remcos | a466e005e900687100fef0e6f22cbab359eff61ed4721d2faa0759ea0b59203a

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub.exe
Size

469KB
MD5

52b30da6d3eeb564edbf295bd1bf4cdd
SHA1

1cac726321f8aa11d5ba89264854aaf70ccd75fe
SHA256

a466e005e900687100fef0e6f22cbab359eff61ed4721d2faa0759ea0b59203a
SHA512

6b9eb6b49b07150bc49a4b288c08990661188aca94c98c9db558ffe07a059ce4d29fe4d7ed1881a97eb97487486ee99bd8a79bdb1e4e3e2218f6bcabb00419b2
SSDEEP

12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSYn9:uiLJbpI7I2WhQqZ7Y9

Score

10^/10

remcos remotehost discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

me-intranet.gl.at.ply.gg:13055

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
SecurityHealthSystray.exe
copy_folder
SecurityHealthSystray
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-OH5SD2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
SecurityHealthSystray.exe
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

stub.exeSecurityHealthSystray.exeiexplore.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	stub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SecurityHealthSystray.exe = "\"C:\\ProgramData\\SecurityHealthSystray\\SecurityHealthSystray.exe\""	stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	SecurityHealthSystray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SecurityHealthSystray.exe = "\"C:\\ProgramData\\SecurityHealthSystray\\SecurityHealthSystray.exe\""	SecurityHealthSystray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SecurityHealthSystray.exe = "\"C:\\ProgramData\\SecurityHealthSystray\\SecurityHealthSystray.exe\""	iexplore.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

stub.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

WScript.exe

pid	Process
2092	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

SecurityHealthSystray.exe

pid	Process
728	SecurityHealthSystray.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SecurityHealthSystray.exeiexplore.exestub.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray.exe = "\"C:\\ProgramData\\SecurityHealthSystray\\SecurityHealthSystray.exe\""	SecurityHealthSystray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray.exe = "\"C:\\ProgramData\\SecurityHealthSystray\\SecurityHealthSystray.exe\""	SecurityHealthSystray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray.exe = "\"C:\\ProgramData\\SecurityHealthSystray\\SecurityHealthSystray.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray.exe = "\"C:\\ProgramData\\SecurityHealthSystray\\SecurityHealthSystray.exe\""	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray.exe = "\"C:\\ProgramData\\SecurityHealthSystray\\SecurityHealthSystray.exe\""	stub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray.exe = "\"C:\\ProgramData\\SecurityHealthSystray\\SecurityHealthSystray.exe\""	stub.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecurityHealthSystray.exeiexplore.exe

description	pid	Process	procid_target
PID 728 set thread context of 3492	728	SecurityHealthSystray.exe	91
PID 3492 set thread context of 1688	3492	iexplore.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.execmd.exeiexplore.execmd.exereg.exestub.execmd.exereg.execmd.exeWScript.exeSecurityHealthSystray.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecurityHealthSystray.exe

Modifies registry class 1 IoCs

Processes:

stub.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	stub.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

pid	Process
2368	reg.exe
224	reg.exe
3332	reg.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

SecurityHealthSystray.exeiexplore.exe

pid	Process
728	SecurityHealthSystray.exe
3492	iexplore.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

stub.execmd.exeWScript.execmd.exeSecurityHealthSystray.exeiexplore.execmd.execmd.exe

description	pid	Process	procid_target
PID 4688 wrote to memory of 4920	4688	stub.exe	83
PID 4688 wrote to memory of 4920	4688	stub.exe	83
PID 4688 wrote to memory of 4920	4688	stub.exe	83
PID 4920 wrote to memory of 2368	4920	cmd.exe	85
PID 4920 wrote to memory of 2368	4920	cmd.exe	85
PID 4920 wrote to memory of 2368	4920	cmd.exe	85
PID 4688 wrote to memory of 2092	4688	stub.exe	86
PID 4688 wrote to memory of 2092	4688	stub.exe	86
PID 4688 wrote to memory of 2092	4688	stub.exe	86
PID 2092 wrote to memory of 2636	2092	WScript.exe	87
PID 2092 wrote to memory of 2636	2092	WScript.exe	87
PID 2092 wrote to memory of 2636	2092	WScript.exe	87
PID 2636 wrote to memory of 728	2636	cmd.exe	89
PID 2636 wrote to memory of 728	2636	cmd.exe	89
PID 2636 wrote to memory of 728	2636	cmd.exe	89
PID 728 wrote to memory of 4676	728	SecurityHealthSystray.exe	90
PID 728 wrote to memory of 4676	728	SecurityHealthSystray.exe	90
PID 728 wrote to memory of 4676	728	SecurityHealthSystray.exe	90
PID 728 wrote to memory of 3492	728	SecurityHealthSystray.exe	91
PID 728 wrote to memory of 3492	728	SecurityHealthSystray.exe	91
PID 728 wrote to memory of 3492	728	SecurityHealthSystray.exe	91
PID 728 wrote to memory of 3492	728	SecurityHealthSystray.exe	91
PID 3492 wrote to memory of 2612	3492	iexplore.exe	93
PID 3492 wrote to memory of 2612	3492	iexplore.exe	93
PID 3492 wrote to memory of 2612	3492	iexplore.exe	93
PID 3492 wrote to memory of 1688	3492	iexplore.exe	94
PID 3492 wrote to memory of 1688	3492	iexplore.exe	94
PID 3492 wrote to memory of 1688	3492	iexplore.exe	94
PID 3492 wrote to memory of 1688	3492	iexplore.exe	94
PID 4676 wrote to memory of 224	4676	cmd.exe	96
PID 4676 wrote to memory of 224	4676	cmd.exe	96
PID 4676 wrote to memory of 224	4676	cmd.exe	96
PID 2612 wrote to memory of 3332	2612	cmd.exe	97
PID 2612 wrote to memory of 3332	2612	cmd.exe	97
PID 2612 wrote to memory of 3332	2612	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
1⤵
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\SecurityHealthSystray\SecurityHealthSystray.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\ProgramData\SecurityHealthSystray\SecurityHealthSystray.exe
      C:\ProgramData\SecurityHealthSystray\SecurityHealthSystray.exe
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:728
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:224
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        Adds policy Run key to start application
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3492
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3332
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SecurityHealthSystray\SecurityHealthSystray.exe

Filesize
469KB

MD5
52b30da6d3eeb564edbf295bd1bf4cdd

SHA1
1cac726321f8aa11d5ba89264854aaf70ccd75fe

SHA256
a466e005e900687100fef0e6f22cbab359eff61ed4721d2faa0759ea0b59203a

SHA512
6b9eb6b49b07150bc49a4b288c08990661188aca94c98c9db558ffe07a059ce4d29fe4d7ed1881a97eb97487486ee99bd8a79bdb1e4e3e2218f6bcabb00419b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
566B

MD5
533b5f2c2e4e34e9f53d6ee16e056551

SHA1
4245bb269a6c61ceb998d461b58f5f1c05ca9310

SHA256
08198007354e0ee9053e7924e306a88ebdbd82527e95bc85a769f6be42c8358e

SHA512
b43006eea158c1c2909ce96e83e814db11d3731d184814c5f25c31ceb00575b5f072207ef1362c1e94979b270d9562c9073ed43f5ff64c87c41ef272693bc19d

Download Submit
memory/1688-14-0x00000000004D0000-0x000000000054F000-memory.dmp

Filesize
508KB

Download
memory/1688-15-0x00000000004D0000-0x000000000054F000-memory.dmp

Filesize
508KB

Download
memory/3492-19-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-20-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-10-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-16-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-17-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-18-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-9-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-11-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-21-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-22-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-23-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-24-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-25-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-26-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-27-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download
memory/3492-28-0x0000000001100000-0x000000000117F000-memory.dmp

Filesize
508KB

Download