Analysis

  • max time kernel: 148s
  • max time network: 142s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 05-10-2022 08:10

General

  • Target: attack.ps1
  • Size: 4KB
  • MD5: 176f540c8e71f960c63b239859ec05d2
  • SHA1: c517eed5e7a5609f90933840094e78db12a4c68f
  • SHA256: 9986a5a295dcbcf5ca4b5c70f8f7a160316d20c7073956ad4ac636506b14bf18
  • SHA512: 726d248fd0f86487fe4b392b79ef0b7ef636cd9442d2bd8cebafb68520076153f07e4bb4318e155f1df36458dec570769af4f3817ecec8428d381e3753285cb4
  • SSDEEP: 96:w8vjRjNL3nxnBHbHXdb/p3FPPtLfhTbbfLThzZZTXP7CKx:w8vjRjNL3nxnBHbHXdb/p3FPPtLfhTbh

Score
10/10

Malware Config

Extracted

  • Family: remcos
  • Botnet: tampabay
  • C2: zelthin.dvrlists.com:6268

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-MOJ319
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: Remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\attack.ps1
    PID: 3012 (depth 1)
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\WINDOWS\syswow64\notepad.exe
      "C:\WINDOWS\syswow64\notepad.exe"
      PID: 4684 (depth 2)
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    PID: 4652 (depth 1)
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012), 2 IoCs
    • System Information Discovery (T1082), 2 IoCs


Downloads

  • C:\Users\Admin\AppData\Local\Temp\73ab9a28-0688-49e7-b77d-eacdd07237df\AgileDotNetRT64.dll
    Filesize: 75KB
    MD5: 42b2c266e49a3acd346b91e3b0e638c0
    SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
    SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
    SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
  • memory/3012-132-0x000002347A1F0000-0x000002347A212000-memory.dmp
    Filesize: 136KB
  • memory/3012-133-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp
    Filesize: 10.8MB
  • memory/3012-135-0x00007FFD66490000-0x00007FFD665DE000-memory.dmp
    Filesize: 1.3MB
  • memory/3012-141-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp
    Filesize: 10.8MB
  • memory/4684-136-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize: 508KB
  • memory/4684-137-0x00000000004327A4-mapping.dmp
  • memory/4684-138-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize: 508KB
  • memory/4684-139-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize: 508KB
  • memory/4684-140-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize: 508KB
  • memory/4684-142-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize: 508KB