Windows Analysis Report
tu.exe

Overview

General Information

Sample name: tu.exe
Analysis ID: 1428245
MD5: de717951989420c6b9790c9160a23d35
SHA1: df8621b3d9fa7e4e1d511d6ff732457aac6a0a1d
SHA256: d434e12726aee7ad7378dc4e395dd5f8fba6255546eef9e1dbb51d52d966af2c

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files to the document folder of the user
Drops large PE files
Injects a PE file into a foreign process
Installs a global keyboard hook
Abnormally high CPU usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Source: 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "abril18.con-ip.com:7770:1", "Assigned name": "ALETEO", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-PO8SC5", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: Yara match File source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4585822426.00000000024CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00583837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 5_2_00583837
Source: tu.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_005574FD _wcslen,CoGetObject, 5_2_005574FD
Source: tu.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tu.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\vmagent_new\bin\joblist\222359\out\Release\360AdvToolExecutor.pdbpF source: tu.exe, SentinelOne.exe.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\222359\out\Release\360AdvToolExecutor.pdb source: tu.exe, SentinelOne.exe.0.dr
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00559253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 5_2_00559253
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0056C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 5_2_0056C291
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 5_2_0055C34D
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00559665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 5_2_00559665
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0059E879 FindFirstFileExA, 5_2_0059E879
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 5_2_0055880C
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055783C FindFirstFileW,FindNextFileW, 5_2_0055783C
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00569AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 5_2_00569AF5
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 5_2_0055BB30
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 5_2_0055BD37
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00557C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 5_2_00557C97

Networking

Source: Malware configuration extractor URLs: abril18.con-ip.com
Source: global traffic TCP traffic: 192.168.2.6:49721 -> 179.14.10.110:7770
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View ASN Name: ColombiaMovilCO ColombiaMovilCO
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0056B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 5_2_0056B380
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: abril18.con-ip.com
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://.inihttps://map/set
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://crl.godaddy.com/gdig2s5-6.crl0
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://down.360safe.com/360zip_setup.exe360SysReset
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://down.360safe.com/setup.exeIsBetaVersion360ver.dllSOFTWARE
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/;
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: tu.exe, 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, tu.exe, 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, tu.exe, 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpJ
Source: tu.exe, 00000005.00000003.2347351969.0000000000937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpK
Source: tu.exe, 00000005.00000003.2347351969.0000000000937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpQ
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpT
Source: tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpalF
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpl
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://ocsp.godaddy.com/0
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://ocsp.godaddy.com/05
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: https://certs.godaddy.com/repository/0
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: tu.exe, SentinelOne.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/03

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055A2B8 SetWindowsHookExA 0000000D,0055A2A4,00000000 5_2_0055A2B8
Source: C:\Users\user\Desktop\tu.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\tu.exe
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055B70E OpenClipboard,GetClipboardData,CloseClipboard, 5_2_0055B70E
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_005668C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_005668C1
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055B70E OpenClipboard,GetClipboardData,CloseClipboard, 5_2_0055B70E
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 5_2_0055A3E0

E-Banking Fraud

Source: Yara match File source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4585822426.00000000024CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0056C9E2 SystemParametersInfoW, 5_2_0056C9E2

System Summary

Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\tu.exe File dump: SentinelOne.exe.0.dr 800000000
Source: C:\Users\user\Desktop\tu.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_004115E1 NtQueryDefaultLocale, 0_2_004115E1
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00406279: CreateFileA,_memset,DeviceIoControl,CloseHandle, 0_2_00406279
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_005667B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 5_2_005667B4
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0042B525 0_2_0042B525
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_004115E1 0_2_004115E1
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00412583 0_2_00412583
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00407010 0_2_00407010
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040E020 0_2_0040E020
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040E024 0_2_0040E024
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00455031 0_2_00455031
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00456160 0_2_00456160
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0044A29E 0_2_0044A29E
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040D2A8 0_2_0040D2A8
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0043F34D 0_2_0043F34D
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040E36C 0_2_0040E36C
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0041236C 0_2_0041236C
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0042B441 0_2_0042B441
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00428486 0_2_00428486
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_004124AF 0_2_004124AF
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00455575 0_2_00455575
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0042A571 0_2_0042A571
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00440533 0_2_00440533
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040D608 0_2_0040D608
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00428613 0_2_00428613
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040D62D 0_2_0040D62D
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040F695 0_2_0040F695
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00445732 0_2_00445732
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_004127ED 0_2_004127ED
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040D7FF 0_2_0040D7FF
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040F8F3 0_2_0040F8F3
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040D882 0_2_0040D882
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0042788F 0_2_0042788F
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040D892 0_2_0040D892
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0042B8B9 0_2_0042B8B9
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00438950 0_2_00438950
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040F904 0_2_0040F904
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0042991A 0_2_0042991A
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00456924 0_2_00456924
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00429A53 0_2_00429A53
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00426A6B 0_2_00426A6B
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040FA08 0_2_0040FA08
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0044CAB8 0_2_0044CAB8
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00438B4E 0_2_00438B4E
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00429B6A 0_2_00429B6A
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00454B06 0_2_00454B06
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00459BC1 0_2_00459BC1
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00455BE0 0_2_00455BE0
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00407B90 0_2_00407B90
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0044EBBB 0_2_0044EBBB
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00406D10 0_2_00406D10
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00455E5B 0_2_00455E5B
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040DE67 0_2_0040DE67
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040CE0C 0_2_0040CE0C
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040CE13 0_2_0040CE13
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040CE28 0_2_0040CE28
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00433E86 0_2_00433E86
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040CE87 0_2_0040CE87
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00403E90 0_2_00403E90
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00426E9F 0_2_00426E9F
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040DF69 0_2_0040DF69
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00411F13 0_2_00411F13
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040DFF6 0_2_0040DFF6
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00429FFD 0_2_00429FFD
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040F002 5_2_0040F002
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00407010 5_2_00407010
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040D01B 5_2_0040D01B
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040F023 5_2_0040F023
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00456160 5_2_00456160
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040D19C 5_2_0040D19C
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004121AA 5_2_004121AA
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040D2D3 5_2_0040D2D3
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0044A29E 5_2_0044A29E
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040D2A8 5_2_0040D2A8
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004112B9 5_2_004112B9
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0043F34D 5_2_0043F34D
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040D3EA 5_2_0040D3EA
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004124AF 5_2_004124AF
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00455575 5_2_00455575
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00440533 5_2_00440533
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040D678 5_2_0040D678
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040F695 5_2_0040F695
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00445732 5_2_00445732
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004127ED 5_2_004127ED
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040D7FF 5_2_0040D7FF
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004118D7 5_2_004118D7
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040D882 5_2_0040D882
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040D892 5_2_0040D892
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040F8B1 5_2_0040F8B1
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00438950 5_2_00438950
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040F904 5_2_0040F904
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00456924 5_2_00456924
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040FA08 5_2_0040FA08
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0044CAB8 5_2_0044CAB8
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00411ABC 5_2_00411ABC
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00438B4E 5_2_00438B4E
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00454B06 5_2_00454B06
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00459BC1 5_2_00459BC1
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00455BE0 5_2_00455BE0
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00407B90 5_2_00407B90
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0044EBBB 5_2_0044EBBB
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00406D10 5_2_00406D10
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040EE49 5_2_0040EE49
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00455E5B 5_2_00455E5B
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00433E86 5_2_00433E86
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00403E90 5_2_00403E90
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00410E9D 5_2_00410E9D
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00411F57 5_2_00411F57
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0040EF70 5_2_0040EF70
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00411F0D 5_2_00411F0D
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0058E0CC 5_2_0058E0CC
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0056F0FA 5_2_0056F0FA
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_005A4159 5_2_005A4159
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00588168 5_2_00588168
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_005961F0 5_2_005961F0
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0058E2FB 5_2_0058E2FB
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_005A332B 5_2_005A332B
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0057739D 5_2_0057739D
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_005874E6 5_2_005874E6
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0058E558 5_2_0058E558
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00588770 5_2_00588770
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_005878FE 5_2_005878FE
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00583946 5_2_00583946
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0059D9C9 5_2_0059D9C9
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00577A46 5_2_00577A46
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0056DB62 5_2_0056DB62
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00577BAF 5_2_00577BAF
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00587D33 5_2_00587D33
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00585E5E 5_2_00585E5E
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00576E0E 5_2_00576E0E
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0058DE9D 5_2_0058DE9D
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00563FCA 5_2_00563FCA
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00586FEA 5_2_00586FEA
Source: C:\Users\user\Desktop\tu.exe Code function: String function: 00433768 appears 56 times
Source: C:\Users\user\Desktop\tu.exe Code function: String function: 00584E10 appears 54 times
Source: C:\Users\user\Desktop\tu.exe Code function: String function: 00552093 appears 50 times
Source: C:\Users\user\Desktop\tu.exe Code function: String function: 00584770 appears 41 times
Source: C:\Users\user\Desktop\tu.exe Code function: String function: 00443C7F appears 38 times
Source: C:\Users\user\Desktop\tu.exe Code function: String function: 00408EE0 appears 68 times
Source: C:\Users\user\Desktop\tu.exe Code function: String function: 00551E65 appears 34 times
Source: C:\Users\user\Desktop\tu.exe Code function: String function: 004322DC appears 96 times
Source: C:\Users\user\Desktop\tu.exe Code function: String function: 00408AE0 appears 94 times
Source: tu.exe Static PE information: invalid certificate
Source: tu.exe Binary or memory string: OriginalFilename vs tu.exe
Source: tu.exe, 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameREGEDIT.EXEj% vs tu.exe
Source: tu.exe, 00000000.00000000.2099392755.000000000046D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameREGEDIT.EXEj% vs tu.exe
Source: tu.exe, 00000000.00000003.2276384508.00000000007DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs tu.exe
Source: tu.exe, 00000000.00000002.2312497564.0000000002589000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameREGEDIT.EXEj% vs tu.exe
Source: tu.exe, 00000000.00000002.2312300285.00000000007DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs tu.exe
Source: tu.exe, 00000005.00000000.2310003818.000000000046D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameREGEDIT.EXEj% vs tu.exe
Source: tu.exe Binary or memory string: OriginalFilenameREGEDIT.EXEj% vs tu.exe
Source: tu.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@3/2
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00408380 SetLastError,GetLastError,SetLastError,GetLastError,_wcsrchr,_wcsncpy,_strerror,MultiByteToWideChar,_wcsncpy,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,FormatMessageW,_wcstok,_vswprintf_s,_wcsncpy,GetSystemTime,LocalFree,FreeLibrary, 0_2_00408380
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00567952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 5_2_00567952
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 5_2_0055F474
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0056B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 5_2_0056B4A8
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0056AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 5_2_0056AA4A
Source: C:\Users\user\Desktop\tu.exe File created: C:\Users\user\Documents\ChromeUpdate
Source: C:\Users\user\Desktop\tu.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-PO8SC5
Source: tu.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\tu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\tu.exe File read: C:\Users\user\Desktop\tu.exe
Source: unknown Process created: C:\Users\user\Desktop\tu.exe "C:\Users\user\Desktop\tu.exe"
Source: C:\Users\user\Desktop\tu.exe Process created: C:\Users\user\Desktop\tu.exe "C:\Users\user\Desktop\tu.exe"
Source: C:\Users\user\Desktop\tu.exe Process created: C:\Users\user\Desktop\tu.exe "C:\Users\user\Desktop\tu.exe"
Source: C:\Users\user\Desktop\tu.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: k7rn7l32.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: ntd3ll.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\tu.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\tu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: tu.exe Static file information: File size 1340704 > 1048576
Source: tu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: tu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: tu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: tu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: tu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: tu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: tu.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: tu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\vmagent_new\bin\joblist\222359\out\Release\360AdvToolExecutor.pdbpF source: tu.exe, SentinelOne.exe.0.dr
Source: Binary string: C:\vmagent_new\bin\joblist\222359\out\Release\360AdvToolExecutor.pdb source: tu.exe, SentinelOne.exe.0.dr
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00447B97 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_00447B97
Source: tu.exe Static PE information: real checksum: 0x798b9 should be: 0x154233
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00403180 push ecx; mov dword ptr [esp], 00000000h 0_2_00403181
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00432321 push ecx; ret 0_2_00432334
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00403400 push ecx; mov dword ptr [esp], 00000000h 0_2_00403401
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004140D0 push ecx; retf 5_2_004140A5
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004140A6 push ecx; retf 5_2_004140A5
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004140BB push ecx; retf 5_2_004140C1
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00403180 push ecx; mov dword ptr [esp], 00000000h 5_2_00403181
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004152A0 push edi; retf 5_2_0041537A
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00417356 push ecx; retf 5_2_0041750A
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0041537B push edi; retf 5_2_0041537A
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00432321 push ecx; ret 5_2_00432334
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00415390 push edi; retf 5_2_0041537A
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0041539E push edi; retf 5_2_0041537A
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00403400 push ecx; mov dword ptr [esp], 00000000h 5_2_00403401
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00415432 push edi; retf 5_2_0041543F
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004154D3 push edi; retf 5_2_00415512
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0041750B push ecx; retf 5_2_0041750A
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00417535 push ecx; retf 5_2_0041750A
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0041E630 push ecx; retf 5_2_0041E631
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004136EA push ecx; retf 5_2_00413729
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00413746 push ecx; retf 5_2_00413729
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00418711 push ecx; retf 5_2_004188C7
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0041372A push ecx; retf 5_2_00413729
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004137D3 push edi; retf 5_2_004137E0
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004137BE push esp; retf 5_2_004137D2
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00413840 push ecx; retf 5_2_00413851
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00413867 push edi; retf 5_2_0041386D
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004188C8 push ecx; retf 5_2_004188C7
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_004188F2 push ecx; retf 5_2_004188C7
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00415A8C push ecx; retf 5_2_00415A92
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00415AA8 push ecx; retf 5_2_00415AAE
Source: tu.exe Static PE information: section name: .text entropy: 6.861631705496741
Source: SentinelOne.exe.0.dr Static PE information: section name: .text entropy: 6.861631705496741

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\tu.exe Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_00406279
Source: C:\Users\user\Desktop\tu.exe Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_00406210
Source: C:\Users\user\Desktop\tu.exe Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 5_2_00406279
Source: C:\Users\user\Desktop\tu.exe Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 5_2_00406210
Source: C:\Users\user\Desktop\tu.exe File created: C:\Users\user\Documents\ChromeUpdate\SentinelOne.exe
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00556EB0 ShellExecuteW,URLDownloadToFileW, 5_2_00556EB0
Source: C:\Users\user\Desktop\tu.exe File created: C:\Users\user\Documents\ChromeUpdate\SentinelOne.exe

Boot Survival

Source: C:\Users\user\Desktop\tu.exe Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_00406279
Source: C:\Users\user\Desktop\tu.exe Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_00406210
Source: C:\Users\user\Desktop\tu.exe Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 5_2_00406279
Source: C:\Users\user\Desktop\tu.exe Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 5_2_00406210
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0056AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 5_2_0056AA4A
Source: C:\Users\user\Desktop\tu.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SentinelOneIsCrap
Source: C:\Users\user\Desktop\tu.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SentinelOneIsCrap
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0056CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 5_2_0056CB50
Source: C:\Users\user\Desktop\tu.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055F7A7 Sleep,ExitProcess, 5_2_0055F7A7
Source: C:\Users\user\Desktop\tu.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 5_2_0056A748
Source: C:\Users\user\Desktop\tu.exe Window / User API: threadDelayed 9521
Source: C:\Users\user\Desktop\tu.exe Window / User API: foregroundWindowGot 1745
Source: C:\Users\user\Desktop\tu.exe Dropped PE file which has not been started: C:\Users\user\Documents\ChromeUpdate\SentinelOne.exe
Source: C:\Users\user\Desktop\tu.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\tu.exe API coverage: 8.5 %
Source: C:\Users\user\Desktop\tu.exe TID: 6712 Thread sleep count: 137 > 30
Source: C:\Users\user\Desktop\tu.exe TID: 6712 Thread sleep time: -68500s >= -30000s
Source: C:\Users\user\Desktop\tu.exe TID: 2420 Thread sleep count: 133 > 30
Source: C:\Users\user\Desktop\tu.exe TID: 2420 Thread sleep time: -399000s >= -30000s
Source: C:\Users\user\Desktop\tu.exe TID: 2420 Thread sleep count: 9521 > 30
Source: C:\Users\user\Desktop\tu.exe TID: 2420 Thread sleep time: -28563000s >= -30000s
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00559253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 5_2_00559253
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0056C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 5_2_0056C291
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 5_2_0055C34D
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00559665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 5_2_00559665
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0059E879 FindFirstFileExA, 5_2_0059E879
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 5_2_0055880C
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055783C FindFirstFileW,FindNextFileW, 5_2_0055783C
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00569AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 5_2_00569AF5
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 5_2_0055BB30
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0055BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 5_2_0055BD37
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00557C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 5_2_00557C97
Source: tu.exe, 00000005.00000003.2347351969.0000000000972000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000972000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW<
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000972000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000972000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\tu.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0042F43A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0042F43A
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040BB10 GetCurrentThreadId,GetProcessHeap,OpenThread,OpenThread,GetLastError,GetProcessHeap,HeapFree,OutputDebugStringW,CloseHandle, 0_2_0040BB10
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00447B97 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_00447B97
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_005932B5 mov eax, dword ptr fs:[00000030h] 5_2_005932B5
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0040C050 GetProcessHeap,HeapAlloc, 0_2_0040C050
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_0042F43A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0042F43A
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00430B49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00430B49
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00414B51 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00414B51
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00435C77 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00435C77
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0042F43A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0042F43A
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00430B49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00430B49
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00435C77 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00435C77
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_005849F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_005849F9
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00584B47 SetUnhandledExceptionFilter, 5_2_00584B47
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0058BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0058BB22
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00584FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00584FDC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\tu.exe Memory written: C:\Users\user\Desktop\tu.exe base: 550000 value starts with: 4D5A
Source: C:\Users\user\Desktop\tu.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 5_2_005620F7
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_00569627 mouse_event, 5_2_00569627
Source: C:\Users\user\Desktop\tu.exe Process created: C:\Users\user\Desktop\tu.exe "C:\Users\user\Desktop\tu.exe"
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerC5\08
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerC5\D
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerC5\
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager_
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerC5\2V
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerC5\2
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerC5\25
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager9
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, logs.dat.5.dr Binary or memory string: [Program Manager]
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerC5\54
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00406100 cpuid 0_2_00406100
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoA, 0_2_00454050
Source: C:\Users\user\Desktop\tu.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_0044B1C1
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoA, 0_2_0045322C
Source: C:\Users\user\Desktop\tu.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0044B2AE
Source: C:\Users\user\Desktop\tu.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 0_2_004492AE
Source: C:\Users\user\Desktop\tu.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 0_2_0044B351
Source: C:\Users\user\Desktop\tu.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0044B315
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 0_2_0044845E
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoW, 0_2_00448411
Source: C:\Users\user\Desktop\tu.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 0_2_0044842A
Source: C:\Users\user\Desktop\tu.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 0_2_00449539
Source: C:\Users\user\Desktop\tu.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0044859D
Source: C:\Users\user\Desktop\tu.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 0_2_004497FF
Source: C:\Users\user\Desktop\tu.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00448C0D
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 0_2_0044ADCC
Source: C:\Users\user\Desktop\tu.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 0_2_00435DAF
Source: C:\Users\user\Desktop\tu.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_0044AEE3
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 0_2_0044AF7B
Source: C:\Users\user\Desktop\tu.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_0044AFEF
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoA, 5_2_00454050
Source: C:\Users\user\Desktop\tu.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 5_2_0044B1C1
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoA, 5_2_0045322C
Source: C:\Users\user\Desktop\tu.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_0044B2AE
Source: C:\Users\user\Desktop\tu.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 5_2_004492AE
Source: C:\Users\user\Desktop\tu.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 5_2_0044B351
Source: C:\Users\user\Desktop\tu.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_0044B315
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 5_2_0044845E
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoW, 5_2_00448411
Source: C:\Users\user\Desktop\tu.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 5_2_0044842A
Source: C:\Users\user\Desktop\tu.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 5_2_00449539
Source: C:\Users\user\Desktop\tu.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 5_2_0044859D
Source: C:\Users\user\Desktop\tu.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 5_2_004497FF
Source: C:\Users\user\Desktop\tu.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 5_2_00448C0D
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 5_2_0044ADCC
Source: C:\Users\user\Desktop\tu.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 5_2_00435DAF
Source: C:\Users\user\Desktop\tu.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 5_2_0044AEE3
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 5_2_0044AF7B
Source: C:\Users\user\Desktop\tu.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 5_2_0044AFEF
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoA, 5_2_0055F8D1
Source: C:\Users\user\Desktop\tu.exe Code function: EnumSystemLocalesW, 5_2_005A2036
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_005A20C3
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoW, 5_2_005A2313
Source: C:\Users\user\Desktop\tu.exe Code function: EnumSystemLocalesW, 5_2_00598404
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_005A243C
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoW, 5_2_005A2543
Source: C:\Users\user\Desktop\tu.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_005A2610
Source: C:\Users\user\Desktop\tu.exe Code function: GetLocaleInfoW, 5_2_005988ED
Source: C:\Users\user\Desktop\tu.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 5_2_005A1CD8
Source: C:\Users\user\Desktop\tu.exe Code function: EnumSystemLocalesW, 5_2_005A1F50
Source: C:\Users\user\Desktop\tu.exe Code function: EnumSystemLocalesW, 5_2_005A1F9B
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_00409120 GetCurrentThreadId,GetLocalTime,__swprintf, 0_2_00409120
Source: C:\Users\user\Desktop\tu.exe Code function: 5_2_0056B60D GetComputerNameExW,GetUserNameW, 5_2_0056B60D
Source: C:\Users\user\Desktop\tu.exe Code function: 0_2_004535C3 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_004535C3
Source: C:\Users\user\Desktop\tu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4585822426.00000000024CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR
Source: C:\Users\user\Desktop\tu.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 5_2_0055BA12
Source: C:\Users\user\Desktop\tu.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 5_2_0055BB30
Source: C:\Users\user\Desktop\tu.exe Code function: \key3.db 5_2_0055BB30

Remote Access Functionality

Source: C:\Users\user\Desktop\tu.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-PO8SC5
Source: Yara match File source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4585822426.00000000024CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR
Source: C:\Users\user\Desktop\tu.exe Code function: cmd.exe 5_2_0055569A