remcos | 3f80d6ff7a276e68731118c6021ee6c5ac84ed0f2c4a7cf2031f549e2130df97

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remittance Advice.vbs
Size

1.5MB
MD5

6bd142a5c2cb38a2bcf50811b39a90cf
SHA1

dc6311e5e2dc00c74d80c0cbe7287c5f206744ac
SHA256

3f80d6ff7a276e68731118c6021ee6c5ac84ed0f2c4a7cf2031f549e2130df97
SHA512

845fa1fdf22683e2d8b35b17622c914a75c94af5943ac2476288ea1b9368fe95bc75b38506f4145b32cdd5aab16532050db5a40af9cb73745398fc096acb1f35
SSDEEP

24576:HE6rtaRsFIhaLFJfCF9MSStwCv7FaBb2PJUMKh3a+3PSCZhau5TqFOe1B:NwQC00BCy9zJY3z

Score

10^/10

remcos volcanic eruption discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

VOLCANIC ERUPTION

127.0.0.1:1282

www.naichihardware.com:1282

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
media
mouse_option
false
mutex
Rmc-N7BV4S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4512	powershell.exe
3524	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	x.exe

Executes dropped EXE 1 IoCs

pid	Process
3432	x.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3432 set thread context of 4728	3432	x.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3432	x.exe
3524	powershell.exe
3524	powershell.exe
4512	powershell.exe
4512	powershell.exe
3432	x.exe
3432	x.exe
3524	powershell.exe
4512	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3432	x.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4728	vbc.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 3432	924	WScript.exe	84
PID 924 wrote to memory of 3432	924	WScript.exe	84
PID 924 wrote to memory of 3432	924	WScript.exe	84
PID 3432 wrote to memory of 4512	3432	x.exe	95
PID 3432 wrote to memory of 4512	3432	x.exe	95
PID 3432 wrote to memory of 4512	3432	x.exe	95
PID 3432 wrote to memory of 3524	3432	x.exe	97
PID 3432 wrote to memory of 3524	3432	x.exe	97
PID 3432 wrote to memory of 3524	3432	x.exe	97
PID 3432 wrote to memory of 1068	3432	x.exe	99
PID 3432 wrote to memory of 1068	3432	x.exe	99
PID 3432 wrote to memory of 1068	3432	x.exe	99
PID 3432 wrote to memory of 4728	3432	x.exe	101
PID 3432 wrote to memory of 4728	3432	x.exe	101
PID 3432 wrote to memory of 4728	3432	x.exe	101
PID 3432 wrote to memory of 4728	3432	x.exe	101
PID 3432 wrote to memory of 4728	3432	x.exe	101
PID 3432 wrote to memory of 4728	3432	x.exe	101
PID 3432 wrote to memory of 4728	3432	x.exe	101
PID 3432 wrote to memory of 4728	3432	x.exe	101
PID 3432 wrote to memory of 4728	3432	x.exe	101
PID 3432 wrote to memory of 4728	3432	x.exe	101
PID 3432 wrote to memory of 4728	3432	x.exe	101
PID 3432 wrote to memory of 4728	3432	x.exe	101

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Remittance Advice.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\x.exe
  "C:\Users\Admin\AppData\Local\Temp\x.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\x.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aeZVqqCgfhag.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3524
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aeZVqqCgfhag" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBAA5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\media\logs.dat

Filesize
144B

MD5
15e28864e0a59d1d453113e01cd270df

SHA1
c9b7c51edd493c76771ec5484bd83848c6997cda

SHA256
6552b0ac69c0aace41731b6e93da83b058903d50f8911ed728a7a17c3820f6e4

SHA512
86c7c293867cc684bfe2034dbd105dcb7006cda49c97becdf97f2dca674d524e8cad643c9f818bd1b95044fe6402aab51534cca495150afdb2e3e7256288076c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2df62e6bc973a8b0f3c904e6c42c00ec

SHA1
0c6d79964318fe8841e1407b3990737c67d72245

SHA256
af9ef6f2a974b84d27fb67c749c6d2f4a04ae01438b6dc54ccf5b41340a02f53

SHA512
929f23baefce1629608467cc5ebe89a6acd85d86b853debaa073233ed09a473f34e247a7d6c28bb8538f23378d7399b48dd2d26ebac23c2c6e8504ba1d226e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xpvsjvh.5z4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBAA5.tmp

Filesize
1KB

MD5
cff1b3bfb32d108f870e65e4f290a734

SHA1
cbac8b498c400e81ca6b427837348aaabe3dffb0

SHA256
ddbd9d91c5bb78f5963a5b87bb6919428235e7bd63a31e4a0a291a89392a4ade

SHA512
9bf1778dfcb91e04fe2e0e4e50f420345120e1a6c65e6685ec6ba4141babf992fe28d2d3674e3331e72435ea59f80dbdf0f9c6122f2fd2bd500d1f6c68060cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
1.0MB

MD5
f50c076cefaf9217bff4c4f1aa50b50a

SHA1
d083846bbcfee5befaa9359193756d6037a454b0

SHA256
8da7bdec3fa3feb571d19c0c02bff613d09274113ce1211ece1405ee35d13b7b

SHA512
3bdebcfa15a09f59b4e5e7cd200f8a7c02fe9b0df65ba2ec599a1012b9045f89bc3c1ebc81e69f1b3f0d2777df4e7671572baab0030e8e5b89588f33b32e36fb

Download Submit
memory/3432-18-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/3432-17-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/3432-16-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/3432-19-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/3432-20-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/3432-21-0x00000000066C0000-0x0000000006780000-memory.dmp

Filesize
768KB

Download
memory/3432-22-0x00000000068C0000-0x000000000695C000-memory.dmp

Filesize
624KB

Download
memory/3432-15-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/3432-14-0x00000000053E0000-0x0000000005472000-memory.dmp

Filesize
584KB

Download
memory/3432-13-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/3432-12-0x00000000008E0000-0x00000000009E6000-memory.dmp

Filesize
1.0MB

Download
memory/3432-60-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/3432-11-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/3524-94-0x0000000007D30000-0x0000000007D4A000-memory.dmp

Filesize
104KB

Download
memory/3524-86-0x0000000008040000-0x00000000086BA000-memory.dmp

Filesize
6.5MB

Download
memory/3524-29-0x0000000005710000-0x0000000005732000-memory.dmp

Filesize
136KB

Download
memory/3524-95-0x0000000007D10000-0x0000000007D18000-memory.dmp

Filesize
32KB

Download
memory/3524-30-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/3524-93-0x0000000007C30000-0x0000000007C44000-memory.dmp

Filesize
80KB

Download
memory/3524-90-0x0000000007BF0000-0x0000000007C01000-memory.dmp

Filesize
68KB

Download
memory/3524-31-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/3524-61-0x00000000066D0000-0x00000000066EE000-memory.dmp

Filesize
120KB

Download
memory/3524-62-0x0000000006700000-0x000000000674C000-memory.dmp

Filesize
304KB

Download
memory/3524-42-0x0000000006060000-0x00000000063B4000-memory.dmp

Filesize
3.3MB

Download
memory/3524-88-0x0000000007A60000-0x0000000007A6A000-memory.dmp

Filesize
40KB

Download
memory/3524-87-0x00000000079F0000-0x0000000007A0A000-memory.dmp

Filesize
104KB

Download
memory/3524-75-0x00000000755B0000-0x00000000755FC000-memory.dmp

Filesize
304KB

Download
memory/4512-63-0x00000000072A0000-0x00000000072D2000-memory.dmp

Filesize
200KB

Download
memory/4512-64-0x00000000755B0000-0x00000000755FC000-memory.dmp

Filesize
304KB

Download
memory/4512-76-0x0000000007540000-0x00000000075E3000-memory.dmp

Filesize
652KB

Download
memory/4512-74-0x00000000074E0000-0x00000000074FE000-memory.dmp

Filesize
120KB

Download
memory/4512-89-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/4512-27-0x0000000004DD0000-0x0000000004E06000-memory.dmp

Filesize
216KB

Download
memory/4512-91-0x0000000007880000-0x000000000788E000-memory.dmp

Filesize
56KB

Download
memory/4512-28-0x0000000005440000-0x0000000005A68000-memory.dmp

Filesize
6.2MB

Download
memory/4728-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-131-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-132-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4728-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download