000E6254 2_2_000E6254
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F1377 2_2_000F1377
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F651C 2_2_000F651C
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000DE5DF 2_2_000DE5DF
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0010C739 2_2_0010C739
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000E67CB 2_2_000E67CB
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F67C6 2_2_000F67C6
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000FC9DD 2_2_000FC9DD
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F2A49 2_2_000F2A49
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F6A8D 2_2_000F6A8D
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000FCC0C 2_2_000FCC0C
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F4D22 2_2_000F4D22
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F6D48 2_2_000F6D48
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_00100E20 2_2_00100E20
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000FCE3B 2_2_000FCE3B
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000E6E73 2_2_000E6E73
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_00112F00 2_2_00112F00
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000D2F45 2_2_000D2F45
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000E6FAD 2_2_000E6FAD
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_004BF370 2_2_004BF370
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_004C4DBB 2_2_004C4DBB
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: String function: 000C1F66 appears 49 times
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: String function: 004010F0 appears 34 times
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: String function: 000F38A5 appears 41 times
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: String function: 000F3FB0 appears 55 times
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: String function: 004BC0F4 appears 126 times
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: String function: 000C20E7 appears 41 times
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: String function: 004BD2C8 appears 82 times
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: String function: 00401072 appears 114 times
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: String function: 0048CFD0 appears 50 times
Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001B55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs 4wECQoBvYC.exe
Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001B55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs 4wECQoBvYC.exe
Source: 4wECQoBvYC.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@5/4@2/2
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_00401896 __EH_prolog,GetLastError,FormatMessageA,LocalFree, 0_2_00401896
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004090DF GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_004090DF
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000D6AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 2_2_000D6AB7
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_004090DF GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 2_2_004090DF
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000CE219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 2_2_000CE219
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_0040631D __EH_prolog,CoCreateInstance, 0_2_0040631D
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000DA63F FindResourceA,LoadResource,LockResource,SizeofResource, 2_2_000DA63F
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000D9BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_000D9BC4
Source: C:\Users\user\Desktop\4wECQoBvYC.exe File created: C:\Users\user\Documents\Perfectouin
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Mutant created: \Sessions\1\BaseNamedObjects\kkdhhcnbvyrmqyodgffgfdds-SO2AWR
Source: C:\Users\user\Desktop\4wECQoBvYC.exe File created: C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs"
Source: 4wECQoBvYC.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4wECQoBvYC.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 4wECQoBvYC.exe ReversingLabs: Detection: 28%
Source: 4wECQoBvYC.exe String found in binary or memory: **ERROR: You must specify install or un-install when using the no-display command-line switch.
Source: 4wECQoBvYC.exe String found in binary or memory: **ERROR: You must specify install or un-install when using the no-prompts command-line switch.
Source: 4wECQoBvYC.exe String found in binary or memory: Un-Install PunkBuster Service
Source: 4wECQoBvYC.exe String found in binary or memory: Are you sure you want to un-install the PunkBuster Service?
Source: 4wECQoBvYC.exe String found in binary or memory: Un-installing
Source: 4wECQoBvYC.exe String found in binary or memory: **ERROR: Could not read PnkBstrB port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
Source: 4wECQoBvYC.exe String found in binary or memory: **ERROR: Could not read PnkBstrA port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
Source: 4wECQoBvYC.exe String found in binary or memory: **ERROR: The version of PnkBstrA installed on your system is outdated. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
Source: 4wECQoBvYC.exe String found in binary or memory: This program will help you install or un-install the PunkBuster Anti-cheat service. Please make your selection and then click "Next" to continue.
Source: 4wECQoBvYC.exe String found in binary or memory: Install/Re-Install PunkBuster Service
Source: 4wECQoBvYC.exe String found in binary or memory: Un-Install/Remove PunkBuster Service
Source: 4wECQoBvYC.exe String found in binary or memory: This program will help you install or un-install the PunkBuster Anti-cheat service.Please make your selection and then click "Next" to continue.
Source: 4wECQoBvYC.exe String found in binary or memory: Stopping PnkBstrKCould not query the PnkBstrK driverPnkBstrKChecking PnkBstrK driver statusReceiving version from PnkBstrBSending version packet to PnkBstrB **ERROR: Could not read PnkBstrB port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.Getting port for PnkBstrBCHANGED (%ld)
Source: 4wECQoBvYC.exe String found in binary or memory: **ERROR: Could not read PnkBstrA port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.PortGetting port for PnkBstrANOT RUNNING
Source: 4wECQoBvYC.exe String found in binary or memory: PnkBstrB file not found **ERROR: The version of PnkBstrA installed on your system is outdated. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.OUTDATED (%ld)
Source: 4wECQoBvYC.exe String found in binary or memory: **ERROR: You must specify install or un-install when using the no-display command-line switch. **ERROR: You must specify install or un-install when using the no-prompts command-line switch.q2.8 (no debug,ANSI,Visual C++,wx containers,compatible with 2.6)your program
Source: 4wECQoBvYC.exe String found in binary or memory: @PunkBuster Service Setup v%d.%d %s - Step 1 of 2PunkBuster Service Setup v%d.%d %s- Step 1 of 3Are you sure you want to un-install the PunkBuster Service?Un-Install PunkBuster ServiceP Q
Source: 4wECQoBvYC.exe String found in binary or memory: @PunkBuster Service Setup v%d.%d %s - Step 3 of 3 - %sPunkBuster Service Setup v%d.%d %s - Step 2 of 2 - %sUn-installingInstalling`!Q
Source: 4wECQoBvYC.exe String found in binary or memory: This program will help you install or un-install the PunkBuster Anti-cheat service.
Source: 4wECQoBvYC.exe String found in binary or memory: &Test ServicesUn-Install/Remove PunkBuster ServiceInstall/Re-Install PunkBuster ServicePunkBuster Service SetupFinished! NOTE: A reboot may be necessary to completely remove the service files.Installation Finished.
Source: 4wECQoBvYC.exe String found in binary or memory: <!--StartFrag
Source: 4wECQoBvYC.exe String found in binary or memory: <!--StartFragment -->
Source: 4wECQoBvYC.exe String found in binary or memory: hAFailed to put data on the clipboardFailed to set clipboard data.<!--EndFragEndFragment<!--StartFragStartFragmentEndHTML%08u<html>StartHTML<!--EndFragment-->
Source: C:\Users\user\Desktop\4wECQoBvYC.exe File read: C:\Users\user\Desktop\4wECQoBvYC.exe
Source: unknown Process created: C:\Users\user\Desktop\4wECQoBvYC.exe "C:\Users\user\Desktop\4wECQoBvYC.exe"
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Process created: C:\Users\user\Desktop\4wECQoBvYC.exe "C:\Users\user\Desktop\4wECQoBvYC.exe"
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs"
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: k7rn7l32.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: ntd3ll.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 4wECQoBvYC.exe Static file information: File size 4087808 > 1048576
Source: 4wECQoBvYC.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1a4000
Source: 4wECQoBvYC.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x117000
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000DBCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_000DBCE3
Source: 4wECQoBvYC.exe Static PE information: real checksum: 0x2f3a40 should be: 0x3e8ca0
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_0048D070 push ecx; mov dword ptr [esp], 00000000h 0_2_0048D086
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004BC0F4 push eax; ret 0_2_004BC112
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004BD303 push ecx; ret 0_2_004BD313
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004BC670 push eax; ret 0_2_004BC684
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004BC670 push eax; ret 0_2_004BC6AC
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_0048CFD0 push ecx; mov dword ptr [esp], 00000000h 0_2_0048CFE6
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_001167E0 push eax; ret 2_2_001167FE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0011B9DD push esi; ret 2_2_0011B9E6
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0011CCDC push esp; retf 0011h 2_2_0011CCDD
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0011CD3C pushad ; retf 2_2_0011CD3D
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0011CD28 push eax; retf 2_2_0011CD39
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0011CD60 pushad ; retf 2_2_0011CD3D
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_00115EAF push ecx; ret 2_2_00115EC2
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F3FF6 push ecx; ret 2_2_000F4009
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0048D070 push ecx; mov dword ptr [esp], 00000000h 2_2_0048D086
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_004BC0F4 push eax; ret 2_2_004BC112
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_004BD303 push ecx; ret 2_2_004BD313
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_004BC670 push eax; ret 2_2_004BC684
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_004BC670 push eax; ret 2_2_004BC6AC
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0046AEA0 pushfd ; iretd 2_2_0046AEB6
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0048CFD0 push ecx; mov dword ptr [esp], 00000000h 2_2_0048CFE6
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0046AFF0 pushfd ; iretd 2_2_0046B085
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0046AFF0 pushfd ; iretd 2_2_0046B0D3
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0046AF80 pushfd ; iretd 2_2_0046B085

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\4wECQoBvYC.exe File created: C:\Users\user\Documents\Perfectouin\Bin\PerfectouinVans.exe
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C6128 ShellExecuteW,URLDownloadToFileW, 2_2_000C6128
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000D9BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_000D9BC4
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PerfectouinVans

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\wscript.exe File deleted: c:\users\user\desktop\4wecqobvyc.exe
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000DBCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_000DBCE3
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000CE54F Sleep,ExitProcess, 2_2_000CE54F
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 2_2_000D98C2
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Window / User API: threadDelayed 2613 Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Window / User API: threadDelayed 6867 Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Window / User API: foregroundWindowGot 1749 Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Dropped PE file which has not been started: C:\Users\user\Documents\Perfectouin\Bin\PerfectouinVans.exe Jump to dropped file
Source: C:\Users\user\Desktop\4wECQoBvYC.exe API coverage: 0.4 %
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 528 Thread sleep count: 232 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 528 Thread sleep time: -116000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 5948 Thread sleep count: 2613 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 5948 Thread sleep time: -7839000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 5948 Thread sleep count: 6867 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 5948 Thread sleep time: -20601000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000CB335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 2_2_000CB335
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000DB42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 2_2_000DB42F
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000CB53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 2_2_000CB53A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0010D5E9 FindFirstFileExA, 2_2_0010D5E9
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C89A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 2_2_000C89A9
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C7A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 2_2_000C7A8C
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C6AC2 FindFirstFileW,FindNextFileW, 2_2_000C6AC2
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000D8C69 FindFirstFileW,FindNextFileW,FindNextFileW, 2_2_000D8C69
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C8DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 2_2_000C8DA7
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000C6F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 2_2_000C6F06
Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001B3A000.00000004.00000020.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000003.2200600896.0000000001B3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW[O
Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001B3A000.00000004.00000020.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000003.2200600896.0000000001B3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\4wECQoBvYC.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000FA65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_000FA65D
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000DBCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_000DBCE3
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_00102554 mov eax, dword ptr fs:[00000030h] 2_2_00102554
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0010E92E GetProcessHeap, 2_2_0010E92E
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Process created: C:\Users\user\Desktop\4wECQoBvYC.exe "C:\Users\user\Desktop\4wECQoBvYC.exe" Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F4168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_000F4168
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000FA65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_000FA65D
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F3B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_000F3B44
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F3CD7 SetUnhandledExceptionFilter, 2_2_000F3CD7

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\4wECQoBvYC.exe Memory written: C:\Users\user\Desktop\4wECQoBvYC.exe base: C0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 2_2_000D0F36
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000D8754 mouse_event, 2_2_000D8754
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" Jump to behavior
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_0040906B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0040906B
Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, registros.dat.2.dr Binary or memory string: [2024/12/09 16:42:26 Program Manager]
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerD
Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagersInfos
Source: registros.dat.2.dr Binary or memory string: [2024/12/09 16:42:19 Program Manager]
Source: registros.dat.2.dr Binary or memory string: [2024/12/09 16:42:08 Program Manager]
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerz
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000F3E0A cpuid 2_2_000F3E0A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: GetLocaleInfoA, 2_2_000CE679
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: GetLocaleInfoW, 2_2_001110BA
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: EnumSystemLocalesW, 2_2_001070AE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_001111E3
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: GetLocaleInfoW, 2_2_001112EA
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_001113B7
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: GetLocaleInfoW, 2_2_00107597
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00110A7F
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: EnumSystemLocalesW, 2_2_00110CF7
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: EnumSystemLocalesW, 2_2_00110D42
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: EnumSystemLocalesW, 2_2_00110DDD
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00110E6A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004BE9CD GetSystemTimeAsFileTime,__aulldiv, 0_2_004BE9CD
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_000DA7A2 GetComputerNameExW,GetUserNameW, 2_2_000DA7A2
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 2_2_0010800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 2_2_0010800F
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: 0_2_004999D0 GetVersionExA, 0_2_004999D0
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 2_2_000CB21B
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 2_2_000CB335
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: \key3.db 2_2_000CB335

Remote Access Functionality

Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR
Source: C:\Users\user\Desktop\4wECQoBvYC.exe Code function: cmd.exe 2_2_000C5042