remcos | 17b4d4ca21f00476cc685afc5d3e50c05dee6cb254bed429993ee57750abf6be

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Product Catalogue.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	Product Catalogue.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	svchost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Product Catalogue.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Product Catalogue.exe

Executes dropped EXE 1 IoCs

pid	Process
1564	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
552	cmd.exe
552	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	Product Catalogue.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Product Catalogue.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Product Catalogue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1564 set thread context of 748	1564	svchost.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
340	schtasks.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
1240	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1460	Product Catalogue.exe
1564	svchost.exe
1564	svchost.exe
1564	svchost.exe
1564	svchost.exe
1620	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1564	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	Product Catalogue.exe
Token: SeDebugPrivilege	1564	svchost.exe
Token: SeDebugPrivilege	1564	svchost.exe
Token: SeLoadDriverPrivilege	1564	svchost.exe
Token: SeDebugPrivilege	1620	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
748	jsc.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1700	1460	Product Catalogue.exe	28
PID 1460 wrote to memory of 1700	1460	Product Catalogue.exe	28
PID 1460 wrote to memory of 1700	1460	Product Catalogue.exe	28
PID 1460 wrote to memory of 552	1460	Product Catalogue.exe	30
PID 1460 wrote to memory of 552	1460	Product Catalogue.exe	30
PID 1460 wrote to memory of 552	1460	Product Catalogue.exe	30
PID 1700 wrote to memory of 340	1700	cmd.exe	32
PID 1700 wrote to memory of 340	1700	cmd.exe	32
PID 1700 wrote to memory of 340	1700	cmd.exe	32
PID 552 wrote to memory of 1240	552	cmd.exe	33
PID 552 wrote to memory of 1240	552	cmd.exe	33
PID 552 wrote to memory of 1240	552	cmd.exe	33
PID 552 wrote to memory of 1564	552	cmd.exe	34
PID 552 wrote to memory of 1564	552	cmd.exe	34
PID 552 wrote to memory of 1564	552	cmd.exe	34
PID 1564 wrote to memory of 1620	1564	svchost.exe	35
PID 1564 wrote to memory of 1620	1564	svchost.exe	35
PID 1564 wrote to memory of 1620	1564	svchost.exe	35
PID 1564 wrote to memory of 1268	1564	svchost.exe	37
PID 1564 wrote to memory of 1268	1564	svchost.exe	37
PID 1564 wrote to memory of 1268	1564	svchost.exe	37
PID 1564 wrote to memory of 1148	1564	svchost.exe	39
PID 1564 wrote to memory of 1148	1564	svchost.exe	39
PID 1564 wrote to memory of 1148	1564	svchost.exe	39
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38
PID 1564 wrote to memory of 748	1564	svchost.exe	38

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Product Catalogue.exe
"C:\Users\Admin\AppData\Local\Temp\Product Catalogue.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:340
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3FB0.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1240
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - UAC bypass
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Sets service image path in registry
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1620
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
      4⤵
      PID:1268
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:748
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion