Overview

overview

10

Static

static

Scan Copy06.js

windows7-x64

10

Scan Copy06.js

windows10-2004-x64

10

Analysis

  • max time kernel
    159s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2022, 09:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan Copy06.js

  • Size

    873KB

  • MD5

    90a8d36688fde3d0e06e101388baf1e1

  • SHA1

    f36ba8657a332a72996c5aee51d3af45a68bbcb5

  • SHA256

    6a9869c98547c0566c4f3462ab529cc0a72e9c5f35f5767773575196f68f44ab

  • SHA512

    492e5d2e7a3a05906b6a521f6e6c8dafb6c32fd6da2a4075d69429f1750053302e81e96d5e282cd7281b3f9d53586f104ee6afbc59398d2d7b918e97d693c0dd

  • SSDEEP

    12288:nBi1CUqtHhlYWwP2r0dNB8wDzyNfQyp/Yx76SKFRtYFhAc/kdP1WgZwfraDCa:nBizUDOyid0p

Score
10/10
remcosvjw0rmremotehostevasionpersistencerattrojanworm

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.139.105.174:3132

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-Y0T2QT

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scan Copy06.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TwZstDnUOX.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:2348
    • C:\Users\Admin\AppData\Roaming\pwer.exe
      "C:\Users\Admin\AppData\Roaming\pwer.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • Modifies registry key
          PID:116
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fnkmtlwmzyyxpattzrfffgri.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3248
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4268
          • C:\ProgramData\Remcos\remcos.exe
            C:\ProgramData\Remcos\remcos.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4476
            • C:\Windows\SysWOW64\cmd.exe
              /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2436
              • C:\Windows\SysWOW64\reg.exe
                C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                7⤵
                • UAC bypass
                • Modifies registry key
                PID:1496
            • \??\c:\program files (x86)\internet explorer\iexplore.exe
              "c:\program files (x86)\internet explorer\iexplore.exe"
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:672
              • C:\Windows\SysWOW64\cmd.exe
                /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1160
                • C:\Windows\SysWOW64\reg.exe
                  C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  8⤵
                  • UAC bypass
                  • Modifies registry key
                  PID:5052
              • C:\Windows\SysWOW64\svchost.exe
                svchost.exe
                7⤵
                  PID:3604

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Remcos\remcos.exe
      Filesize

      470KB

      MD5

      cf76154a7257f8447b77350760a59481

      SHA1

      554ee677ee627f9361156e5d9e52c944d9eed971

      SHA256

      b55e1430bc8fd56b53d40e8dc1bb4a176f37f5d5b202fdbd6ea7ced8b73434ba

      SHA512

      32807dd9f6a82fda74e4057df65a6682fb2e97565d819dac2a6eb2aac2e15935417703e5c9ab9d3c30123980dd37e8677c982796736c15778d7fe468a260ed81

      Download Submit

    • C:\ProgramData\Remcos\remcos.exe
      Filesize

      470KB

      MD5

      cf76154a7257f8447b77350760a59481

      SHA1

      554ee677ee627f9361156e5d9e52c944d9eed971

      SHA256

      b55e1430bc8fd56b53d40e8dc1bb4a176f37f5d5b202fdbd6ea7ced8b73434ba

      SHA512

      32807dd9f6a82fda74e4057df65a6682fb2e97565d819dac2a6eb2aac2e15935417703e5c9ab9d3c30123980dd37e8677c982796736c15778d7fe468a260ed81

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\fnkmtlwmzyyxpattzrfffgri.vbs
      Filesize

      386B

      MD5

      1ec6289c6fd4c2ded6b2836ed28cbeb5

      SHA1

      c4e08195e6c640eb8860acc03fda1d649b4fe070

      SHA256

      6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

      SHA512

      20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

      Download Submit

    • C:\Users\Admin\AppData\Roaming\TwZstDnUOX.js
      Filesize

      10KB

      MD5

      2e3decd57f43555d3d49623771f470f5

      SHA1

      ed2341ea6a3cfcbd2741404a13a22faded1920ba

      SHA256

      dcdbd17e3f9939f07f9438dc1cb6dab0ef36710553af33d3d09f2f27d58aaae3

      SHA512

      708510e75684765d59774ea3c964b2b970411f0b865adcd953bb1a9777d666b8909dd268c26a85b6e732d0246ae1173b79572ee19cf894df6e04cf7afbb81c83

      Download Submit

    • C:\Users\Admin\AppData\Roaming\pwer.exe
      Filesize

      470KB

      MD5

      cf76154a7257f8447b77350760a59481

      SHA1

      554ee677ee627f9361156e5d9e52c944d9eed971

      SHA256

      b55e1430bc8fd56b53d40e8dc1bb4a176f37f5d5b202fdbd6ea7ced8b73434ba

      SHA512

      32807dd9f6a82fda74e4057df65a6682fb2e97565d819dac2a6eb2aac2e15935417703e5c9ab9d3c30123980dd37e8677c982796736c15778d7fe468a260ed81

      Download Submit

    • C:\Users\Admin\AppData\Roaming\pwer.exe
      Filesize

      470KB

      MD5

      cf76154a7257f8447b77350760a59481

      SHA1

      554ee677ee627f9361156e5d9e52c944d9eed971

      SHA256

      b55e1430bc8fd56b53d40e8dc1bb4a176f37f5d5b202fdbd6ea7ced8b73434ba

      SHA512

      32807dd9f6a82fda74e4057df65a6682fb2e97565d819dac2a6eb2aac2e15935417703e5c9ab9d3c30123980dd37e8677c982796736c15778d7fe468a260ed81

      Download Submit

    • memory/672-149-0x0000000000B50000-0x0000000000BCF000-memory.dmp

      Filesize

      508KB

      Download

    • memory/672-153-0x0000000000B50000-0x0000000000BCF000-memory.dmp

      Filesize

      508KB

      Download

    • memory/3604-152-0x0000000000540000-0x00000000005BF000-memory.dmp

      Filesize

      508KB

      Download