Analysis
max time kernel: 149s
max time network: 146s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2024 20:34

Static task: static1

Behavioral task: behavioral1
  Sample: WO-663071SabiyaPowerStationProject.vbs
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: WO-663071SabiyaPowerStationProject.vbs
  Resource: win10v2004-20241007-en
General
Target: WO-663071SabiyaPowerStationProject.vbs
Size: 2KB
MD5: 29e1bb22ea494b25e915d1b72b50bfc8
SHA1: 37b7b92709d22bfe4ae4c18258c3cf6751ae53d2
SHA256: 9d5fab129071f6d09f1d45e80991c60459680aab2e6591f8b2cec9909e37a5eb
SHA512: 5ac2953bf6868f7a99bcd97efd75d5fe679649ed7b796918e23f7f90a2441715034594c2080f02a2e80c22153b04a14fa3650bd2f8f732f91808864bbe8d6e30
Malware Config
Extracted family: remcos
RemoteHost: 162.251.122.87:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-UOMZ21
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Remcos family

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     1800  WScript.exe
  7     1800  WScript.exe

Drops startup file (1 IoCs)
  description   ioc                                                                                              Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRunScript.lnk  WScript.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2492  x.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process  procid_target
  PID 2492 set thread context of 1996    2492  x.exe    34

  pid   Process
  2872  powershell.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2872  powershell.exe
  2872  powershell.exe
  2872  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2872  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1996  aspnet_compiler.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   Process         procid_target  (repeats)
  PID 1800 wrote to memory of 2872   1800  WScript.exe     30             x3
  PID 2872 wrote to memory of 2492   2872  powershell.exe  33             x4
  PID 2492 wrote to memory of 1996   2492  x.exe           34             x11
Processes

1. C:\Windows\System32\WScript.exe (PID 1800)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WO-663071SabiyaPowerStationProject.vbs"
   - Blocklisted process makes network request
   - Drops startup file
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2872)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\x.exe (PID 2492)
         "C:\Users\Admin\AppData\Local\Temp\x.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 1996)
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: 15a1aec84e8238aa8e10a1c789a287db
SHA1: c4037101a5faa692d00192fdff339ddb52e1cc37
SHA256: 15fbded60b0ff3bb0dbcc89c7829a8bd7b409afbc87d5af8bcf1cd211fff9279
SHA512: 9f1b74b6894d5ba618028110b4c5968388c14386bf9d185fa7129c107c29151ea2083aab2896aba9d7370184c626cab8c58598478c38d5a6137fa1daaa457a31

Filesize: 701KB
MD5: cf9811311721d98ced8580790789851b
SHA1: 5d90e48e9508e7d01b2472f818b42570e1252fdb
SHA256: 586bb76a51dc382f8df76aebaedd944f262fc2cb0b5d328f069a8708f2a6679e
SHA512: dc8aaf19002413b0bc9f6374b6da913e0f5e995922fcb1390c4b65aed3503a1fdb19870a84c0d8ab785992b9f58849520a4b2535b22bd67907a12efb0bc553a0

Filesize: 526KB
MD5: 2c248753c0d81181227bb95c0bc614cf
SHA1: 86a24f456da864a009edbc5b3a95877fcb9479a4
SHA256: 65ec50ac4d13e4386d497e33d20d5e679a0460727795eb3e8a2f7dfecdf8c4f3
SHA512: f22685e9da58f9a044799a527cb5a9e1da3067875ebc8e4fd4200a4647918a5b1241b4c05aa964b8615ca8f03a99006da69d30935dcee80d2959183daf29fa40