remcos | 1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10/09/2022, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1008KB
MD5

344a23d53906a0fe841f7a0a8126d75f
SHA1

278871bd3c21de399683e55bf8eec0317441a659
SHA256

1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f
SHA512

cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce
SSDEEP

24576:E4444YyXDTaaHTDkr/LeBf6uG8yI0/dD+lPU3KqeMT/T7UCHdOWM4444:KKPezGb/jKqzf7r9O

Score

10^/10

remcos malymoney persistence rat

Malware Config

Extracted

Family

remcos

Botnet

MalyMoney

maly22333.ddnsking.com:3091

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
iys.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-CQ4N0Z
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
gtr
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 5 IoCs

pid	Process
4852	iys.exe
1684	iys.exe
3400	iys.exe
3352	iys.exe
4468	iys.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	iys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gtr = "\"C:\\Users\\Admin\\AppData\\Roaming\\iys.exe\""	iys.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gtr = "\"C:\\Users\\Admin\\AppData\\Roaming\\iys.exe\""	tmp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 3760	2568	tmp.exe	90
PID 4852 set thread context of 4468	4852	iys.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	tmp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4852	iys.exe
4852	iys.exe
4852	iys.exe
4852	iys.exe
4852	iys.exe
4852	iys.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4852	iys.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4468	iys.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 2568 wrote to memory of 3760	2568	tmp.exe	90
PID 3760 wrote to memory of 4932	3760	tmp.exe	91
PID 3760 wrote to memory of 4932	3760	tmp.exe	91
PID 3760 wrote to memory of 4932	3760	tmp.exe	91
PID 4932 wrote to memory of 5108	4932	WScript.exe	92
PID 4932 wrote to memory of 5108	4932	WScript.exe	92
PID 4932 wrote to memory of 5108	4932	WScript.exe	92
PID 5108 wrote to memory of 4852	5108	cmd.exe	94
PID 5108 wrote to memory of 4852	5108	cmd.exe	94
PID 5108 wrote to memory of 4852	5108	cmd.exe	94
PID 4852 wrote to memory of 1684	4852	iys.exe	99
PID 4852 wrote to memory of 1684	4852	iys.exe	99
PID 4852 wrote to memory of 1684	4852	iys.exe	99
PID 4852 wrote to memory of 3400	4852	iys.exe	100
PID 4852 wrote to memory of 3400	4852	iys.exe	100
PID 4852 wrote to memory of 3400	4852	iys.exe	100
PID 4852 wrote to memory of 3352	4852	iys.exe	101
PID 4852 wrote to memory of 3352	4852	iys.exe	101
PID 4852 wrote to memory of 3352	4852	iys.exe	101
PID 4852 wrote to memory of 4468	4852	iys.exe	102
PID 4852 wrote to memory of 4468	4852	iys.exe	102
PID 4852 wrote to memory of 4468	4852	iys.exe	102
PID 4852 wrote to memory of 4468	4852	iys.exe	102
PID 4852 wrote to memory of 4468	4852	iys.exe	102
PID 4852 wrote to memory of 4468	4852	iys.exe	102
PID 4852 wrote to memory of 4468	4852	iys.exe	102
PID 4852 wrote to memory of 4468	4852	iys.exe	102
PID 4852 wrote to memory of 4468	4852	iys.exe	102
PID 4852 wrote to memory of 4468	4852	iys.exe	102
PID 4852 wrote to memory of 4468	4852	iys.exe	102
PID 4852 wrote to memory of 4468	4852	iys.exe	102

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\iys.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Users\Admin\AppData\Roaming\iys.exe
        
        C:\Users\Admin\AppData\Roaming\iys.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Users\Admin\AppData\Roaming\iys.exe
        
        "C:\Users\Admin\AppData\Roaming\iys.exe"
        6⤵
        Executes dropped EXE
        
        PID:1684
      - C:\Users\Admin\AppData\Roaming\iys.exe
        
        "C:\Users\Admin\AppData\Roaming\iys.exe"
        6⤵
        Executes dropped EXE
        
        PID:3400
      - C:\Users\Admin\AppData\Roaming\iys.exe
        
        "C:\Users\Admin\AppData\Roaming\iys.exe"
        6⤵
        Executes dropped EXE
        
        PID:3352
      - C:\Users\Admin\AppData\Roaming\iys.exe
        
        "C:\Users\Admin\AppData\Roaming\iys.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
398B

MD5
d1d78c43dd8979c231896f298ba28326

SHA1
f62fee4bb9bed07d062dd9f9618434d4417fa11d

SHA256
5a8ddad5dcf6071f62ad721ac553bafd90be9db146aa77d29bfc30a72415099b

SHA512
8a8baf664b75f7beb00abd3fc16286155850abfaa9d5d95687279244f0f5a3ceeef965e754de19614f7a18646ffea4c7b09d028e54fec2aaf42d896b2d93da6a

Download Submit
C:\Users\Admin\AppData\Roaming\iys.exe

Filesize
1008KB

MD5
344a23d53906a0fe841f7a0a8126d75f

SHA1
278871bd3c21de399683e55bf8eec0317441a659

SHA256
1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

SHA512
cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

Download Submit
C:\Users\Admin\AppData\Roaming\iys.exe

Filesize
1008KB

MD5
344a23d53906a0fe841f7a0a8126d75f

SHA1
278871bd3c21de399683e55bf8eec0317441a659

SHA256
1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

SHA512
cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

Download Submit
C:\Users\Admin\AppData\Roaming\iys.exe

Filesize
1008KB

MD5
344a23d53906a0fe841f7a0a8126d75f

SHA1
278871bd3c21de399683e55bf8eec0317441a659

SHA256
1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

SHA512
cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

Download Submit
C:\Users\Admin\AppData\Roaming\iys.exe

Filesize
1008KB

MD5
344a23d53906a0fe841f7a0a8126d75f

SHA1
278871bd3c21de399683e55bf8eec0317441a659

SHA256
1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

SHA512
cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

Download Submit
C:\Users\Admin\AppData\Roaming\iys.exe

Filesize
1008KB

MD5
344a23d53906a0fe841f7a0a8126d75f

SHA1
278871bd3c21de399683e55bf8eec0317441a659

SHA256
1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

SHA512
cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

Download Submit
C:\Users\Admin\AppData\Roaming\iys.exe

Filesize
1008KB

MD5
344a23d53906a0fe841f7a0a8126d75f

SHA1
278871bd3c21de399683e55bf8eec0317441a659

SHA256
1303812928a7f3ca5452a5d0758c2bbe3e876c892cbd90a6b6ca436f48e6940f

SHA512
cd5ed8ed25f84e70483a5e9febce10f6109287ccba72833ad218c219ee074d3b069c7e29a52bd4940458837673134852bb8976621125b4ed9b4e8cbf54ac77ce

Download Submit
memory/2568-135-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/2568-132-0x0000000000460000-0x0000000000562000-memory.dmp

Filesize
1.0MB

Download
memory/2568-136-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/2568-134-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/2568-133-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/3760-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3760-142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3760-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3760-138-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4468-158-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4468-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4468-159-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4468-160-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download