Windows Analysis Report
Marys Organizer 2023 Release.zip

Overview

General Information

Sample name:	Marys Organizer 2023 Release.zip
Analysis ID:	1518514
MD5:	e2e67e92cc1d95783a0d5f19edc451d8
SHA1:	c8c5a9002de6c1e69dc700115b21f2f6ee452c3c
SHA256:	68f4332560b060339063e982589becd336a8b1024c6c9bb62207ff2b6b58fb91
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Creates autostart registry keys with suspicious names

Creates multiple autostart registry keys

Injects a PE file into a foreign processes

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Suricata IDS alerts with low severity for network traffic

Uses reg.exe to modify the Windows registry

Yara detected Keylogger Generic

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49714 -> 172.111.163.227:9583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49712 -> 172.111.163.227:9583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49715 -> 45.74.48.2:9774
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49719 -> 45.74.48.2:9774
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49720 -> 45.74.48.2:9774
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49718 -> 45.74.48.2:9774

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.17:49715 -> 45.74.48.2:9774

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.17:49713 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.17:49716 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: privmerkt.com
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: nwemarkets.com

Yara detected Keylogger Generic

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.1866004314.0000000000E7B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f

Yara signature match

Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000002.1866004314.0000000000E7B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.expl.evad.winZIP@14/3@3/21

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

File created: C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll

Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2304:120:WilError_03

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

File created: C:\Users\user\AppData\Local\Temp\build.exe

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"

Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windowscodecs.dll

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Marys Organizer 2023 Release.zip

Static file information: File size 66873356 > 1048576

Creates processes with suspicious names

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe

Drops PE files

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

File created: C:\Users\user\AppData\Local\Temp\build.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Windows\SysWOW64\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\build.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BluetoothExpress
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco
Source: C:\Users\user\AppData\Local\Temp\build.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BluetoothExpress
Source: C:\Users\user\AppData\Local\Temp\build.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BluetoothExpress

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

Window / User API: threadDelayed 9840

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe TID: 348	Thread sleep count: 9840 > 30
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe TID: 348	Thread sleep time: -29520000s >= -30000s

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

Process created: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\build.exe

Memory written: C:\Users\user\AppData\Local\Temp\build.exe base: 800000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-9QRTYQ
Source: C:\Users\user\AppData\Local\Temp\build.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-WREC50

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.111.163.227	privmerkt.com	United States	32489	AMANAHA-NEWCA	true
45.74.48.2	nwemarkets.com	United States	3223	VOXILITYGB	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false

Contacted Domains

Name	IP	Active
privmerkt.com	172.111.163.227	true
nwemarkets.com	45.74.48.2	true
geoplugin.net	178.237.33.50	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown

AV Detection

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49714 -> 172.111.163.227:9583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49712 -> 172.111.163.227:9583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49715 -> 45.74.48.2:9774
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49719 -> 45.74.48.2:9774
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49720 -> 45.74.48.2:9774
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49718 -> 45.74.48.2:9774

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.17:49715 -> 45.74.48.2:9774

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.17:49713 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.17:49716 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: privmerkt.com
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: nwemarkets.com

Yara detected Keylogger Generic

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.1866004314.0000000000E7B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Yara signature match

Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000002.1866004314.0000000000E7B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.expl.evad.winZIP@14/3@3/21

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

File created: C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll

Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2304:120:WilError_03

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

File created: C:\Users\user\AppData\Local\Temp\build.exe

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"

Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windowscodecs.dll

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Marys Organizer 2023 Release.zip

Static file information: File size 66873356 > 1048576

Creates processes with suspicious names

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe

Drops PE files

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

File created: C:\Users\user\AppData\Local\Temp\build.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Windows\SysWOW64\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\build.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BluetoothExpress
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco
Source: C:\Users\user\AppData\Local\Temp\build.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BluetoothExpress
Source: C:\Users\user\AppData\Local\Temp\build.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BluetoothExpress

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

Window / User API: threadDelayed 9840

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe TID: 348	Thread sleep count: 9840 > 30
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe TID: 348	Thread sleep time: -29520000s >= -30000s

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\build.exe

Memory written: C:\Users\user\AppData\Local\Temp\build.exe base: 800000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-9QRTYQ
Source: C:\Users\user\AppData\Local\Temp\build.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-WREC50

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

ID:	1518514
Product:	CloudBasic
Start time:	19:04:44
Start date:	25.09.2024
Sample:	Marys Organizer 2023 Release.zip
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e2e67e92cc1d95783a0d5f19edc451d8
SHA1:	c8c5a9002de6c1e69dc700115b21f2f6ee452c3c
SHA256:	68f4332560b060339063e982589becd336a8b1024c6c9bb62207ff2b6b58fb91
Filetype:	ZIP compressed archive (8000/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\96LGQ1XY\json[1].json	JSON data	18BC6D34FABB00C1E30D98E8DAEC814A	D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54	862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GO30WR0E\json[1].json	JSON data	F61E5CC20FBBA892FF93BFBFC9F41061	36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E	28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
C:\Users\user\AppData\Local\Temp\build.exe	PE32 executable (GUI) Intel 80386, for MS Windows	55FC1A86363D371667FFC9D4DF110A5E	97AB0AF74FCB6F2254BFBCCE912F1BCCCD58463B	A3A4B56DAAC71B1CE0B62F548C200323E603555438C7FB1452268BCA37C8E94F

Windows Analysis Report
Marys Organizer 2023 Release.zip

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Exploits

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Marys Organizer 2023 Release.zip

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Exploits

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Marys Organizer 2023 Release.zip

Malware Threat Intel
Provided by