Analysis
max time kernel: 148s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 12-12-2024 20:30

Static task: static1
Behavioral task: behavioral1
  Sample: WO-663071 Sabiya Power Station Project.vbs
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: WO-663071 Sabiya Power Station Project.vbs
  Resource: win10v2004-20241007-en
General
Target: WO-663071 Sabiya Power Station Project.vbs
Size: 2KB
MD5: 29e1bb22ea494b25e915d1b72b50bfc8
SHA1: 37b7b92709d22bfe4ae4c18258c3cf6751ae53d2
SHA256: 9d5fab129071f6d09f1d45e80991c60459680aab2e6591f8b2cec9909e37a5eb
SHA512: 5ac2953bf6868f7a99bcd97efd75d5fe679649ed7b796918e23f7f90a2441715034594c2080f02a2e80c22153b04a14fa3650bd2f8f732f91808864bbe8d6e30
Malware Config
Extracted: remcos
RemoteHost: 162.251.122.87:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-UOMZ21
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Remcos family

Blocklisted process makes network request (3 IoCs)
flow  pid   Process
4     2264  WScript.exe
6     2264  WScript.exe
8     2264  WScript.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                              Process
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  WScript.exe

Drops startup file (1 IoCs)
description   ioc                                                                                                   Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRunScript.lnk          WScript.exe

Executes dropped EXE (1 IoCs)
pid   Process
5068  x.exe

Suspicious use of SetThreadContext (1 IoCs)
description                              pid   Process  procid_target
PID 5068 set thread context of 5072      5068  x.exe    87
Command and Scripting Interpreter: PowerShell (1 IoCs)
pid   Process
2636  powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
2636  powershell.exe
2636  powershell.exe
5068  x.exe
5068  x.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2636  powershell.exe
Token: SeDebugPrivilege   5068  x.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
5072  aspnet_compiler.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description                          pid   Process         procid_target
PID 2264 wrote to memory of 2636     2264  WScript.exe     83
PID 2264 wrote to memory of 2636     2264  WScript.exe     83
PID 2636 wrote to memory of 5068     2636  powershell.exe  85
PID 2636 wrote to memory of 5068     2636  powershell.exe  85
PID 2636 wrote to memory of 5068     2636  powershell.exe  85
PID 5068 wrote to memory of 1624     5068  x.exe           86
PID 5068 wrote to memory of 1624     5068  x.exe           86
PID 5068 wrote to memory of 1624     5068  x.exe           86
PID 5068 wrote to memory of 5072     5068  x.exe           87
PID 5068 wrote to memory of 5072     5068  x.exe           87
PID 5068 wrote to memory of 5072     5068  x.exe           87
PID 5068 wrote to memory of 5072     5068  x.exe           87
PID 5068 wrote to memory of 5072     5068  x.exe           87
PID 5068 wrote to memory of 5072     5068  x.exe           87
PID 5068 wrote to memory of 5072     5068  x.exe           87
PID 5068 wrote to memory of 5072     5068  x.exe           87
PID 5068 wrote to memory of 5072     5068  x.exe           87
PID 5068 wrote to memory of 5072     5068  x.exe           87
Processes

[depth 1] C:\Windows\System32\WScript.exe (PID 2264)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WO-663071 Sabiya Power Station Project.vbs"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2636)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\x.exe (PID 5068)
      Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 1624)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        (no signatures)

      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 5072)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads