remcos | cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89

General

Target

invoice_2818144.vbs
Size

226B
MD5

fce037aad780c08c85db2f24bff80cfa
SHA1

881fc64b6fe1dad9459327e931399635fc1fe27c
SHA256

cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89
SHA512

cc3b7adfa276163c33fd5cb62dacf0ae754d53d749b0ed95686a42344ecd1cb94a712f89cc6a2ddaae2eaff90a6ac9913fd368ce196612a2a861fba9eecfbb95

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

3.2.1 Pro

Botnet

RemoteHost

C2

snackebay.ddns.net:7676

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remasascos-LVXDHO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

5 3624 WScript.exe
7 3624 WScript.exe
9 3624 WScript.exe

flow	pid	process
5	3624	WScript.exe
7	3624	WScript.exe
9	3624	WScript.exe

Drops startup file 2 IoCs

Processes:

WSCRIPT.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice_2818144.vbs	WSCRIPT.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice_2818144.vbs	WSCRIPT.EXE

Loads dropped DLL 4 IoCs

Processes:

regsvr32.exeWSCRIPT.EXEregsvr32.exeregsvr32.exe

pid process

3996 regsvr32.exe
4296 WSCRIPT.EXE
3968 regsvr32.exe
4360 regsvr32.exe

pid	process
3996	regsvr32.exe
4296	WSCRIPT.EXE
3968	regsvr32.exe
4360	regsvr32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

WSCRIPT.EXE

description	pid	process	target process
PID 4296 set thread context of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 set thread context of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 set thread context of 4568	4296	WSCRIPT.EXE	winhlp32.exe

Drops file in Windows directory 1 IoCs

Processes:

winhlp32.exe

description ioc process

File opened for modification C:\Windows\winhlp32.exe winhlp32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\winhlp32.exe	winhlp32.exe

Modifies registry class 17 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exewinhlp32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	winhlp32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

WScript.exeWSCRIPT.EXEwinhlp32.exe

description	pid	process	target process
PID 3624 wrote to memory of 4296	3624	WScript.exe	WSCRIPT.EXE
PID 3624 wrote to memory of 4296	3624	WScript.exe	WSCRIPT.EXE
PID 3624 wrote to memory of 4296	3624	WScript.exe	WSCRIPT.EXE
PID 4296 wrote to memory of 3996	4296	WSCRIPT.EXE	regsvr32.exe
PID 4296 wrote to memory of 3996	4296	WSCRIPT.EXE	regsvr32.exe
PID 4296 wrote to memory of 3996	4296	WSCRIPT.EXE	regsvr32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 3968	4296	WSCRIPT.EXE	regsvr32.exe
PID 4296 wrote to memory of 3968	4296	WSCRIPT.EXE	regsvr32.exe
PID 4296 wrote to memory of 3968	4296	WSCRIPT.EXE	regsvr32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4360	4296	WSCRIPT.EXE	regsvr32.exe
PID 4296 wrote to memory of 4360	4296	WSCRIPT.EXE	regsvr32.exe
PID 4296 wrote to memory of 4360	4296	WSCRIPT.EXE	regsvr32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	winhlp32.exe
PID 4052 wrote to memory of 736	4052	winhlp32.exe	WScript.exe
PID 4052 wrote to memory of 736	4052	winhlp32.exe	WScript.exe
PID 4052 wrote to memory of 736	4052	winhlp32.exe	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice_2818144.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SYSWOW64\WSCRIPT.EXE
  "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\invoice_2818144.vbs"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3996
- - C:\Windows\winhlp32.exe
    "C:\Windows\winhlp32.exe"
    3⤵
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fknposccdrxufeqxvxheqn.vbs"
      4⤵
      PID:736
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3968
- - C:\Windows\winhlp32.exe
    "C:\Windows\winhlp32.exe"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4360
- - C:\Windows\winhlp32.exe
    "C:\Windows\winhlp32.exe"
    3⤵
    PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QT2UOKDP\tS4yR[1].txt

MD5
59001a5614e309d1a6819cab35eeb377

SHA1
21561ee502a20a001a444e6c325021e2f7925fd1

SHA256
0d718ab19003d61ffece45beef64680d2543d64db8533eccc4ec522777bfd2f1

SHA512
bc4ff36ec2a80c0bdda848465370c2315a9ff42005342d54275b74c6d7356d8f53ecd41b1119dd3ad5e38b18d555d8d19e263d331edad828918c1f949336712a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fknposccdrxufeqxvxheqn.vbs

MD5
2fcc53839a07381c433bebe1f3bd1b7f

SHA1
07bcf6958c15af4b3d5ef8e93cf508da996d1e77

SHA256
71f0a43e515536c7786776aeaedb1087e4675d4e7edc83b36bc89327cf2571dd

SHA512
494be1560e61ad79e324ba0ec65e67af28780b2ff19f5ea1107a8f2b09ba9055591e835c6e39dade08840dd7125d25cd2d3710fcd5a1afa4767f18177d521b25

Download Submit
\Users\Admin\AppData\Local\Temp\dynwrapx.dll

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
\Users\Admin\AppData\Local\Temp\dynwrapx.dll

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
\Users\Admin\AppData\Local\Temp\dynwrapx.dll

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
\Users\Admin\AppData\Local\Temp\dynwrapx.dll

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
memory/736-141-0x0000000000000000-mapping.dmp

Download
memory/3968-125-0x0000000000000000-mapping.dmp

Download
memory/3996-117-0x0000000000000000-mapping.dmp

Download
memory/4052-128-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4052-122-0x000000000042F71D-mapping.dmp

Download
memory/4052-121-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4296-127-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4296-115-0x0000000000000000-mapping.dmp

Download
memory/4360-132-0x0000000000000000-mapping.dmp

Download
memory/4380-130-0x000000000042F71D-mapping.dmp

Download
memory/4380-135-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4568-137-0x000000000042F71D-mapping.dmp

Download
memory/4568-140-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads