remcos | bb9b5385a7d73e6861b0a2cbca600babbf36c961aa857b052f15d1d0177cd88c

General

Target

WHYYexe.exe
Size

469KB
MD5

0905830fb9416d08ec2009c8399ced22
SHA1

1f059b7251fe8b94da20758186cac84008d5c627
SHA256

bb9b5385a7d73e6861b0a2cbca600babbf36c961aa857b052f15d1d0177cd88c
SHA512

29a5ccb813551ba7050b4463620407c7c634c1074c3e2205ef281a45f09ea4c6a5f36e1b6135f01f4186d9c8e05a9db3e301dc936fa918ff6d04014b8b15a966
SSDEEP

12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSKn9:WiLJbpI7I2WhQqZ7K9

Score

10^/10

remcos remotehost discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

camera-ms.gl.at.ply.gg:50534

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
system.exe
copy_folder
Remcos
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-U9W8K6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WHYYexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1548	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	system.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	WHYYexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	WHYYexe.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Remcos\system.exe	WHYYexe.exe
File opened for modification	C:\Windows\SysWOW64\Remcos\system.exe	WHYYexe.exe
File opened for modification	C:\Windows\SysWOW64\Remcos	WHYYexe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2968 set thread context of 408	2968	system.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WHYYexe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	WHYYexe.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1976	reg.exe
4148	reg.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2968	system.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 3560	3400	WHYYexe.exe	83
PID 3400 wrote to memory of 3560	3400	WHYYexe.exe	83
PID 3400 wrote to memory of 3560	3400	WHYYexe.exe	83
PID 3560 wrote to memory of 1976	3560	cmd.exe	85
PID 3560 wrote to memory of 1976	3560	cmd.exe	85
PID 3560 wrote to memory of 1976	3560	cmd.exe	85
PID 3400 wrote to memory of 1548	3400	WHYYexe.exe	86
PID 3400 wrote to memory of 1548	3400	WHYYexe.exe	86
PID 3400 wrote to memory of 1548	3400	WHYYexe.exe	86
PID 1548 wrote to memory of 1932	1548	WScript.exe	90
PID 1548 wrote to memory of 1932	1548	WScript.exe	90
PID 1548 wrote to memory of 1932	1548	WScript.exe	90
PID 1932 wrote to memory of 2968	1932	cmd.exe	92
PID 1932 wrote to memory of 2968	1932	cmd.exe	92
PID 1932 wrote to memory of 2968	1932	cmd.exe	92
PID 2968 wrote to memory of 1300	2968	system.exe	93
PID 2968 wrote to memory of 1300	2968	system.exe	93
PID 2968 wrote to memory of 1300	2968	system.exe	93
PID 2968 wrote to memory of 408	2968	system.exe	95
PID 2968 wrote to memory of 408	2968	system.exe	95
PID 2968 wrote to memory of 408	2968	system.exe	95
PID 2968 wrote to memory of 408	2968	system.exe	95
PID 1300 wrote to memory of 4148	1300	cmd.exe	96
PID 1300 wrote to memory of 4148	1300	cmd.exe	96
PID 1300 wrote to memory of 4148	1300	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\WHYYexe.exe
"C:\Users\Admin\AppData\Local\Temp\WHYYexe.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\Remcos\system.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\Remcos\system.exe
      C:\Windows\SysWOW64\Remcos\system.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4148
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
522B

MD5
4874a83799d03083604c69c2c3568ba2

SHA1
8d4b5ab468fc918d293c3aad4d64412c773cbaac

SHA256
38ec0f7c3e031f2a7e0e9bd33dbd9b79bd8b74b153722cc92429cd41397a1c2a

SHA512
10ba468706da54da888a82aa9c0f283f0d2fb5bed95171935f8f63e490bb5022ca141a8ceac46e523dff03e36c969f5fc24bb0fab5f7ee7ff1b4aebe157857dd

Download Submit
C:\Windows\SysWOW64\Remcos\system.exe

Filesize
469KB

MD5
0905830fb9416d08ec2009c8399ced22

SHA1
1f059b7251fe8b94da20758186cac84008d5c627

SHA256
bb9b5385a7d73e6861b0a2cbca600babbf36c961aa857b052f15d1d0177cd88c

SHA512
29a5ccb813551ba7050b4463620407c7c634c1074c3e2205ef281a45f09ea4c6a5f36e1b6135f01f4186d9c8e05a9db3e301dc936fa918ff6d04014b8b15a966

Download Submit
memory/408-10-0x0000000001160000-0x00000000011DF000-memory.dmp

Filesize
508KB

Download
memory/408-9-0x0000000001160000-0x00000000011DF000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads