remcos | 491cff43b259addd44a312094b15674d2c33c9ab901500130fead03e7d9d6530

Analysis

max time kernel
142s
max time network
155s
platform
windows7_x64
resource
win7
submitted
10-07-2020 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe
Size

1.5MB
MD5

0c6a22a028ce02e10608bb44b7b4c66f
SHA1

686ca5b3fdb1606769054107783ab4ad49a3acec
SHA256

491cff43b259addd44a312094b15674d2c33c9ab901500130fead03e7d9d6530
SHA512

dbee8252a20e0e90242282b14c76ca8256700055b65f27f3b19131bd27613a5168363d4507daac641234504f15b3b6d4a53140b5c591e6df732aa253087ffaaa

Score

10^/10

persistence rat remcos

Malware Config

Extracted

Family

remcos

karimgoussd.ug:6969

fgdjhksdfsdxcbv.ru:6969

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of WriteProcessMemory 527 IoCs

Processes:

SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe

description	pid	process	target process
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe
PID 1448 wrote to memory of 1820	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	TapiUnattend.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe

description pid process target process

PID 1448 set thread context of 2360 1448 SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe ieinstal.exe
Executes dropped EXE 2 IoCs

Processes:

fodhelper.exefodhelper.exe

pid process

2588 fodhelper.exe
2608 fodhelper.exe

description	pid	process	target process
PID 1448 set thread context of 2360	1448	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe	ieinstal.exe

pid	process
2588	fodhelper.exe
2608	fodhelper.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ghsb = "C:\\Users\\Admin\\AppData\\Local\\Ghsb\\Ghsb.hta"	SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2480 reg.exe
2516 reg.exe
2460 reg.exe

pid	process
2480	reg.exe
2516	reg.exe
2460	reg.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis0C6A22A028CE.16359.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Adds Run entry to start application
PID:1448

C:\Windows\SysWOW64\TapiUnattend.exe
"C:\Windows\System32\TapiUnattend.exe"
2⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Public\Natso.bat
3⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
4⤵
- Modifies registry key
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
4⤵
- Modifies registry key
PID:2480

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
4⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
4⤵
- Modifies registry key
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Public\Runex.bat
3⤵
PID:2548

C:\Windows \System32\fodhelper.exe
"C:\Windows \System32\fodhelper.exe"
4⤵
- Executes dropped EXE
PID:2588

C:\Windows \System32\fodhelper.exe
"C:\Windows \System32\fodhelper.exe"
4⤵
- Executes dropped EXE
PID:2608

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Natso.bat

Download Submit
C:\Users\Public\Runex.bat

Download Submit
C:\Users\Public\fodhelper.exe

Download Submit
C:\Users\Public\propsys.dll

Download Submit
C:\Windows \System32\fodhelper.exe

Download Submit
C:\Windows \System32\fodhelper.exe

Download Submit
memory/1448-124-0x0000000010410000-0x0000000010450000-memory.dmp

Filesize
256KB

Download
memory/1820-66-0x0000000000000000-mapping.dmp

Download
memory/1820-28-0x0000000000000000-mapping.dmp

Download
memory/1820-5-0x0000000000000000-mapping.dmp

Download
memory/1820-6-0x0000000000000000-mapping.dmp

Download
memory/1820-7-0x0000000000000000-mapping.dmp

Download
memory/1820-8-0x0000000000000000-mapping.dmp

Download
memory/1820-9-0x0000000000000000-mapping.dmp

Download
memory/1820-10-0x0000000000000000-mapping.dmp

Download
memory/1820-11-0x0000000000000000-mapping.dmp

Download
memory/1820-12-0x0000000000000000-mapping.dmp

Download
memory/1820-13-0x0000000000000000-mapping.dmp

Download
memory/1820-14-0x0000000000000000-mapping.dmp

Download
memory/1820-15-0x0000000000000000-mapping.dmp

Download
memory/1820-16-0x0000000000000000-mapping.dmp

Download
memory/1820-17-0x0000000000000000-mapping.dmp

Download
memory/1820-18-0x0000000000000000-mapping.dmp

Download
memory/1820-19-0x0000000000000000-mapping.dmp

Download
memory/1820-20-0x0000000000000000-mapping.dmp

Download
memory/1820-21-0x0000000000000000-mapping.dmp

Download
memory/1820-22-0x0000000000000000-mapping.dmp

Download
memory/1820-23-0x0000000000000000-mapping.dmp

Download
memory/1820-24-0x0000000000000000-mapping.dmp

Download
memory/1820-25-0x0000000000000000-mapping.dmp

Download
memory/1820-26-0x0000000000000000-mapping.dmp

Download
memory/1820-27-0x0000000000000000-mapping.dmp

Download
memory/1820-70-0x0000000000000000-mapping.dmp

Download
memory/1820-29-0x0000000000000000-mapping.dmp

Download
memory/1820-30-0x0000000000000000-mapping.dmp

Download
memory/1820-31-0x0000000000000000-mapping.dmp

Download
memory/1820-32-0x0000000000000000-mapping.dmp

Download
memory/1820-33-0x0000000000000000-mapping.dmp

Download
memory/1820-34-0x0000000000000000-mapping.dmp

Download
memory/1820-35-0x0000000000000000-mapping.dmp

Download
memory/1820-36-0x0000000000000000-mapping.dmp

Download
memory/1820-37-0x0000000000000000-mapping.dmp

Download
memory/1820-38-0x0000000000000000-mapping.dmp

Download
memory/1820-39-0x0000000000000000-mapping.dmp

Download
memory/1820-40-0x0000000000000000-mapping.dmp

Download
memory/1820-41-0x0000000000000000-mapping.dmp

Download
memory/1820-42-0x0000000000000000-mapping.dmp

Download
memory/1820-43-0x0000000000000000-mapping.dmp

Download
memory/1820-44-0x0000000000000000-mapping.dmp

Download
memory/1820-45-0x0000000000000000-mapping.dmp

Download
memory/1820-47-0x0000000000000000-mapping.dmp

Download
memory/1820-46-0x0000000000000000-mapping.dmp

Download
memory/1820-48-0x0000000000000000-mapping.dmp

Download
memory/1820-69-0x0000000000000000-mapping.dmp

Download
memory/1820-50-0x0000000000000000-mapping.dmp

Download
memory/1820-51-0x0000000000000000-mapping.dmp

Download
memory/1820-53-0x0000000000000000-mapping.dmp

Download
memory/1820-52-0x0000000000000000-mapping.dmp

Download
memory/1820-54-0x0000000000000000-mapping.dmp

Download
memory/1820-55-0x0000000000000000-mapping.dmp

Download
memory/1820-56-0x0000000000000000-mapping.dmp

Download
memory/1820-57-0x0000000000000000-mapping.dmp

Download
memory/1820-58-0x0000000000000000-mapping.dmp

Download
memory/1820-59-0x0000000000000000-mapping.dmp

Download
memory/1820-60-0x0000000000000000-mapping.dmp

Download
memory/1820-61-0x0000000000000000-mapping.dmp

Download
memory/1820-62-0x0000000000000000-mapping.dmp

Download
memory/1820-63-0x0000000000000000-mapping.dmp

Download
memory/1820-64-0x0000000000000000-mapping.dmp

Download
memory/1820-65-0x0000000000000000-mapping.dmp

Download
memory/1820-3-0x0000000000000000-mapping.dmp

Download
memory/1820-67-0x0000000000000000-mapping.dmp

Download
memory/1820-68-0x0000000000000000-mapping.dmp

Download
memory/1820-49-0x0000000000000000-mapping.dmp

Download
memory/1820-4-0x0000000000000000-mapping.dmp

Download
memory/1820-101-0x0000000000000000-mapping.dmp

Download
memory/1820-72-0x0000000000000000-mapping.dmp

Download
memory/1820-73-0x0000000000000000-mapping.dmp

Download
memory/1820-74-0x0000000000000000-mapping.dmp

Download
memory/1820-75-0x0000000000000000-mapping.dmp

Download
memory/1820-76-0x0000000000000000-mapping.dmp

Download
memory/1820-77-0x0000000000000000-mapping.dmp

Download
memory/1820-78-0x0000000000000000-mapping.dmp

Download
memory/1820-79-0x0000000000000000-mapping.dmp

Download
memory/1820-80-0x0000000000000000-mapping.dmp

Download
memory/1820-81-0x0000000000000000-mapping.dmp

Download
memory/1820-82-0x0000000000000000-mapping.dmp

Download
memory/1820-83-0x0000000000000000-mapping.dmp

Download
memory/1820-84-0x0000000000000000-mapping.dmp

Download
memory/1820-85-0x0000000000000000-mapping.dmp

Download
memory/1820-86-0x0000000000000000-mapping.dmp

Download
memory/1820-87-0x0000000000000000-mapping.dmp

Download
memory/1820-88-0x0000000000000000-mapping.dmp

Download
memory/1820-89-0x0000000000000000-mapping.dmp

Download
memory/1820-90-0x0000000000000000-mapping.dmp

Download
memory/1820-91-0x0000000000000000-mapping.dmp

Download
memory/1820-92-0x0000000000000000-mapping.dmp

Download
memory/1820-93-0x0000000000000000-mapping.dmp

Download
memory/1820-94-0x0000000000000000-mapping.dmp

Download
memory/1820-95-0x0000000000000000-mapping.dmp

Download
memory/1820-96-0x0000000000000000-mapping.dmp

Download
memory/1820-97-0x0000000000000000-mapping.dmp

Download
memory/1820-98-0x0000000000000000-mapping.dmp

Download
memory/1820-99-0x0000000000000000-mapping.dmp

Download
memory/1820-100-0x0000000000000000-mapping.dmp

Download
memory/1820-71-0x0000000000000000-mapping.dmp

Download
memory/1820-102-0x0000000000000000-mapping.dmp

Download
memory/1820-103-0x0000000000000000-mapping.dmp

Download
memory/1820-104-0x0000000000000000-mapping.dmp

Download
memory/1820-105-0x0000000000000000-mapping.dmp

Download
memory/1820-106-0x0000000000000000-mapping.dmp

Download
memory/1820-107-0x0000000000000000-mapping.dmp

Download
memory/1820-108-0x0000000000000000-mapping.dmp

Download
memory/1820-109-0x0000000000000000-mapping.dmp

Download
memory/1820-110-0x0000000000000000-mapping.dmp

Download
memory/1820-111-0x0000000000000000-mapping.dmp

Download
memory/1820-112-0x0000000000000000-mapping.dmp

Download
memory/1820-113-0x0000000000000000-mapping.dmp

Download
memory/1820-114-0x0000000000000000-mapping.dmp

Download
memory/1820-115-0x0000000000000000-mapping.dmp

Download
memory/1820-116-0x0000000000000000-mapping.dmp

Download
memory/1820-117-0x0000000000000000-mapping.dmp

Download
memory/1820-118-0x0000000000000000-mapping.dmp

Download
memory/1820-119-0x0000000000000000-mapping.dmp

Download
memory/1820-120-0x0000000000000000-mapping.dmp

Download
memory/1820-121-0x0000000000000000-mapping.dmp

Download
memory/1820-122-0x0000000000000000-mapping.dmp

Download
memory/1820-123-0x0000000000000000-mapping.dmp

Download
memory/1820-125-0x0000000000000000-mapping.dmp

Download
memory/1820-0-0x0000000000000000-mapping.dmp

Download
memory/1820-1-0x0000000000000000-mapping.dmp

Download
memory/1820-2-0x0000000000000000-mapping.dmp

Download
memory/2348-126-0x0000000000000000-mapping.dmp

Download
memory/2360-129-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2360-128-0x000000000040D7D4-mapping.dmp

Download
memory/2360-127-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2460-131-0x0000000000000000-mapping.dmp

Download
memory/2480-132-0x0000000000000000-mapping.dmp

Download
memory/2500-133-0x0000000000000000-mapping.dmp

Download
memory/2516-134-0x0000000000000000-mapping.dmp

Download
memory/2548-135-0x0000000000000000-mapping.dmp

Download