remcos | 54c9967a2b3467f1a5961630d0bd429400e781de19866a383267c40e0f9acf2f

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7
submitted
15-07-2020 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

logo.gif.exe
Size

334KB
MD5

2dba5eaa753b51add319fae08b7f1b4a
SHA1

83ae229398bc6b01e781dd84e737232302bcff07
SHA256

54c9967a2b3467f1a5961630d0bd429400e781de19866a383267c40e0f9acf2f
SHA512

43d758807c85f5421d89b286778c0319f6ed2d3e9e59fe4c29324655a1d493bf83a01336fe459c8ac9c6e94fb4433ab219bcbb54e786c988fa48521e6c4ba361

Score

10^/10

persistence rat remcos

Malware Config

Extracted

Family

remcos

update.huobibtc.net:443

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	616	logo.gif.exe
Token: SeDebugPrivilege	1812	VideoPlayer.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	logo.gif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	logo.gif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	VideoPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	VideoPlayer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 616 set thread context of 1608	616	logo.gif.exe	25
PID 1812 set thread context of 1328	1812	VideoPlayer.exe	30

Executes dropped EXE 3 IoCs

pid	Process
1608	logo.gif.exe
1812	VideoPlayer.exe
1328	VideoPlayer.exe

Deletes itself 1 IoCs

pid	Process
1644	WScript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	VideoPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	VideoPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	VideoPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\	logo.gif.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	logo.gif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	logo.gif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	logo.gif.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\	VideoPlayer.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
616	logo.gif.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe
1812	VideoPlayer.exe

Loads dropped DLL 2 IoCs

pid	Process
616	logo.gif.exe
1496	cmd.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 1608	616	logo.gif.exe	25
PID 616 wrote to memory of 1608	616	logo.gif.exe	25
PID 616 wrote to memory of 1608	616	logo.gif.exe	25
PID 616 wrote to memory of 1608	616	logo.gif.exe	25
PID 616 wrote to memory of 1608	616	logo.gif.exe	25
PID 616 wrote to memory of 1608	616	logo.gif.exe	25
PID 616 wrote to memory of 1608	616	logo.gif.exe	25
PID 616 wrote to memory of 1608	616	logo.gif.exe	25
PID 616 wrote to memory of 1608	616	logo.gif.exe	25
PID 616 wrote to memory of 1608	616	logo.gif.exe	25
PID 616 wrote to memory of 1608	616	logo.gif.exe	25
PID 1608 wrote to memory of 1644	1608	logo.gif.exe	26
PID 1608 wrote to memory of 1644	1608	logo.gif.exe	26
PID 1608 wrote to memory of 1644	1608	logo.gif.exe	26
PID 1608 wrote to memory of 1644	1608	logo.gif.exe	26
PID 1644 wrote to memory of 1496	1644	WScript.exe	27
PID 1644 wrote to memory of 1496	1644	WScript.exe	27
PID 1644 wrote to memory of 1496	1644	WScript.exe	27
PID 1644 wrote to memory of 1496	1644	WScript.exe	27
PID 1496 wrote to memory of 1812	1496	cmd.exe	29
PID 1496 wrote to memory of 1812	1496	cmd.exe	29
PID 1496 wrote to memory of 1812	1496	cmd.exe	29
PID 1496 wrote to memory of 1812	1496	cmd.exe	29
PID 1812 wrote to memory of 1328	1812	VideoPlayer.exe	30
PID 1812 wrote to memory of 1328	1812	VideoPlayer.exe	30
PID 1812 wrote to memory of 1328	1812	VideoPlayer.exe	30
PID 1812 wrote to memory of 1328	1812	VideoPlayer.exe	30
PID 1812 wrote to memory of 1328	1812	VideoPlayer.exe	30
PID 1812 wrote to memory of 1328	1812	VideoPlayer.exe	30
PID 1812 wrote to memory of 1328	1812	VideoPlayer.exe	30
PID 1812 wrote to memory of 1328	1812	VideoPlayer.exe	30
PID 1812 wrote to memory of 1328	1812	VideoPlayer.exe	30
PID 1812 wrote to memory of 1328	1812	VideoPlayer.exe	30
PID 1812 wrote to memory of 1328	1812	VideoPlayer.exe	30

C:\Users\Admin\AppData\Local\Temp\logo.gif.exe
"C:\Users\Admin\AppData\Local\Temp\logo.gif.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616
- C:\Users\Admin\AppData\Local\Temp\logo.gif.exe
  "C:\Users\Admin\AppData\Local\Temp\logo.gif.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe
        
        C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetThreadContext
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe
        
        "C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe"
        6⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1608-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1608-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1644-8-0x00000000025A0000-0x00000000025A4000-memory.dmp

Filesize
16KB

Download