.Net Dll is named GC.dll, as you can see in Figure 6. The two passed parameters are shown in "Locals".

[Figure 6]

According to my analysis, it first dynamically extracts another Dll, named lime.dll, from its resource section. Next, it decompresses the Remcos payload, which is passed to a function called "k78er0sdfffff.o70sdaf45gfg(System.String, Byte)" from lime.dll at the time the function is called. This Dll performs the process hollowing: it injects the Remcos payload into a newly created "RegAsm.exe" process.

Once the function k78er0sdfffff.o70sdaf45gfg() is invoked, it looks for "RegAsm.exe" in the following locations on the victim's device:

- C:\Windows\Microsoft.NET\Framework\v9\
- C:\WINDOWS\system32\WindowsPowerShell\v1.0\
- C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\
- C:\WINDOWS\
- C:\WINDOWS\system32\
- C:\WINDOWS\syswow64\

If it fails to find the file, it exits from PowerShell without running Remcos. As you may know, process hollowing needs several API calls to complete: CreateProcess() with the CREATE_SUSPENDED flag, WriteProcessMemory(), GetThreadContext(), SetThreadContext() and so on. In my testing environment, the file is at "C:\Windows\Microsoft.NET\Framework\v9\RegAsm.exe".

[Figure 7]

As shown in Figure 7, it is about to call the API CreateProcessA() from Lime.dll to create a suspended RegAsm.exe process.

Every Remcos contains an RC4-encrypted configuration block in its PE resource section, named "SETTINGS", as shown in Figure 8. The first byte, "B1", is the size of the RC4 key that follows it (the key is in the red box), and the rest of the data is the encrypted Remcos configuration block. The first thing Remcos does is decrypt this configuration block, which is referred to throughout Remcos's lifetime.
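The process-hollowing call sequence named above (CreateProcess with CREATE_SUSPENDED, WriteProcessMemory, GetThreadContext, SetThreadContext) is also what a sandbox or EDR trace shows, so it can be matched on the telemetry side. The detector below is an added example written for this article, not code from the Remcos loader or from any product: the trace format ("<caller_pid> <api> key=value ..."), the PIDs, thread IDs and the trace lines themselves are constructed for the example. It correlates the four indicators on the same child process and only reports a child that shows all of them, so an ordinary CreateProcess followed by an unrelated WriteProcessMemory is not flagged.

```python
"""Flag the process-hollowing API sequence in a sandbox-style API trace.

Constructed example for this article (not a real capture). Each trace line
is assumed to look like "<caller_pid> <api> key=value ...". The detector
correlates, per created child: CreateProcess* with CREATE_SUSPENDED,
WriteProcessMemory into that child's PID, and GetThreadContext /
SetThreadContext on that child's initial thread.
"""
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # documented Win32 dwCreationFlags bit

# Constructed trace: one hollowed RegAsm.exe child and one benign child
# (notepad.exe, not suspended, no thread-context manipulation).
SAMPLE_TRACE = """\
1234 CreateProcessA lpApplicationName="C:\\Windows\\Microsoft.NET\\Framework\\v9\\RegAsm.exe" dwCreationFlags=0x4 pid=5678 tid=5680
1234 GetThreadContext tid=5680
1234 WriteProcessMemory pid=5678 addr=0x400000 size=0x1000
1234 WriteProcessMemory pid=5678 addr=0x401000 size=0x2a000
1234 SetThreadContext tid=5680
1234 ResumeThread tid=5680
1234 CreateProcessW lpApplicationName="C:\\Windows\\System32\\notepad.exe" dwCreationFlags=0x0 pid=9001 tid=9003
1234 WriteProcessMemory pid=9001 addr=0x7ff000 size=0x10
"""

# key=value pairs; the value may be a double-quoted string containing backslashes.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Child:
    pid: int
    tid: int
    image: str
    suspended: bool
    writes: int = 0
    got_context: bool = False
    set_context: bool = False

    def looks_hollowed(self) -> bool:
        # All four indicators on one child: created suspended, memory written
        # into it, its initial thread context read and then overwritten.
        return (self.suspended and self.writes > 0
                and self.got_context and self.set_context)


def parse_args(text: str) -> dict:
    """Turn 'k=v k2="quoted v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV.findall(text)}


def detect_hollowing(trace: str) -> list:
    """Return the children in `trace` that show the full hollowing sequence."""
    by_pid: dict = {}
    by_tid: dict = {}
    for raw in trace.splitlines():
        if not raw.strip():
            continue
        parts = raw.split(" ", 2)
        api = parts[1]
        args = parse_args(parts[2] if len(parts) > 2 else "")
        if api.startswith("CreateProcess"):
            flags = int(args.get("dwCreationFlags", "0"), 16)
            child = Child(pid=int(args["pid"]), tid=int(args["tid"]),
                          image=args.get("lpApplicationName", ""),
                          suspended=bool(flags & CREATE_SUSPENDED))
            by_pid[child.pid] = child
            by_tid[child.tid] = child
        elif api == "WriteProcessMemory" and "pid" in args:
            child = by_pid.get(int(args["pid"]))
            if child is not None:
                child.writes += 1
        elif api == "GetThreadContext" and "tid" in args:
            child = by_tid.get(int(args["tid"]))
            if child is not None:
                child.got_context = True
        elif api == "SetThreadContext" and "tid" in args:
            child = by_tid.get(int(args["tid"]))
            if child is not None:
                child.set_context = True
    return [c for c in by_pid.values() if c.looks_hollowed()]


if __name__ == "__main__":
    for hit in detect_hollowing(SAMPLE_TRACE):
        print(f"possible hollowing: pid={hit.pid} image={hit.image} writes={hit.writes}")
```

The benign notepad.exe child in the constructed trace receives a WriteProcessMemory too, but it was not created suspended and its thread context is never rewritten, so only the RegAsm.exe child is reported; in a real trace you would key the correlation on process handles rather than the PIDs a sandbox prints, and add NtUnmapViewOfSection and ResumeThread as further indicators.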
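The SETTINGS layout described above (one length byte, then the RC4 key, then the RC4-encrypted configuration) is simple enough to extract mechanically. The code below is an added example written for this article, not the author's tooling or Remcos's own code: it carries RC4 from the standard KSA/PRGA definition, checks that the declared key length actually fits in the blob before using it, and runs on a blob it builds itself from a made-up key and a made-up configuration string (the real configuration is much longer and its field format is not covered here).

```python
"""Parse and decrypt a Remcos-style "SETTINGS" resource blob.

Layout described in the article: byte 0 is the length of the RC4 key, the
key follows, and everything after the key is the RC4-encrypted
configuration. SAMPLE_KEY and SAMPLE_CONFIG are constructed for this
example and are not taken from any real sample.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key-scheduling + PRGA). Encryption and decryption are the same."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> tuple:
    """Split a SETTINGS blob into (rc4_key, decrypted_config).

    The length byte comes from the sample, so it is validated before use:
    a truncated or corrupted resource must raise instead of yielding a
    bogus key and silently wrong plaintext.
    """
    if len(blob) < 2:
        raise ValueError("blob too short to hold a key-length byte and a key")
    key_len = blob[0]
    if key_len == 0 or 1 + key_len > len(blob):
        raise ValueError(
            f"declared key length {key_len} does not fit in a {len(blob)}-byte blob")
    key = blob[1:1 + key_len]
    ciphertext = blob[1 + key_len:]
    return key, rc4(key, ciphertext)


def build_settings(key: bytes, config: bytes) -> bytes:
    """Build a blob in the same layout; used here only to construct test input."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, config)


# Constructed example input (assumptions for this example, not real Remcos data).
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_CONFIG = b"192.0.2.10:2404:0|example-host|example-mutex"
SAMPLE_BLOB = build_settings(SAMPLE_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    key, config = parse_settings(SAMPLE_BLOB)
    print("key length byte:", SAMPLE_BLOB[0])
    print("key:", key)
    print("config:", config)
```

On a real sample you would read the blob from the "SETTINGS" resource (for example with pefile) and feed it to `parse_settings`; the length-byte check is what keeps a truncated resource from being reported as a decrypted configuration.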