remcos | 20f140b6b03ab5318a5c9ce920528c982184ea1fa5e4e51dd3925eedf36ea924

General

Target

SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
Size

1.0MB
MD5

18fba1571b2ef85ee29d7629b0360f8b
SHA1

160a5e70d376d45de6f8ca69cf00bdfe0530ce72
SHA256

20f140b6b03ab5318a5c9ce920528c982184ea1fa5e4e51dd3925eedf36ea924
SHA512

0ff5e16ddc13cdcfe5624f3eb7d2535ef40a825f1dfc758cf3d41c390c6ce73c06d501be5c4ed16927dc2f8a6d6287ba06c5d8c43e51595f461a2552b1dd2d2b
SSDEEP

24576:1VsubUUqO599RV00dK3mtjs/c9+NHU8koM/EmRHGzY:LsubUUqOz9f0Fmtwv/O/BGzY

Score

10^/10

remcos elka persistence rat

Malware Config

Extracted

Family

remcos

Botnet

ELKA

C2

republic-fountain.gl.at.ply.gg:17113

everyone-clinic.gl.at.ply.gg:17632

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
0
copy_file
adobe.exe
copy_folder
system
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
files
keylog_path
%UserProfile%
mouse_option
false
mutex
RM-RMasj21984u31e3u2jdas9d21-OU6GOC
screenshot_crypt
true
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
60
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

4468 svchost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4468	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4468 set thread context of 2056 4468 svchost.exe ilasm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3096 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1772 timeout.exe

description	pid	process	target process
PID 4468 set thread context of 2056	4468	svchost.exe	ilasm.exe

pid	process
3096	schtasks.exe

pid	process
1772	timeout.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exesvchost.exe

pid	process
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
4468	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1968 SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
Token: SeDebugPrivilege 4468 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
Token: SeDebugPrivilege	4468	svchost.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

SecuriteInfo.com.Win64.PWSX-gen.30087.11508.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 1968 wrote to memory of 3928	1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe	cmd.exe
PID 1968 wrote to memory of 3928	1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe	cmd.exe
PID 1968 wrote to memory of 3448	1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe	cmd.exe
PID 1968 wrote to memory of 3448	1968	SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe	cmd.exe
PID 3448 wrote to memory of 1772	3448	cmd.exe	timeout.exe
PID 3448 wrote to memory of 1772	3448	cmd.exe	timeout.exe
PID 3928 wrote to memory of 3096	3928	cmd.exe	schtasks.exe
PID 3928 wrote to memory of 3096	3928	cmd.exe	schtasks.exe
PID 3448 wrote to memory of 4468	3448	cmd.exe	svchost.exe
PID 3448 wrote to memory of 4468	3448	cmd.exe	svchost.exe
PID 4468 wrote to memory of 2312	4468	svchost.exe	notepad.exe
PID 4468 wrote to memory of 2312	4468	svchost.exe	notepad.exe
PID 4468 wrote to memory of 2312	4468	svchost.exe	notepad.exe
PID 4468 wrote to memory of 2312	4468	svchost.exe	notepad.exe
PID 4468 wrote to memory of 2312	4468	svchost.exe	notepad.exe
PID 4468 wrote to memory of 2312	4468	svchost.exe	notepad.exe
PID 4468 wrote to memory of 2312	4468	svchost.exe	notepad.exe
PID 4468 wrote to memory of 2312	4468	svchost.exe	notepad.exe
PID 4468 wrote to memory of 2312	4468	svchost.exe	notepad.exe
PID 4468 wrote to memory of 2312	4468	svchost.exe	notepad.exe
PID 4468 wrote to memory of 2044	4468	svchost.exe	vbc.exe
PID 4468 wrote to memory of 2044	4468	svchost.exe	vbc.exe
PID 4468 wrote to memory of 2044	4468	svchost.exe	vbc.exe
PID 4468 wrote to memory of 3208	4468	svchost.exe	cmd.exe
PID 4468 wrote to memory of 3208	4468	svchost.exe	cmd.exe
PID 4468 wrote to memory of 3208	4468	svchost.exe	cmd.exe
PID 4468 wrote to memory of 3208	4468	svchost.exe	cmd.exe
PID 4468 wrote to memory of 3208	4468	svchost.exe	cmd.exe
PID 4468 wrote to memory of 3208	4468	svchost.exe	cmd.exe
PID 4468 wrote to memory of 3208	4468	svchost.exe	cmd.exe
PID 4468 wrote to memory of 3208	4468	svchost.exe	cmd.exe
PID 4468 wrote to memory of 3208	4468	svchost.exe	cmd.exe
PID 4468 wrote to memory of 3208	4468	svchost.exe	cmd.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe
PID 4468 wrote to memory of 2056	4468	svchost.exe	ilasm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.30087.11508.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp20A2.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1772

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
4⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:2044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
4⤵
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2804 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp20A2.tmp.bat
Filesize
151B

MD5
7706c02db0e1314fc101dace8adec5ef

SHA1
9e2147c3cb6b06e4ccff98d90a2a9a5c88502d69

SHA256
96003890ed516c940f968999ee8355306daef0534dba076d6a03de70723dfd50

SHA512
e8f8c49e9d024d5a0a6e3ffad4ed8a184551c3d566e333a124eeaa4f1a5c92cf9a2b3e14d84291f279544ca18ad701301d664d9cbbdbc9ee6dcb1a9e86e4525a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
1.0MB

MD5
18fba1571b2ef85ee29d7629b0360f8b

SHA1
160a5e70d376d45de6f8ca69cf00bdfe0530ce72

SHA256
20f140b6b03ab5318a5c9ce920528c982184ea1fa5e4e51dd3925eedf36ea924

SHA512
0ff5e16ddc13cdcfe5624f3eb7d2535ef40a825f1dfc758cf3d41c390c6ce73c06d501be5c4ed16927dc2f8a6d6287ba06c5d8c43e51595f461a2552b1dd2d2b

Download Submit
memory/1968-0-0x0000017CB8D30000-0x0000017CB8D62000-memory.dmp

Filesize
200KB

Download
memory/1968-1-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/1968-2-0x0000017CD3220000-0x0000017CD3230000-memory.dmp

Filesize
64KB

Download
memory/1968-3-0x0000017CD30D0000-0x0000017CD31A4000-memory.dmp

Filesize
848KB

Download
memory/1968-8-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/2056-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2056-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4468-21-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-20-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-13-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads