remcos | cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89

Analysis

max time kernel
172s
max time network
301s
platform
windows10_x64
resource
win10-en-20210920
submitted
29-09-2021 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invoice_2818144.vbs
Size

226B
MD5

fce037aad780c08c85db2f24bff80cfa
SHA1

881fc64b6fe1dad9459327e931399635fc1fe27c
SHA256

cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89
SHA512

cc3b7adfa276163c33fd5cb62dacf0ae754d53d749b0ed95686a42344ecd1cb94a712f89cc6a2ddaae2eaff90a6ac9913fd368ce196612a2a861fba9eecfbb95

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

3.2.1 Pro

Botnet

RemoteHost

snackebay.ddns.net:7676

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remasascos-LVXDHO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	3624	WScript.exe
7	3624	WScript.exe
9	3624	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice_2818144.vbs	WSCRIPT.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice_2818144.vbs	WSCRIPT.EXE

Loads dropped DLL 4 IoCs

pid	Process
3996	regsvr32.exe
4296	WSCRIPT.EXE
3968	regsvr32.exe
4360	regsvr32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4296 set thread context of 4052	4296	WSCRIPT.EXE	73
PID 4296 set thread context of 4380	4296	WSCRIPT.EXE	75
PID 4296 set thread context of 4568	4296	WSCRIPT.EXE	77

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winhlp32.exe	winhlp32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	winhlp32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 4296	3624	WScript.exe	71
PID 3624 wrote to memory of 4296	3624	WScript.exe	71
PID 3624 wrote to memory of 4296	3624	WScript.exe	71
PID 4296 wrote to memory of 3996	4296	WSCRIPT.EXE	72
PID 4296 wrote to memory of 3996	4296	WSCRIPT.EXE	72
PID 4296 wrote to memory of 3996	4296	WSCRIPT.EXE	72
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 4052	4296	WSCRIPT.EXE	73
PID 4296 wrote to memory of 3968	4296	WSCRIPT.EXE	74
PID 4296 wrote to memory of 3968	4296	WSCRIPT.EXE	74
PID 4296 wrote to memory of 3968	4296	WSCRIPT.EXE	74
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4380	4296	WSCRIPT.EXE	75
PID 4296 wrote to memory of 4360	4296	WSCRIPT.EXE	76
PID 4296 wrote to memory of 4360	4296	WSCRIPT.EXE	76
PID 4296 wrote to memory of 4360	4296	WSCRIPT.EXE	76
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4296 wrote to memory of 4568	4296	WSCRIPT.EXE	77
PID 4052 wrote to memory of 736	4052	winhlp32.exe	78
PID 4052 wrote to memory of 736	4052	winhlp32.exe	78
PID 4052 wrote to memory of 736	4052	winhlp32.exe	78

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice_2818144.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SYSWOW64\WSCRIPT.EXE
  "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\invoice_2818144.vbs"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3996
- - C:\Windows\winhlp32.exe
    "C:\Windows\winhlp32.exe"
    3⤵
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fknposccdrxufeqxvxheqn.vbs"
      4⤵
      PID:736
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3968
- - C:\Windows\winhlp32.exe
    "C:\Windows\winhlp32.exe"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4360
- - C:\Windows\winhlp32.exe
    "C:\Windows\winhlp32.exe"
    3⤵
    PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4052-128-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4052-121-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4296-127-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4380-135-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4568-140-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download