Analysis

max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2024 20:30

Static task: static1

Behavioral task: behavioral1
  Sample: WO-663071 Sabiya Power Station Project.vbs
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: WO-663071 Sabiya Power Station Project.vbs
  Resource: win10v2004-20241007-en
General

Target: WO-663071 Sabiya Power Station Project.vbs
Size: 2KB
MD5: 29e1bb22ea494b25e915d1b72b50bfc8
SHA1: 37b7b92709d22bfe4ae4c18258c3cf6751ae53d2
SHA256: 9d5fab129071f6d09f1d45e80991c60459680aab2e6591f8b2cec9909e37a5eb
SHA512: 5ac2953bf6868f7a99bcd97efd75d5fe679649ed7b796918e23f7f90a2441715034594c2080f02a2e80c22153b04a14fa3650bd2f8f732f91808864bbe8d6e30
Malware Config

Extracted: remcos

RemoteHost: 162.251.122.87:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-UOMZ21
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

- Remcos family

- Blocklisted process makes network request (2 IoCs)
    flow  pid   Process
    4     2792  WScript.exe
    7     2792  WScript.exe

- Drops startup file (1 IoCs)
    description   ioc                                                                                        Process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRunScript.lnk  WScript.exe

- Executes dropped EXE (1 IoCs)
    pid   Process
    2616  x.exe

- Suspicious use of SetThreadContext (1 IoCs)
    description                            pid   Process  procid_target
    PID 2616 set thread context of 1064    2616  x.exe    33

- Command and Scripting Interpreter: PowerShell
    pid   Process
    2636  powershell.exe

- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                            Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    x.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    aspnet_compiler.exe

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
    pid   Process
    2636  powershell.exe
    2636  powershell.exe
    2636  powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description               pid   Process
    Token: SeDebugPrivilege   2636  powershell.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
    pid   Process
    1064  aspnet_compiler.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
    description                          pid   Process         procid_target  occurrences
    PID 2792 wrote to memory of 2636     2792  WScript.exe     29             3
    PID 2636 wrote to memory of 2616     2636  powershell.exe  32             4
    PID 2616 wrote to memory of 1064     2616  x.exe           33             11
Processes

C:\Windows\System32\WScript.exe (PID 2792)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WO-663071 Sabiya Power Station Project.vbs"
  - Blocklisted process makes network request
  - Drops startup file
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2636)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\x.exe (PID 2616)
      command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 1064)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 144B
  MD5: 109dfb59bd57680105c91307b1622563
  SHA1: 5fc4f6bec093fb91099e0eb37b3b260620c066d0
  SHA256: 33794dcb0582a52b2768e48d5aca5a84d0937c5246fec23544254adef5447f2e
  SHA512: 0fb814f88d1e3139cd3c7b0cb348ca6f314c79de7ebd0d373c9cd1c37209f7e94b8649d52e2b076b98eaba136ff99f6be0ec9e954afac9dd1157b8a693a70270

- Filesize: 701KB
  MD5: cf9811311721d98ced8580790789851b
  SHA1: 5d90e48e9508e7d01b2472f818b42570e1252fdb
  SHA256: 586bb76a51dc382f8df76aebaedd944f262fc2cb0b5d328f069a8708f2a6679e
  SHA512: dc8aaf19002413b0bc9f6374b6da913e0f5e995922fcb1390c4b65aed3503a1fdb19870a84c0d8ab785992b9f58849520a4b2535b22bd67907a12efb0bc553a0

- Filesize: 526KB
  MD5: 2c248753c0d81181227bb95c0bc614cf
  SHA1: 86a24f456da864a009edbc5b3a95877fcb9479a4
  SHA256: 65ec50ac4d13e4386d497e33d20d5e679a0460727795eb3e8a2f7dfecdf8c4f3
  SHA512: f22685e9da58f9a044799a527cb5a9e1da3067875ebc8e4fd4200a4647918a5b1241b4c05aa964b8615ca8f03a99006da69d30935dcee80d2959183daf29fa40