remcos | 69f0e95e4441f1a88b1cc9698991452f678a7b4d3b712054e786b6e3dd3ea873

General

Target

patohacker.exe
Size

469KB
MD5

4e08c810778fede0ab6457273e34277c
SHA1

e96f2e0f560cf6572be028a7206a6698ca8e4cb8
SHA256

69f0e95e4441f1a88b1cc9698991452f678a7b4d3b712054e786b6e3dd3ea873
SHA512

7d0804c76e2c5779f0d0bb48a7bc4b0b145371401654af3e1992cdb61c82c60a707bf33d99505cf5ceb78b3fa7955776221561b4484d493b0a537b0a497ee047
SSDEEP

12288:Omnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSHn9:2iLJbpI7I2WhQqZ7H9

Score

10^/10

remcos remotehost discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

camera-ms.gl.at.ply.gg:50534

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
system.exe
copy_folder
Remcos
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VSIH4G
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	patohacker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
5020	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4484	system.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	patohacker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	patohacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	system.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Remcos\system.exe	patohacker.exe
File opened for modification	C:\Windows\SysWOW64\Remcos\system.exe	patohacker.exe
File opened for modification	C:\Windows\SysWOW64\Remcos	patohacker.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4484 set thread context of 3852	4484	system.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patohacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	patohacker.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2064	reg.exe
2316	reg.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4484	system.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 420	4488	patohacker.exe	81
PID 4488 wrote to memory of 420	4488	patohacker.exe	81
PID 4488 wrote to memory of 420	4488	patohacker.exe	81
PID 420 wrote to memory of 2064	420	cmd.exe	83
PID 420 wrote to memory of 2064	420	cmd.exe	83
PID 420 wrote to memory of 2064	420	cmd.exe	83
PID 4488 wrote to memory of 5020	4488	patohacker.exe	84
PID 4488 wrote to memory of 5020	4488	patohacker.exe	84
PID 4488 wrote to memory of 5020	4488	patohacker.exe	84
PID 5020 wrote to memory of 356	5020	WScript.exe	86
PID 5020 wrote to memory of 356	5020	WScript.exe	86
PID 5020 wrote to memory of 356	5020	WScript.exe	86
PID 356 wrote to memory of 4484	356	cmd.exe	88
PID 356 wrote to memory of 4484	356	cmd.exe	88
PID 356 wrote to memory of 4484	356	cmd.exe	88
PID 4484 wrote to memory of 2244	4484	system.exe	89
PID 4484 wrote to memory of 2244	4484	system.exe	89
PID 4484 wrote to memory of 2244	4484	system.exe	89
PID 4484 wrote to memory of 3852	4484	system.exe	90
PID 4484 wrote to memory of 3852	4484	system.exe	90
PID 4484 wrote to memory of 3852	4484	system.exe	90
PID 4484 wrote to memory of 3852	4484	system.exe	90
PID 2244 wrote to memory of 2316	2244	cmd.exe	92
PID 2244 wrote to memory of 2316	2244	cmd.exe	92
PID 2244 wrote to memory of 2316	2244	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\patohacker.exe
"C:\Users\Admin\AppData\Local\Temp\patohacker.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\Remcos\system.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:356
  - - C:\Windows\SysWOW64\Remcos\system.exe
      C:\Windows\SysWOW64\Remcos\system.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2316
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
528B

MD5
ce7d7a671e67405f2aef52fc20005692

SHA1
3f12cea828fb0d87ef06bc9051132c9f855b7bd0

SHA256
f4554277181cbb0d4cabf422ca9c229f755a71ce874120fb939ab34ae674418b

SHA512
f975073fefe4b325c1012da8fa2dccc0f895ee0835a01929c0f8493e0efa075b3a3429ed6f1214bd8d8e9f58c38cf2197664ef4d922e5c58c671746798826854

Download Submit
C:\Windows\SysWOW64\Remcos\system.exe

Filesize
469KB

MD5
4e08c810778fede0ab6457273e34277c

SHA1
e96f2e0f560cf6572be028a7206a6698ca8e4cb8

SHA256
69f0e95e4441f1a88b1cc9698991452f678a7b4d3b712054e786b6e3dd3ea873

SHA512
7d0804c76e2c5779f0d0bb48a7bc4b0b145371401654af3e1992cdb61c82c60a707bf33d99505cf5ceb78b3fa7955776221561b4484d493b0a537b0a497ee047

Download Submit
memory/3852-9-0x0000000000C00000-0x0000000000C7F000-memory.dmp

Filesize
508KB

Download
memory/3852-8-0x0000000000C00000-0x0000000000C7F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads