remcos | f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27

General

Target

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Size

1.4MB
MD5

fecaf29f4b5fa02b801f7dcaf13472d8
SHA1

ed394790fbd6c2adb6db9f4dc44d54dd85cc4171
SHA256

f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27
SHA512

993cc7f3055adf6e9ced61b4b4a1beb0f97a81e69dee6ba676229716d97a25ba63c3458485b618cdee4df8997d3e7828b98371494cbf0627d6f0ae8244f4032e
SSDEEP

24576:Kg7AqlKSw+m74B/WHoUdSs/B1pfk4Nor1JbamMdGT8i:F7AxJ74BfUkQB1Vkxl0dS8

Score

10^/10

remcos uc persistence rat

Malware Config

Extracted

Family

remcos

Botnet

UC

C2

ucremcz1.ddns.net:1823

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
BIN.exe
copy_folder
BIN
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-TYHMFA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
bin
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

BIN.exe

pid process

3132 BIN.exe

pid	process
3132	BIN.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exeSecuriteInfo.com.Win32.PWSX-gen.18196.4017.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\BIN\\BIN.exe\""	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\BIN\\BIN.exe\""	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe

description	pid	process	target process
PID 3456 set thread context of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1504 schtasks.exe

pid	process
1504	schtasks.exe

Modifies registry class 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe

pid process

3456 SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
3456 SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe

description pid process

Token: SeDebugPrivilege 3456 SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe

pid	process
3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe

description	pid	process
Token: SeDebugPrivilege	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exeSecuriteInfo.com.Win32.PWSX-gen.18196.4017.exeWScript.execmd.exe

description	pid	process	target process
PID 3456 wrote to memory of 1504	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	schtasks.exe
PID 3456 wrote to memory of 1504	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	schtasks.exe
PID 3456 wrote to memory of 1504	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	schtasks.exe
PID 3456 wrote to memory of 816	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 816	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 816	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 3456 wrote to memory of 2136	3456	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 2136 wrote to memory of 3896	2136	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	WScript.exe
PID 2136 wrote to memory of 3896	2136	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	WScript.exe
PID 2136 wrote to memory of 3896	2136	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	WScript.exe
PID 3896 wrote to memory of 1336	3896	WScript.exe	cmd.exe
PID 3896 wrote to memory of 1336	3896	WScript.exe	cmd.exe
PID 3896 wrote to memory of 1336	3896	WScript.exe	cmd.exe
PID 1336 wrote to memory of 3132	1336	cmd.exe	BIN.exe
PID 1336 wrote to memory of 3132	1336	cmd.exe	BIN.exe
PID 1336 wrote to memory of 3132	1336	cmd.exe	BIN.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LASJvAOXx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C6C.tmp"
2⤵
- Creates scheduled task(s)
PID:1504

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
"{path}"
2⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
"{path}"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\BIN\BIN.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Roaming\BIN\BIN.exe
C:\Users\Admin\AppData\Roaming\BIN\BIN.exe
5⤵
- Executes dropped EXE
PID:3132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
406B

MD5
6635e7fa26b296a61475e4fc7fa2033b

SHA1
29ae9f05ce79a4239df1fa3f4a0426d1af269678

SHA256
1ed12f7480bbdc0450b1385ebb3559eb8369f69508f314bf2b31f3b399179b31

SHA512
7ae5d38eeb8c865033fda364f40f14c96e00bd45b4dac47c48bc9303b822dfb9a547bebc973ea6b96e9e1937affea541ba17689da6c6fe3462ea22e4b2bd868e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C6C.tmp
Filesize
1KB

MD5
89ff55dc654420718adbfebddf17f6a0

SHA1
c1f1b3975e45b3a4e12bdb0b96c163895093524b

SHA256
4ce27a9cfc0cbe0c7e52a09b5e9d2263e119b8bfc1703c97aa3832013e41a719

SHA512
7b3e173095244163f66bcac277dbb56ec694b0c1379823570e4b90e3c8a45b284ebbdeded49e33a33cd087b7bbd4c630ba27632b631b9f82603cf19eb266c2f8

Download Submit
C:\Users\Admin\AppData\Roaming\BIN\BIN.exe
Filesize
1.4MB

MD5
fecaf29f4b5fa02b801f7dcaf13472d8

SHA1
ed394790fbd6c2adb6db9f4dc44d54dd85cc4171

SHA256
f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27

SHA512
993cc7f3055adf6e9ced61b4b4a1beb0f97a81e69dee6ba676229716d97a25ba63c3458485b618cdee4df8997d3e7828b98371494cbf0627d6f0ae8244f4032e

Download Submit
C:\Users\Admin\AppData\Roaming\BIN\BIN.exe
Filesize
1.4MB

MD5
fecaf29f4b5fa02b801f7dcaf13472d8

SHA1
ed394790fbd6c2adb6db9f4dc44d54dd85cc4171

SHA256
f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27

SHA512
993cc7f3055adf6e9ced61b4b4a1beb0f97a81e69dee6ba676229716d97a25ba63c3458485b618cdee4df8997d3e7828b98371494cbf0627d6f0ae8244f4032e

Download Submit
memory/816-139-0x0000000000000000-mapping.dmp

Download
memory/1336-147-0x0000000000000000-mapping.dmp

Download
memory/1504-137-0x0000000000000000-mapping.dmp

Download
memory/2136-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2136-140-0x0000000000000000-mapping.dmp

Download
memory/2136-145-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2136-142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2136-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3132-148-0x0000000000000000-mapping.dmp

Download
memory/3456-136-0x0000000005AF0000-0x0000000005AFA000-memory.dmp

Filesize
40KB

Download
memory/3456-132-0x0000000000FE0000-0x0000000001148000-memory.dmp

Filesize
1.4MB

Download
memory/3456-135-0x0000000005BE0000-0x0000000005C7C000-memory.dmp

Filesize
624KB

Download
memory/3456-134-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/3456-133-0x0000000006050000-0x00000000065F4000-memory.dmp

Filesize
5.6MB

Download
memory/3896-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads