Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2024 20:34
Static task: static1
Behavioral task: behavioral1
  Sample: WO-663071SabiyaPowerStationProject.vbs
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: WO-663071SabiyaPowerStationProject.vbs
  Resource: win10v2004-20241007-en
General
Target: WO-663071SabiyaPowerStationProject.vbs
Size: 2KB
MD5: 29e1bb22ea494b25e915d1b72b50bfc8
SHA1: 37b7b92709d22bfe4ae4c18258c3cf6751ae53d2
SHA256: 9d5fab129071f6d09f1d45e80991c60459680aab2e6591f8b2cec9909e37a5eb
SHA512: 5ac2953bf6868f7a99bcd97efd75d5fe679649ed7b796918e23f7f90a2441715034594c2080f02a2e80c22153b04a14fa3650bd2f8f732f91808864bbe8d6e30
Malware Config
Extracted: remcos
RemoteHost: 162.251.122.87:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-UOMZ21
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Remcos family

Blocklisted process makes network request (3 IoCs)
flow 4: pid 3532 WScript.exe
flow 6: pid 3532 WScript.exe
flow 11: pid 3532 WScript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (WScript.exe)

Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRunScript.lnk (WScript.exe)

Executes dropped EXE (1 IoC)
pid 3820 x.exe

Suspicious use of SetThreadContext (1 IoC)
PID 3820 (x.exe) set thread context of PID 4672 (procid_target 87)
Command and Scripting Interpreter: PowerShell (1 IoC)
pid 5068 powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (x.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (aspnet_compiler.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 5068 powershell.exe
pid 5068 powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, pid 5068 powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid 4672 aspnet_compiler.exe

Suspicious use of WriteProcessMemory (15 IoCs)
PID 3532 (WScript.exe) wrote to memory of PID 5068 (procid_target 84): 2 events
PID 5068 (powershell.exe) wrote to memory of PID 3820 (procid_target 86): 3 events
PID 3820 (x.exe) wrote to memory of PID 4672 (procid_target 87): 10 events
Processes

C:\Windows\System32\WScript.exe (PID 3532, depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WO-663071SabiyaPowerStationProject.vbs"
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5068, depth 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\x.exe (PID 3820, depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 4672, depth 4)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
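The process tree above is a textbook hollowing chain: WScript.exe runs a PowerShell script with -File, PowerShell executes a dropped x.exe out of %LOCALAPPDATA%\Temp, and x.exe starts the signed .NET helper aspnet_compiler.exe with no arguments and then calls SetThreadContext on it (after the ten WriteProcessMemory calls listed in the signatures). Together with the Geo\Nation read and the Startup-folder .lnk, that is enough to write correlation rules. The Python below is an example added by the editor, not the sandbox's detection code or anything from the report. The event records are constructed from this report's process tree and IoCs (plus one benign MSBuild control case), and the record schema (type, pid, ppid, image, cmdline, key, path, target_pid), the set names and the helper functions are this example's own assumptions, not Sysmon's or the sandbox's field names.

```python
"""Correlation rules for the chain in this report: WScript.exe -> powershell.exe -File
-> dropped EXE in %LOCALAPPDATA%\\Temp -> SetThreadContext into aspnet_compiler.exe,
plus the Geo\\Nation registry read and the Startup-folder .lnk.
Added example, not the sandbox's own detection code. Events are constructed from the
report's process tree and IoCs; the record schema (type, pid, ppid, image, cmdline,
key, path, target_pid) and all set/helper names are this example's assumptions."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Signed .NET helper binaries that idle happily with no arguments: usual hollowing hosts.
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe"}
LOCALE_VALUES = ("\\control panel\\international\\geo\\nation", "\\control\\nls\\language")
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
LOCAL_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)


def _name(path):
    return ntpath.basename(path).lower()


def _no_args(ev):
    # The command line is nothing but the (possibly quoted) image path.
    return ev["cmdline"].strip().strip('"').lower() == ev["image"].lower()


def _untrusted(proc):
    # Script interpreters, PowerShell, and anything executing out of the user's Temp dir.
    return _name(proc["image"]) in SCRIPT_HOSTS | {"powershell.exe"} or bool(LOCAL_TEMP.search(proc["image"]))


def detect(events):
    """Return (pid, rule) tuples. A pid's process_create must precede its other events."""
    procs, alerts = {}, []
    for ev in events:
        kind, src = ev["type"], procs.get(ev["pid"])
        if kind == "process_create":
            procs[ev["pid"]] = ev
            image, parent = _name(ev["image"]), procs.get(ev["ppid"])
            pimage = _name(parent["image"]) if parent else ""
            if pimage in SCRIPT_HOSTS and image == "powershell.exe" and "-file" in ev["cmdline"].lower():
                alerts.append((ev["pid"], "script host spawned powershell.exe -File"))
            if pimage == "powershell.exe" and LOCAL_TEMP.search(ev["image"]):
                alerts.append((ev["pid"], "powershell.exe launched EXE from %LOCALAPPDATA%\\Temp"))
            if image in HOLLOW_TARGETS and _no_args(ev) and pimage not in BUILD_TOOLS:
                alerts.append((ev["pid"], f"{image} started without arguments by {pimage or 'unknown'}"))
        elif kind == "set_thread_context":
            target = procs.get(ev["target_pid"])
            if target and ev["target_pid"] != ev["pid"] and _name(target["image"]) in HOLLOW_TARGETS:
                alerts.append((ev["pid"], f"SetThreadContext on {_name(target['image'])}: process hollowing"))
        elif kind == "registry_read":
            if src and _untrusted(src) and ev["key"].lower().endswith(LOCALE_VALUES):
                alerts.append((ev["pid"], "locale/geo registry value read by untrusted process (geofence)"))
        elif kind == "file_create":
            if src and _untrusted(src) and STARTUP_LNK.search(ev["path"]):
                alerts.append((ev["pid"], "shortcut written to Startup folder (persistence)"))
    return alerts


def lineage(events, pid):
    """Parent chain of pid, root first, e.g. 'wscript.exe > powershell.exe > x.exe'."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    names = []
    while pid in procs:
        names.append(_name(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " > ".join(reversed(names))


# Constructed events mirroring the report, followed by a benign MSBuild control case.
EVENTS = [
    {"type": "process_create", "pid": 3532, "ppid": 1000, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WO-663071SabiyaPowerStationProject.vbs"'},
    {"type": "registry_read", "pid": 3532,
     "key": r"\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "pid": 3532,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRunScript.lnk"},
    {"type": "process_create", "pid": 5068, "ppid": 3532, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"'},
    {"type": "process_create", "pid": 3820, "ppid": 5068, "image": r"C:\Users\Admin\AppData\Local\Temp\x.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\x.exe"'},
    {"type": "registry_read", "pid": 3820, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "process_create", "pid": 4672, "ppid": 3820, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'},
    {"type": "set_thread_context", "pid": 3820, "target_pid": 4672},
    {"type": "process_create", "pid": 7000, "ppid": 1000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" site.csproj'},
    {"type": "process_create", "pid": 7001, "ppid": 7000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" -v / -p C:\src\site'},
    {"type": "registry_read", "pid": 7001, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{pid:>5}  {rule}  [{lineage(EVENTS, pid)}]")
```

Running it prints seven alerts for the report's chain and none for the MSBuild control. The aspnet_compiler.exe rule deliberately keys on the empty command line and the non-build-tool parent rather than on the binary name alone, because MSBuild starts the same binary legitimately with -v/-p arguments; likewise the NLS\Language read is only flagged when the reader is an interpreter or runs from Temp, since almost every process on the box touches that key.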
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: 158300f8c2a1eab67f6f1d3aa759190b
SHA1: 1d8c1ed3c73dff5b4dbf76ce6afd8554fdbce39d
SHA256: 429aabc2d1079eee575c279bf1c7ee728673d7c3100aef4aed514f73daab1382
SHA512: d997bbc616661e12e6862c7b9f9989102095ae2863acf6af302888425ab9831d7c5449da2b2b0ccc5c4bd7afa94980883aa1fc95e1514dc053832b110678409e

Filesize: 701KB
MD5: cf9811311721d98ced8580790789851b
SHA1: 5d90e48e9508e7d01b2472f818b42570e1252fdb
SHA256: 586bb76a51dc382f8df76aebaedd944f262fc2cb0b5d328f069a8708f2a6679e
SHA512: dc8aaf19002413b0bc9f6374b6da913e0f5e995922fcb1390c4b65aed3503a1fdb19870a84c0d8ab785992b9f58849520a4b2535b22bd67907a12efb0bc553a0

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 526KB
MD5: 2c248753c0d81181227bb95c0bc614cf
SHA1: 86a24f456da864a009edbc5b3a95877fcb9479a4
SHA256: 65ec50ac4d13e4386d497e33d20d5e679a0460727795eb3e8a2f7dfecdf8c4f3
SHA512: f22685e9da58f9a044799a527cb5a9e1da3067875ebc8e4fd4200a4647918a5b1241b4c05aa964b8615ca8f03a99006da69d30935dcee80d2959183daf29fa40