remcos | eadcb694c90b03001c2f276e59f56167138a77726f18e422ae942b8a518ca8c2

Analysis

max time kernel
158s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UUS.exe
Size

1.1MB
MD5

a3cc5b79c80fdc265d97ea7c73ae8017
SHA1

b9514255b5aebb6b07a133a0f70124c9a456ade0
SHA256

eadcb694c90b03001c2f276e59f56167138a77726f18e422ae942b8a518ca8c2
SHA512

b83b71b05075ae581330e1113fc6bfba325cb1147f560bb97b4d0317d9a646f5c495222545a56d96d8e3255eab84e09d9d70e632a2951bd82fb14c47dca16730
SSDEEP

24576:/ekPPpLnSJQwtTdFoBKvq4wL404YIE1Zu7/s8b/dROp6HlzF:DhneQwTFykqfL4wIE1U7JSEHlzF

Score

10^/10

remcos ud-host persistence rat

Malware Config

Extracted

Family

remcos

Botnet

UD-Host

amegroupofschoos32.sytes.net:4820

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
dos.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
mouse_option
false
mutex
Rmc-7F587C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
ax
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2932	dos.exe
796	dos.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	UUS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	dos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ax = "\"C:\\Users\\Admin\\AppData\\Roaming\\dos.exe\""	dos.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	UUS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ax = "\"C:\\Users\\Admin\\AppData\\Roaming\\dos.exe\""	UUS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	UUS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ax = "\"C:\\Users\\Admin\\AppData\\Roaming\\dos.exe\""	UUS.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	dos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ax = "\"C:\\Users\\Admin\\AppData\\Roaming\\dos.exe\""	dos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 400	2092	UUS.exe	92
PID 2932 set thread context of 796	2932	dos.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	UUS.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
796	dos.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 2092 wrote to memory of 400	2092	UUS.exe	92
PID 400 wrote to memory of 3744	400	UUS.exe	93
PID 400 wrote to memory of 3744	400	UUS.exe	93
PID 400 wrote to memory of 3744	400	UUS.exe	93
PID 3744 wrote to memory of 2024	3744	WScript.exe	94
PID 3744 wrote to memory of 2024	3744	WScript.exe	94
PID 3744 wrote to memory of 2024	3744	WScript.exe	94
PID 2024 wrote to memory of 2932	2024	cmd.exe	96
PID 2024 wrote to memory of 2932	2024	cmd.exe	96
PID 2024 wrote to memory of 2932	2024	cmd.exe	96
PID 2932 wrote to memory of 796	2932	dos.exe	99
PID 2932 wrote to memory of 796	2932	dos.exe	99
PID 2932 wrote to memory of 796	2932	dos.exe	99
PID 2932 wrote to memory of 796	2932	dos.exe	99
PID 2932 wrote to memory of 796	2932	dos.exe	99
PID 2932 wrote to memory of 796	2932	dos.exe	99
PID 2932 wrote to memory of 796	2932	dos.exe	99
PID 2932 wrote to memory of 796	2932	dos.exe	99
PID 2932 wrote to memory of 796	2932	dos.exe	99
PID 2932 wrote to memory of 796	2932	dos.exe	99
PID 2932 wrote to memory of 796	2932	dos.exe	99
PID 2932 wrote to memory of 796	2932	dos.exe	99

C:\Users\Admin\AppData\Local\Temp\UUS.exe
"C:\Users\Admin\AppData\Local\Temp\UUS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\UUS.exe
  "C:\Users\Admin\AppData\Local\Temp\UUS.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\dos.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Users\Admin\AppData\Roaming\dos.exe
        
        C:\Users\Admin\AppData\Roaming\dos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Users\Admin\AppData\Roaming\dos.exe
        
        "C:\Users\Admin\AppData\Roaming\dos.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
398B

MD5
900bef8cebe89717a150a46ada498865

SHA1
f56e326209561a9baffeae921deefad15bb7a699

SHA256
65be12a911de0a8ca2019e4bc52118fc2521b257aafae055bf6b1dff9247fa5c

SHA512
eccf6ddd112f2219d52ef1feb70cab487d7d88bf8ca8637ca2f2cb5121da781dc9268bda45617191c1624957cd5df0b6b086e01fe868a325cac48f2e5f284e11

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
a3cc5b79c80fdc265d97ea7c73ae8017

SHA1
b9514255b5aebb6b07a133a0f70124c9a456ade0

SHA256
eadcb694c90b03001c2f276e59f56167138a77726f18e422ae942b8a518ca8c2

SHA512
b83b71b05075ae581330e1113fc6bfba325cb1147f560bb97b4d0317d9a646f5c495222545a56d96d8e3255eab84e09d9d70e632a2951bd82fb14c47dca16730

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
a3cc5b79c80fdc265d97ea7c73ae8017

SHA1
b9514255b5aebb6b07a133a0f70124c9a456ade0

SHA256
eadcb694c90b03001c2f276e59f56167138a77726f18e422ae942b8a518ca8c2

SHA512
b83b71b05075ae581330e1113fc6bfba325cb1147f560bb97b4d0317d9a646f5c495222545a56d96d8e3255eab84e09d9d70e632a2951bd82fb14c47dca16730

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
a3cc5b79c80fdc265d97ea7c73ae8017

SHA1
b9514255b5aebb6b07a133a0f70124c9a456ade0

SHA256
eadcb694c90b03001c2f276e59f56167138a77726f18e422ae942b8a518ca8c2

SHA512
b83b71b05075ae581330e1113fc6bfba325cb1147f560bb97b4d0317d9a646f5c495222545a56d96d8e3255eab84e09d9d70e632a2951bd82fb14c47dca16730

Download Submit
memory/400-142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/400-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/400-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/400-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/400-144-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/796-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/796-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/796-153-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2092-136-0x0000000001020000-0x00000000010BC000-memory.dmp

Filesize
624KB

Download
memory/2092-134-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/2092-135-0x0000000005160000-0x000000000516A000-memory.dmp

Filesize
40KB

Download
memory/2092-133-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/2092-137-0x00000000076A0000-0x0000000007706000-memory.dmp

Filesize
408KB

Download
memory/2092-132-0x00000000006B0000-0x00000000007C6000-memory.dmp

Filesize
1.1MB

Download