Analysis

- max time kernel: 172s
- max time network: 301s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 29-09-2021 00:24

Static task: static1
Behavioral task: behavioral1
Sample: invoice_2818144.vbs
Resource: win10-en-20210920

General

- Target: invoice_2818144.vbs
- Size: 226B
- MD5: fce037aad780c08c85db2f24bff80cfa
- SHA1: 881fc64b6fe1dad9459327e931399635fc1fe27c
- SHA256: cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89
- SHA512: cc3b7adfa276163c33fd5cb62dacf0ae754d53d749b0ed95686a42344ecd1cb94a712f89cc6a2ddaae2eaff90a6ac9913fd368ce196612a2a861fba9eecfbb95
Malware Config

Extracted: remcos 3.2.1 Pro

- RemoteHost: snackebay.ddns.net:7676
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remasascos-LVXDHO
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;

Notes on this configuration: install_flag, keylog_flag and screenshot_flag are all false, so this build does not install itself under %AppData%\Remcos, log keystrokes or capture screens on its own; the persistence actually observed in the run comes from the dropper copying invoice_2818144.vbs into the Startup folder (see "Drops startup file" under Signatures). The C2 is a dynamic-DNS hostname, so the address behind snackebay.ddns.net:7676 can change at any time; hunt on the hostname, the port and the mutex Remasascos-LVXDHO rather than on a resolved IP.
Signatures

Registers COM server for autorun (1 TTPs)
  Triggered by the per-user CLSID/InProcServer32 registration of dynwrapx.dll listed under "Modifies registry class" below. Nothing in this run shows that CLSID being used as an autorun entry; the persistence actually observed is the Startup-folder copy under "Drops startup file".

Blocklisted process makes network request (3 IoCs)
  flow  pid   process
  5     3624  WScript.exe
  7     3624  WScript.exe
  9     3624  WScript.exe
  Note: the sample is 226 bytes, too small to carry the Remcos payload itself. These three flows from the initial script host, together with the files listed under Downloads, are consistent with a first-stage downloader.

Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice_2818144.vbs (WSCRIPT.EXE)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice_2818144.vbs (WSCRIPT.EXE)

Loads dropped DLL (4 IoCs)
  - PID 3996 regsvr32.exe
  - PID 4296 WSCRIPT.EXE
  - PID 3968 regsvr32.exe
  - PID 4360 regsvr32.exe
  The DLL the regsvr32.exe instances register is dynwrapx.dll (see Processes); the load by PID 4296 is consistent with the script host instantiating that COM object once registered.

Suspicious use of SetThreadContext (3 IoCs)
  - PID 4296 WSCRIPT.EXE set thread context of PID 4052 winhlp32.exe
  - PID 4296 WSCRIPT.EXE set thread context of PID 4380 winhlp32.exe
  - PID 4296 WSCRIPT.EXE set thread context of PID 4568 winhlp32.exe
  Paired with the writes into the same three targets under "Suspicious use of WriteProcessMemory", this is the process-hollowing pattern: a freshly started winhlp32.exe is written to and its thread redirected. dynwrapx.dll (DynamicWrapperX) is the component that lets a VBScript call Win32 APIs such as these, which is why it is registered first.

Drops file in Windows directory (1 IoCs)
  - File opened for modification: C:\Windows\winhlp32.exe (winhlp32.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: that sentence is the sandbox's generic description for this signature. The payload extracted from this run is Remcos, a remote-access trojan, and nothing else in the report indicates encryption activity.

Modifies registry class (17 IoCs)
  All keys are under the user's own Classes hive, <Classes> = \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes (HKCU\Software\Classes), so the registration needs no administrative rights. The three regsvr32.exe instances each repeat the same registration; WOW6432Node means the DLL is registered as a 32-bit COM server.
  - Key created: <Classes>\WOW6432Node (regsvr32.exe)
  - Key created: <Classes>\WOW6432Node\CLSID (regsvr32.exe)
  - Key created: <Classes>\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC} (regsvr32.exe)
  - Key created: <Classes>\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32 (regsvr32.exe, 3 times)
  - Set value (str): <Classes>\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll" (regsvr32.exe, 3 times)
  - Key created: <Classes>\DynamicWrapperX (regsvr32.exe)
  - Key created: <Classes>\DynamicWrapperX\CLSID (regsvr32.exe, 3 times)
  - Set value (str): <Classes>\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}" (regsvr32.exe, 3 times)
  - Key created: <Classes>\Local Settings (winhlp32.exe)

Suspicious use of WriteProcessMemory (51 IoCs)
  source pid  source process  target pid  target process  writes
  3624        WScript.exe     4296        WSCRIPT.EXE     3
  4296        WSCRIPT.EXE     3996        regsvr32.exe    3
  4296        WSCRIPT.EXE     4052        winhlp32.exe    12
  4296        WSCRIPT.EXE     3968        regsvr32.exe    3
  4296        WSCRIPT.EXE     4380        winhlp32.exe    12
  4296        WSCRIPT.EXE     4360        regsvr32.exe    3
  4296        WSCRIPT.EXE     4568        winhlp32.exe    12
  4052        winhlp32.exe    736         WScript.exe     3
  The three writes into each regsvr32.exe child match what this sandbox records for an ordinary process launch (the WScript.exe to WSCRIPT.EXE launch shows the same three). The twelve writes into each winhlp32.exe instance, paired with the SetThreadContext calls above, are the injection.
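In the raw export, the WriteProcessMemory and SetThreadContext signatures above are one long run of records of the form "PID <src> wrote to memory of <dst> <src> <source image> <target image>". The Python below is an added example and not part of the sandbox report or its tooling: it parses a constructed excerpt of such records (PIDs and image names taken from this report, the run shortened), counts writes per source/target pair, and flags the pairs that show both memory writes and a SetThreadContext from the same source, which is the hollowing shape seen here. The record pattern assumed is exactly the one this report uses; other sandboxes export differently.

```python
import re
from collections import Counter

# Constructed excerpt in the report's flattened export format (PIDs and image
# names taken from this report; the run is shortened to keep it readable).
WRITE_LOG = (
    "PID 3624 wrote to memory of 4296 3624 WScript.exe WSCRIPT.EXE "
    "PID 3624 wrote to memory of 4296 3624 WScript.exe WSCRIPT.EXE "
    "PID 4296 wrote to memory of 3996 4296 WSCRIPT.EXE regsvr32.exe "
    "PID 4296 wrote to memory of 4052 4296 WSCRIPT.EXE winhlp32.exe "
    "PID 4296 wrote to memory of 4052 4296 WSCRIPT.EXE winhlp32.exe "
    "PID 4296 wrote to memory of 4052 4296 WSCRIPT.EXE winhlp32.exe "
    "PID 4296 wrote to memory of 4380 4296 WSCRIPT.EXE winhlp32.exe "
    "PID 4052 wrote to memory of 736 4052 winhlp32.exe WScript.exe"
)
CTX_LOG = (
    "PID 4296 set thread context of 4052 4296 WSCRIPT.EXE winhlp32.exe "
    "PID 4296 set thread context of 4380 4296 WSCRIPT.EXE winhlp32.exe"
)

# One record: "PID <src> <op> <dst> <src> <src image> <dst image>"; the source
# PID is repeated in the export, which the backreference enforces.
RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_records(text):
    """Yield (op, src_pid, dst_pid, src_image, dst_image) from flattened text."""
    for m in RECORD.finditer(text):
        yield (m["op"], int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])


def edge_counts(text):
    """How many records each (src, dst, src_image, dst_image) pair accounts for."""
    return Counter((s, d, si, di) for _, s, d, si, di in parse_records(text))


def hollowing_candidates(write_text, ctx_text):
    """(src, dst) pairs with both memory writes and a SetThreadContext from the
    same source: the shape of process hollowing, as opposed to the handful of
    writes a parent makes into any child it creates."""
    writes = {(s, d) for _, s, d, _, _ in parse_records(write_text)}
    ctx = {(s, d) for _, s, d, _, _ in parse_records(ctx_text)}
    return sorted(writes & ctx)


if __name__ == "__main__":
    for (s, d, si, di), n in sorted(edge_counts(WRITE_LOG).items()):
        print(f"{s} {si} -> {d} {di}: {n} write(s)")
    print("hollowing candidates:", hollowing_candidates(WRITE_LOG, CTX_LOG))
```

Run against the full report text, the same two functions reproduce the per-pair counts in the table above and return the three winhlp32.exe PIDs as hollowing candidates; the regsvr32.exe children, which only ever receive the launch-time writes, are not flagged.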
Processes

1  C:\Windows\System32\WScript.exe  (PID 3624)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice_2818144.vbs"
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\SYSWOW64\WSCRIPT.EXE  (PID 4296)
      "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\invoice_2818144.vbs"
      - Drops startup file
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\regsvr32.exe  (PID 3996)
         "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
         - Loads dropped DLL
         - Modifies registry class

      3  C:\Windows\winhlp32.exe  (PID 4052)
         "C:\Windows\winhlp32.exe"
         - Drops file in Windows directory
         - Modifies registry class
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\WScript.exe  (PID 736)
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fknposccdrxufeqxvxheqn.vbs"

      3  C:\Windows\SysWOW64\regsvr32.exe  (PID 3968)
         "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
         - Loads dropped DLL
         - Modifies registry class

      3  C:\Windows\winhlp32.exe  (PID 4380)
         "C:\Windows\winhlp32.exe"

      3  C:\Windows\SysWOW64\regsvr32.exe  (PID 4360)
         "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
         - Loads dropped DLL
         - Modifies registry class

      3  C:\Windows\winhlp32.exe  (PID 4568)
         "C:\Windows\winhlp32.exe"

Reading the tree:
- The 64-bit WScript.exe re-runs the same script under the 32-bit host in SysWOW64. //b is batch mode (no prompts or error dialogs) and //e:vbscript forces the VBScript engine regardless of file extension.
- Children of the 32-bit host show a SysWOW64 image path but a System32 command line: WoW64 file-system redirection maps System32 to SysWOW64 for 32-bit callers. This is also why the COM registration lands under WOW6432Node.
- regsvr32.exe /I /S registers dynwrapx.dll silently and additionally calls its DllInstall entry point. The DLL lives in the user's Temp folder and is registered per user, so no elevation is involved.
- The register-then-launch-winhlp32.exe sequence is repeated three times (PIDs 3996/4052, 3968/4380, 4360/4568); the report does not show why. Each winhlp32.exe is the target of the SetThreadContext and memory writes listed under Signatures.
- The first hollowed winhlp32.exe (PID 4052) in turn launches a second script, fknposccdrxufeqxvxheqn.vbs, from Temp. A help viewer starting a script host is a clean detection hook on its own.
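The chain above yields several host-level rules that do not depend on the sample's hashes. The Python below is an added example, not the sandbox's own code: the event records are transcribed from the process, registry and file IoCs in this report, and the rule names, the set of script hosts and the USER_WRITABLE path pattern are my own assumptions. In production the same function would be fed Sysmon process-create, registry-value-set and file-create events rather than this constructed list.

```python
import re
from pathlib import PureWindowsPath

# Constructed event records, transcribed from the process tree and the
# registry/file IoCs in the report above (example data, not a live feed).
PROCESS_EVENTS = [
    {"pid": 3624, "ppid": 0, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice_2818144.vbs"'},
    {"pid": 4296, "ppid": 3624, "image": r"C:\Windows\SYSWOW64\WSCRIPT.EXE",
     "cmdline": r'"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\invoice_2818144.vbs"'},
    {"pid": 3996, "ppid": 4296, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"'},
    {"pid": 4052, "ppid": 4296, "image": r"C:\Windows\winhlp32.exe",
     "cmdline": r'"C:\Windows\winhlp32.exe"'},
    {"pid": 736, "ppid": 4052, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fknposccdrxufeqxvxheqn.vbs"'},
]
REGISTRY_EVENTS = [
    {"pid": 3996, "op": "set",
     "key": "\\REGISTRY\\USER\\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes"
            "\\WOW6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\",
     "value": r"C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"},
]
FILE_EVENTS = [
    {"pid": 4296, "op": "create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice_2818144.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed definition of "user-writable": anything under a profile's AppData tree.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def image_name(path):
    return PureWindowsPath(path).name.lower()


def detect(process_events, registry_events, file_events):
    """Return (pid, rule) findings for the chain shape seen in this report."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent["image"]) if parent else ""
        cmd = e["cmdline"].lower()
        # A 64-bit script host re-launching the script under the 32-bit host
        # with a forced engine (//e:) is the first step of this chain.
        if (name in SCRIPT_HOSTS and pname in SCRIPT_HOSTS
                and "syswow64" in e["image"].lower() and "//e:" in cmd):
            findings.append((e["pid"], "script host relaunched under SysWOW64 with //e:"))
        # regsvr32 started by a script host with a DLL from a user-writable path
        # (here /I, i.e. DllInstall, on dynwrapx.dll in %Temp%).
        if name == "regsvr32.exe" and pname in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
            findings.append((e["pid"], "script host registered DLL from user-writable path"))
        # A help viewer has no business launching a script engine.
        if name in SCRIPT_HOSTS and pname == "winhlp32.exe":
            findings.append((e["pid"], "winhlp32.exe spawned a script host"))
    for r in registry_events:
        key = r["key"].lower()
        # Per-user COM server whose InProcServer32 is a DLL the user can overwrite.
        if (r["op"] == "set" and key.startswith("\\registry\\user\\")
                and key.endswith("\\inprocserver32\\") and USER_WRITABLE.search(r["value"])):
            findings.append((r["pid"], "per-user COM InProcServer32 points at user-writable DLL"))
    for f in file_events:
        p = by_pid.get(f["pid"])
        if (p and image_name(p["image"]) in SCRIPT_HOSTS
                and "\\start menu\\programs\\startup\\" in f["path"].lower()):
            findings.append((f["pid"], "script host wrote to Startup folder"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(PROCESS_EVENTS, REGISTRY_EVENTS, FILE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The parent/child rules match on image names rather than on the command-line path, because the System32-versus-SysWOW64 mismatch in this tree shows that the command line alone does not tell you which binary actually ran. None of the five rules reference the sample's hash, the C2 or the mutex, so they survive a rebuild of the dropper; the cost is that each one needs tuning against the environment's legitimate script-host and regsvr32 usage.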
Network
MITRE ATT&CK Enterprise v6
Downloads

Three distinct hash sets appear in the download list; the second one is listed five times in the original report with identical hashes on every entry.

- MD5: 59001a5614e309d1a6819cab35eeb377
  SHA1: 21561ee502a20a001a444e6c325021e2f7925fd1
  SHA256: 0d718ab19003d61ffece45beef64680d2543d64db8533eccc4ec522777bfd2f1
  SHA512: bc4ff36ec2a80c0bdda848465370c2315a9ff42005342d54275b74c6d7356d8f53ecd41b1119dd3ad5e38b18d555d8d19e263d331edad828918c1f949336712a

- MD5: e0b8dfd17b8e7de760b273d18e58b142 (listed 5 times)
  SHA1: 801509fb6783c9e57edc67a72dde3c62080ffbaf
  SHA256: 4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379
  SHA512: 443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

- MD5: 2fcc53839a07381c433bebe1f3bd1b7f
  SHA1: 07bcf6958c15af4b3d5ef8e93cf508da996d1e77
  SHA256: 71f0a43e515536c7786776aeaedb1087e4675d4e7edc83b36bc89327cf2571dd
  SHA512: 494be1560e61ad79e324ba0ec65e67af28780b2ff19f5ea1107a8f2b09ba9055591e835c6e39dade08840dd7125d25cd2d3710fcd5a1afa4767f18177d521b25