remcos | 6a9869c98547c0566c4f3462ab529cc0a72e9c5f35f5767773575196f68f44ab

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan Copy06.js
Size

873KB
MD5

90a8d36688fde3d0e06e101388baf1e1
SHA1

f36ba8657a332a72996c5aee51d3af45a68bbcb5
SHA256

6a9869c98547c0566c4f3462ab529cc0a72e9c5f35f5767773575196f68f44ab
SHA512

492e5d2e7a3a05906b6a521f6e6c8dafb6c32fd6da2a4075d69429f1750053302e81e96d5e282cd7281b3f9d53586f104ee6afbc59398d2d7b918e97d693c0dd
SSDEEP

12288:nBi1CUqtHhlYWwP2r0dNB8wDzyNfQyp/Yx76SKFRtYFhAc/kdP1WgZwfraDCa:nBizUDOyid0p

Score

10^/10

remcos vjw0rm remotehost evasion persistence rat trojan worm

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

45.139.105.174:3132

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Y0T2QT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 5 IoCs

flow	pid	Process
8	868	wscript.exe
11	868	wscript.exe
12	868	wscript.exe
15	868	wscript.exe
16	868	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1192	pwer.exe
1656	remcos.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TwZstDnUOX.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TwZstDnUOX.js	wscript.exe

Loads dropped DLL 2 IoCs

pid	Process
1464	cmd.exe
1464	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	pwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	pwer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	pwer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	pwer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1656 set thread context of 808	1656	remcos.exe	40
PID 808 set thread context of 1428	808	iexplore.exe	44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
892	reg.exe
1824	reg.exe
684	reg.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1656	remcos.exe
808	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
808	iexplore.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 868	1756	wscript.exe	28
PID 1756 wrote to memory of 868	1756	wscript.exe	28
PID 1756 wrote to memory of 868	1756	wscript.exe	28
PID 1756 wrote to memory of 1192	1756	wscript.exe	29
PID 1756 wrote to memory of 1192	1756	wscript.exe	29
PID 1756 wrote to memory of 1192	1756	wscript.exe	29
PID 1756 wrote to memory of 1192	1756	wscript.exe	29
PID 1192 wrote to memory of 1816	1192	pwer.exe	31
PID 1192 wrote to memory of 1816	1192	pwer.exe	31
PID 1192 wrote to memory of 1816	1192	pwer.exe	31
PID 1192 wrote to memory of 1816	1192	pwer.exe	31
PID 1816 wrote to memory of 892	1816	cmd.exe	33
PID 1816 wrote to memory of 892	1816	cmd.exe	33
PID 1816 wrote to memory of 892	1816	cmd.exe	33
PID 1816 wrote to memory of 892	1816	cmd.exe	33
PID 1192 wrote to memory of 1576	1192	pwer.exe	34
PID 1192 wrote to memory of 1576	1192	pwer.exe	34
PID 1192 wrote to memory of 1576	1192	pwer.exe	34
PID 1192 wrote to memory of 1576	1192	pwer.exe	34
PID 1576 wrote to memory of 1464	1576	WScript.exe	35
PID 1576 wrote to memory of 1464	1576	WScript.exe	35
PID 1576 wrote to memory of 1464	1576	WScript.exe	35
PID 1576 wrote to memory of 1464	1576	WScript.exe	35
PID 1464 wrote to memory of 1656	1464	cmd.exe	37
PID 1464 wrote to memory of 1656	1464	cmd.exe	37
PID 1464 wrote to memory of 1656	1464	cmd.exe	37
PID 1464 wrote to memory of 1656	1464	cmd.exe	37
PID 1656 wrote to memory of 2012	1656	remcos.exe	38
PID 1656 wrote to memory of 2012	1656	remcos.exe	38
PID 1656 wrote to memory of 2012	1656	remcos.exe	38
PID 1656 wrote to memory of 2012	1656	remcos.exe	38
PID 1656 wrote to memory of 808	1656	remcos.exe	40
PID 1656 wrote to memory of 808	1656	remcos.exe	40
PID 1656 wrote to memory of 808	1656	remcos.exe	40
PID 1656 wrote to memory of 808	1656	remcos.exe	40
PID 1656 wrote to memory of 808	1656	remcos.exe	40
PID 808 wrote to memory of 1652	808	iexplore.exe	41
PID 808 wrote to memory of 1652	808	iexplore.exe	41
PID 808 wrote to memory of 1652	808	iexplore.exe	41
PID 808 wrote to memory of 1652	808	iexplore.exe	41
PID 2012 wrote to memory of 1824	2012	cmd.exe	42
PID 2012 wrote to memory of 1824	2012	cmd.exe	42
PID 2012 wrote to memory of 1824	2012	cmd.exe	42
PID 2012 wrote to memory of 1824	2012	cmd.exe	42
PID 808 wrote to memory of 1428	808	iexplore.exe	44
PID 808 wrote to memory of 1428	808	iexplore.exe	44
PID 808 wrote to memory of 1428	808	iexplore.exe	44
PID 808 wrote to memory of 1428	808	iexplore.exe	44
PID 1652 wrote to memory of 684	1652	cmd.exe	45
PID 1652 wrote to memory of 684	1652	cmd.exe	45
PID 1652 wrote to memory of 684	1652	cmd.exe	45
PID 1652 wrote to memory of 684	1652	cmd.exe	45
PID 808 wrote to memory of 1428	808	iexplore.exe	44

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scan Copy06.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TwZstDnUOX.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:868
- C:\Users\Admin\AppData\Roaming\pwer.exe
  "C:\Users\Admin\AppData\Roaming\pwer.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jydctbkdvp.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:1824
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:684
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        
        PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
470KB

MD5
cf76154a7257f8447b77350760a59481

SHA1
554ee677ee627f9361156e5d9e52c944d9eed971

SHA256
b55e1430bc8fd56b53d40e8dc1bb4a176f37f5d5b202fdbd6ea7ced8b73434ba

SHA512
32807dd9f6a82fda74e4057df65a6682fb2e97565d819dac2a6eb2aac2e15935417703e5c9ab9d3c30123980dd37e8677c982796736c15778d7fe468a260ed81

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
470KB

MD5
cf76154a7257f8447b77350760a59481

SHA1
554ee677ee627f9361156e5d9e52c944d9eed971

SHA256
b55e1430bc8fd56b53d40e8dc1bb4a176f37f5d5b202fdbd6ea7ced8b73434ba

SHA512
32807dd9f6a82fda74e4057df65a6682fb2e97565d819dac2a6eb2aac2e15935417703e5c9ab9d3c30123980dd37e8677c982796736c15778d7fe468a260ed81

Download Submit
C:\Users\Admin\AppData\Local\Temp\jydctbkdvp.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Roaming\TwZstDnUOX.js

Filesize
10KB

MD5
2e3decd57f43555d3d49623771f470f5

SHA1
ed2341ea6a3cfcbd2741404a13a22faded1920ba

SHA256
dcdbd17e3f9939f07f9438dc1cb6dab0ef36710553af33d3d09f2f27d58aaae3

SHA512
708510e75684765d59774ea3c964b2b970411f0b865adcd953bb1a9777d666b8909dd268c26a85b6e732d0246ae1173b79572ee19cf894df6e04cf7afbb81c83

Download Submit
C:\Users\Admin\AppData\Roaming\pwer.exe

Filesize
470KB

MD5
cf76154a7257f8447b77350760a59481

SHA1
554ee677ee627f9361156e5d9e52c944d9eed971

SHA256
b55e1430bc8fd56b53d40e8dc1bb4a176f37f5d5b202fdbd6ea7ced8b73434ba

SHA512
32807dd9f6a82fda74e4057df65a6682fb2e97565d819dac2a6eb2aac2e15935417703e5c9ab9d3c30123980dd37e8677c982796736c15778d7fe468a260ed81

Download Submit
C:\Users\Admin\AppData\Roaming\pwer.exe

Filesize
470KB

MD5
cf76154a7257f8447b77350760a59481

SHA1
554ee677ee627f9361156e5d9e52c944d9eed971

SHA256
b55e1430bc8fd56b53d40e8dc1bb4a176f37f5d5b202fdbd6ea7ced8b73434ba

SHA512
32807dd9f6a82fda74e4057df65a6682fb2e97565d819dac2a6eb2aac2e15935417703e5c9ab9d3c30123980dd37e8677c982796736c15778d7fe468a260ed81

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
470KB

MD5
cf76154a7257f8447b77350760a59481

SHA1
554ee677ee627f9361156e5d9e52c944d9eed971

SHA256
b55e1430bc8fd56b53d40e8dc1bb4a176f37f5d5b202fdbd6ea7ced8b73434ba

SHA512
32807dd9f6a82fda74e4057df65a6682fb2e97565d819dac2a6eb2aac2e15935417703e5c9ab9d3c30123980dd37e8677c982796736c15778d7fe468a260ed81

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
470KB

MD5
cf76154a7257f8447b77350760a59481

SHA1
554ee677ee627f9361156e5d9e52c944d9eed971

SHA256
b55e1430bc8fd56b53d40e8dc1bb4a176f37f5d5b202fdbd6ea7ced8b73434ba

SHA512
32807dd9f6a82fda74e4057df65a6682fb2e97565d819dac2a6eb2aac2e15935417703e5c9ab9d3c30123980dd37e8677c982796736c15778d7fe468a260ed81

Download Submit
memory/808-84-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/808-82-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1192-59-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1428-83-0x00000000000C0000-0x000000000013F000-memory.dmp

Filesize
508KB

Download
memory/1756-54-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads