Overview

overview

10

Static

static

10

2313.docx

windows7-x64

8

2313.docx

windows10-2004-x64

1

O.rtf

windows7-x64

8

O.rtf

windows10-2004-x64

1

vbc.exe

windows7-x64

7

vbc.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Remcos.zip

  • Size

    337KB

  • Sample

    230215-w5hqssdc75

  • MD5

    1199843047c57c199c303a83143ad1cf

  • SHA1

    18ad4fa9efe176ddf2b18c390360cb6ff929dd0f

  • SHA256

    56ac909a9052c965c797e92ce321b03b2855c2cc1df3c73c0f7b524bb86b5ef6

  • SHA512

    078fbcfc683cdb1676580f3469592ea0b2f0955745ce76100bdd79f19b4c760f5508d41da9fe04790f2f49c7e1cb816771c8e466395f13156ca69fe234ff8648

  • SSDEEP

    6144:l8Lc3wrhZtQ/+WFWAP0pgzkWm6N6p+MKCviMxIi5EEpcNxMMDyGQ4YlStMehHx:8ZqspI/NZavimpMxMHGQ4GSMOR

Score
10/10
discoverywebsettings

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http:/QQQQWWWWQWWWWQWWQWQWQWQQWQWQQWQWQWQWQWQWQWQQQQQQQQOQQQQQOOOOOOOOQOQQQQOQOQOQOQOQOQQWWWWQWQWQWQWQWQWQWQWQQWQ@2901773865/O.DOC

Targets

    • Target

      2313.docx

    • Size

      10KB

    • MD5

      253d6b141a5a985f978106a7d58a42df

    • SHA1

      41702863a0540a764ecbbdb82c868d916af650c6

    • SHA256

      d8575bd0c37f55d47438827c191ede404b8e8f764cb5a4d288322692715a423f

    • SHA512

      53fa8efc63978e1a7ded63a688533002c6cbc11d2529d167a6a232acbf9fa901568fc42401d21f9d284dc08e4ccccf7439ab29e349100994d9d798fe4c4e0e0d

    • SSDEEP

      192:ScIMmtP5hG/b7XN+eOzO+5+5F7Jar/YEChI32x:SPXRE7XtOz7wtar/YECOy

    Score
    8/10
    discovery

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

    • Target

      O.DOC

    • Size

      12KB

    • MD5

      da8eb6ff1d52db618e68d00cf92aac8c

    • SHA1

      c7751371a5db07bc364741ac87d13e77970ed395

    • SHA256

      ed2a734bcb14e0b0b60a187591a6df2077fc9d72a9f65316d6edf33bbfc4c790

    • SHA512

      e0445adde446d3e7838045de7c4f9b09d4bf9a22371edf31e3e2e811d804c8b9845c280d9163a7b0f3975ba712e42ff4398d64b0b549ad97356558fc022e759c

    • SSDEEP

      384:JmhstH6gc35Lbr7jfYNBZmHTq0Om2cs+eH:JB613V3UBmHGe2z+eH

    Score
    8/10
    discovery

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral3behavioral4

    • Target

      vbc.exe

    • Size

      381KB

    • MD5

      c42bd43f9c9d353cfc49d5b795ecd8a9

    • SHA1

      f98c3be5642f443a07186e4958b255ad0fc128f6

    • SHA256

      638e98a58de88b8add87b99d13aea148e1cd7b4035e9ca0e7b5596f2888fc983

    • SHA512

      a1020c9c52802a0d1b76fafaab33952d2be67578292ed1aae1270ffe67561d2f88b5f1bc102a474c1fa1f0da304b8e1625b66f3e31cad06f6c91c9af33aec210

    • SSDEEP

      6144:fC2+8+wt3bWVWAPApgXOWm6L6pMMKCvCMxIq5EENcNxMMDy0Q4Y3ShiF:f3ZpCtLFkvC6NMxMH0Q42H

    Score
    7/10
    discovery

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

3
T1064

Exploitation for Client Execution

2
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

3
T1064

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

7
T1012

System Information Discovery

7
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks