remcos | e7df824addac322647a4fe1939335084a4c72620d94c4fd7b8665e703e3f7fde

General

Target

PURCHASE ORDER NO4 pdf.js
Size

867KB
MD5

2fe5245098354f7815f23996a250917a
SHA1

0ce8e1c4b93001d61aea6959daa71bed65544900
SHA256

e7df824addac322647a4fe1939335084a4c72620d94c4fd7b8665e703e3f7fde
SHA512

1226bec6e600114353c9c733cc8362e4a3b66fd90e42a890153b9e828201a503128a5aed308ca586069ff71e9a7567ae765b0aa517811a81eda71ecc634bb0bb
SSDEEP

12288:pk7NfBYCQ7TWo3g3C23BpIJ0qcpJpqIsIwGjzgtDIWihh0Kd22vuepMSZ1VA7SqS:Qxp2DI/Z1VA/S

Score

10^/10

remcos vjw0rm remotehost persistence rat trojan worm

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.139.105.174:3111

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XI5CH7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
10	1820	wscript.exe
40	1820	wscript.exe
48	1820	wscript.exe
52	1820	wscript.exe
53	1820	wscript.exe
54	1820	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
2292	3am.exe
3464	remcos.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3am.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NfdRFaNTqV.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NfdRFaNTqV.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	3am.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	3am.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	3am.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	3am.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3464 set thread context of 3720	3464	remcos.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3am.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3464	remcos.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 1820	3544	wscript.exe	81
PID 3544 wrote to memory of 1820	3544	wscript.exe	81
PID 3544 wrote to memory of 2292	3544	wscript.exe	82
PID 3544 wrote to memory of 2292	3544	wscript.exe	82
PID 3544 wrote to memory of 2292	3544	wscript.exe	82
PID 2292 wrote to memory of 444	2292	3am.exe	83
PID 2292 wrote to memory of 444	2292	3am.exe	83
PID 2292 wrote to memory of 444	2292	3am.exe	83
PID 444 wrote to memory of 376	444	WScript.exe	86
PID 444 wrote to memory of 376	444	WScript.exe	86
PID 444 wrote to memory of 376	444	WScript.exe	86
PID 376 wrote to memory of 3464	376	cmd.exe	88
PID 376 wrote to memory of 3464	376	cmd.exe	88
PID 376 wrote to memory of 3464	376	cmd.exe	88
PID 3464 wrote to memory of 3720	3464	remcos.exe	89
PID 3464 wrote to memory of 3720	3464	remcos.exe	89
PID 3464 wrote to memory of 3720	3464	remcos.exe	89
PID 3464 wrote to memory of 3720	3464	remcos.exe	89

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER NO4 pdf.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NfdRFaNTqV.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1820
- C:\Users\Admin\AppData\Roaming\3am.exe
  "C:\Users\Admin\AppData\Roaming\3am.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\skhbtvaoinftdwusbsxj.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3464
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        
        PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
470KB

MD5
8f6f561ec65b393126f5b648f890e78a

SHA1
cea6ff88ba56fcfdcf5992b5b35ec2accbd234a3

SHA256
8acb8ff6a5565f9d8b56e2712858db04e577c53906c8045fa43bdf1e7669120a

SHA512
58e2544db5c4a9771d3cfef8364e80f4b0fb954f7ace2585fbb619d5b9de641eaac6956127d61d5808874633033d3c6d4322fb250a47a7dce5a3c8f2e7f8b27b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
470KB

MD5
8f6f561ec65b393126f5b648f890e78a

SHA1
cea6ff88ba56fcfdcf5992b5b35ec2accbd234a3

SHA256
8acb8ff6a5565f9d8b56e2712858db04e577c53906c8045fa43bdf1e7669120a

SHA512
58e2544db5c4a9771d3cfef8364e80f4b0fb954f7ace2585fbb619d5b9de641eaac6956127d61d5808874633033d3c6d4322fb250a47a7dce5a3c8f2e7f8b27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\skhbtvaoinftdwusbsxj.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Roaming\3am.exe

Filesize
470KB

MD5
8f6f561ec65b393126f5b648f890e78a

SHA1
cea6ff88ba56fcfdcf5992b5b35ec2accbd234a3

SHA256
8acb8ff6a5565f9d8b56e2712858db04e577c53906c8045fa43bdf1e7669120a

SHA512
58e2544db5c4a9771d3cfef8364e80f4b0fb954f7ace2585fbb619d5b9de641eaac6956127d61d5808874633033d3c6d4322fb250a47a7dce5a3c8f2e7f8b27b

Download Submit
C:\Users\Admin\AppData\Roaming\3am.exe

Filesize
470KB

MD5
8f6f561ec65b393126f5b648f890e78a

SHA1
cea6ff88ba56fcfdcf5992b5b35ec2accbd234a3

SHA256
8acb8ff6a5565f9d8b56e2712858db04e577c53906c8045fa43bdf1e7669120a

SHA512
58e2544db5c4a9771d3cfef8364e80f4b0fb954f7ace2585fbb619d5b9de641eaac6956127d61d5808874633033d3c6d4322fb250a47a7dce5a3c8f2e7f8b27b

Download Submit
C:\Users\Admin\AppData\Roaming\NfdRFaNTqV.js

Filesize
8KB

MD5
6b5b268c221e96503a59756be7d696e7

SHA1
d9d40ca54aa3d21de66a23a4207e35f64c2111f1

SHA256
0b73692a7eef086fb0d4f9af58c48316273873f2b176324abd8b8fa3e9124d8b

SHA512
7b066f9661a5b0dd848c36ad0a1e6fb69f205f95cc1137de7a79375934d8349c9540e59331ed6497c0530b98c41585de109876c755bd6a83b4bf49511b3036b2

Download Submit
memory/3720-144-0x0000000001140000-0x00000000011BF000-memory.dmp

Filesize
508KB

Download
memory/3720-145-0x0000000001140000-0x00000000011BF000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing