Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
05-10-2022 08:10
Static task
static1
Behavioral task
behavioral1
Sample
attack.ps1
Resource
win7-20220901-en
General
-
Target
attack.ps1
-
Size
4KB
-
MD5
176f540c8e71f960c63b239859ec05d2
-
SHA1
c517eed5e7a5609f90933840094e78db12a4c68f
-
SHA256
9986a5a295dcbcf5ca4b5c70f8f7a160316d20c7073956ad4ac636506b14bf18
-
SHA512
726d248fd0f86487fe4b392b79ef0b7ef636cd9442d2bd8cebafb68520076153f07e4bb4318e155f1df36458dec570769af4f3817ecec8428d381e3753285cb4
-
SSDEEP
96:w8vjRjNL3nxnBHbHXdb/p3FPPtLfhTbbfLThzZZTXP7CKx:w8vjRjNL3nxnBHbHXdb/p3FPPtLfhTbh
Malware Config
Extracted
remcos
tampabay
zelthin.dvrlists.com:6268
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-MOJ319
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 4 3012 powershell.exe -
Loads dropped DLL 1 IoCs
Processes:
powershell.exepid process 3012 powershell.exe -
Drops file in System32 directory 2 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{07C4C629-C01A-4F63-9AF0-503B442A4E74}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0CA00E3D-5E1F-4371-83EB-0E5613B90FC3}.catalogItem svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 3012 set thread context of 4684 3012 powershell.exe notepad.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 3012 powershell.exe 3012 powershell.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3012 powershell.exe Token: SeIncreaseQuotaPrivilege 3012 powershell.exe Token: SeSecurityPrivilege 3012 powershell.exe Token: SeTakeOwnershipPrivilege 3012 powershell.exe Token: SeLoadDriverPrivilege 3012 powershell.exe Token: SeSystemProfilePrivilege 3012 powershell.exe Token: SeSystemtimePrivilege 3012 powershell.exe Token: SeProfSingleProcessPrivilege 3012 powershell.exe Token: SeIncBasePriorityPrivilege 3012 powershell.exe Token: SeCreatePagefilePrivilege 3012 powershell.exe Token: SeBackupPrivilege 3012 powershell.exe Token: SeRestorePrivilege 3012 powershell.exe Token: SeShutdownPrivilege 3012 powershell.exe Token: SeDebugPrivilege 3012 powershell.exe Token: SeSystemEnvironmentPrivilege 3012 powershell.exe Token: SeRemoteShutdownPrivilege 3012 powershell.exe Token: SeUndockPrivilege 3012 powershell.exe Token: SeManageVolumePrivilege 3012 powershell.exe Token: 33 3012 powershell.exe Token: 34 3012 powershell.exe Token: 35 3012 powershell.exe Token: 36 3012 powershell.exe Token: SeIncreaseQuotaPrivilege 3012 powershell.exe Token: SeSecurityPrivilege 3012 powershell.exe Token: SeTakeOwnershipPrivilege 3012 powershell.exe Token: SeLoadDriverPrivilege 3012 powershell.exe Token: SeSystemProfilePrivilege 3012 powershell.exe Token: SeSystemtimePrivilege 3012 powershell.exe Token: SeProfSingleProcessPrivilege 3012 powershell.exe Token: SeIncBasePriorityPrivilege 3012 powershell.exe Token: SeCreatePagefilePrivilege 3012 powershell.exe Token: SeBackupPrivilege 3012 powershell.exe Token: SeRestorePrivilege 3012 powershell.exe Token: SeShutdownPrivilege 3012 powershell.exe Token: SeDebugPrivilege 3012 powershell.exe Token: SeSystemEnvironmentPrivilege 3012 powershell.exe Token: SeRemoteShutdownPrivilege 3012 powershell.exe Token: SeUndockPrivilege 3012 powershell.exe Token: SeManageVolumePrivilege 3012 powershell.exe Token: 33 3012 powershell.exe Token: 34 3012 powershell.exe Token: 35 3012 powershell.exe Token: 36 3012 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
powershell.exedescription pid process target process PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe PID 3012 wrote to memory of 4684 3012 powershell.exe notepad.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\attack.ps11⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\syswow64\notepad.exe"C:\WINDOWS\syswow64\notepad.exe"2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\73ab9a28-0688-49e7-b77d-eacdd07237df\AgileDotNetRT64.dllFilesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
memory/3012-132-0x000002347A1F0000-0x000002347A212000-memory.dmpFilesize
136KB
-
memory/3012-133-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmpFilesize
10.8MB
-
memory/3012-135-0x00007FFD66490000-0x00007FFD665DE000-memory.dmpFilesize
1.3MB
-
memory/3012-141-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmpFilesize
10.8MB
-
memory/4684-136-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/4684-137-0x00000000004327A4-mapping.dmp
-
memory/4684-138-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/4684-139-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/4684-140-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/4684-142-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB