remcos | 54c9967a2b3467f1a5961630d0bd429400e781de19866a383267c40e0f9acf2f

Analysis

max time kernel
149s
max time network
151s
platform
windows10_x64
resource
win10v200430
submitted
15-07-2020 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

logo.gif.exe
Size

334KB
MD5

2dba5eaa753b51add319fae08b7f1b4a
SHA1

83ae229398bc6b01e781dd84e737232302bcff07
SHA256

54c9967a2b3467f1a5961630d0bd429400e781de19866a383267c40e0f9acf2f
SHA512

43d758807c85f5421d89b286778c0319f6ed2d3e9e59fe4c29324655a1d493bf83a01336fe459c8ac9c6e94fb4433ab219bcbb54e786c988fa48521e6c4ba361

Score

10^/10

rat remcos persistence

Malware Config

Extracted

Family

remcos

update.huobibtc.net:443

Signatures

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
3812	logo.gif.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe
1716	VideoPlayer.exe

Executes dropped EXE 5 IoCs

pid	Process
812	logo.gif.exe
916	logo.gif.exe
1716	VideoPlayer.exe
1552	VideoPlayer.exe
2196	VideoPlayer.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\	VideoPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	VideoPlayer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	VideoPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	VideoPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\	logo.gif.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	logo.gif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	logo.gif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	logo.gif.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	VideoPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	VideoPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	logo.gif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VideoPlayer = "\"C:\\Users\\Admin\\AppData\\Roaming\\VideoPlayer\\VideoPlayer.exe\""	logo.gif.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings	logo.gif.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	logo.gif.exe
Token: SeDebugPrivilege	1716	VideoPlayer.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 812	3812	logo.gif.exe	67
PID 3812 wrote to memory of 812	3812	logo.gif.exe	67
PID 3812 wrote to memory of 812	3812	logo.gif.exe	67
PID 3812 wrote to memory of 916	3812	logo.gif.exe	68
PID 3812 wrote to memory of 916	3812	logo.gif.exe	68
PID 3812 wrote to memory of 916	3812	logo.gif.exe	68
PID 3812 wrote to memory of 916	3812	logo.gif.exe	68
PID 3812 wrote to memory of 916	3812	logo.gif.exe	68
PID 3812 wrote to memory of 916	3812	logo.gif.exe	68
PID 3812 wrote to memory of 916	3812	logo.gif.exe	68
PID 3812 wrote to memory of 916	3812	logo.gif.exe	68
PID 3812 wrote to memory of 916	3812	logo.gif.exe	68
PID 3812 wrote to memory of 916	3812	logo.gif.exe	68
PID 916 wrote to memory of 1176	916	logo.gif.exe	69
PID 916 wrote to memory of 1176	916	logo.gif.exe	69
PID 916 wrote to memory of 1176	916	logo.gif.exe	69
PID 1176 wrote to memory of 1472	1176	WScript.exe	70
PID 1176 wrote to memory of 1472	1176	WScript.exe	70
PID 1176 wrote to memory of 1472	1176	WScript.exe	70
PID 1472 wrote to memory of 1716	1472	cmd.exe	72
PID 1472 wrote to memory of 1716	1472	cmd.exe	72
PID 1472 wrote to memory of 1716	1472	cmd.exe	72
PID 1716 wrote to memory of 1552	1716	VideoPlayer.exe	73
PID 1716 wrote to memory of 1552	1716	VideoPlayer.exe	73
PID 1716 wrote to memory of 1552	1716	VideoPlayer.exe	73
PID 1716 wrote to memory of 2196	1716	VideoPlayer.exe	74
PID 1716 wrote to memory of 2196	1716	VideoPlayer.exe	74
PID 1716 wrote to memory of 2196	1716	VideoPlayer.exe	74
PID 1716 wrote to memory of 2196	1716	VideoPlayer.exe	74
PID 1716 wrote to memory of 2196	1716	VideoPlayer.exe	74
PID 1716 wrote to memory of 2196	1716	VideoPlayer.exe	74
PID 1716 wrote to memory of 2196	1716	VideoPlayer.exe	74
PID 1716 wrote to memory of 2196	1716	VideoPlayer.exe	74
PID 1716 wrote to memory of 2196	1716	VideoPlayer.exe	74
PID 1716 wrote to memory of 2196	1716	VideoPlayer.exe	74

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3812 set thread context of 916	3812	logo.gif.exe	68
PID 1716 set thread context of 2196	1716	VideoPlayer.exe	74

Deletes itself 1 IoCs

pid	Process
1176	WScript.exe

C:\Users\Admin\AppData\Local\Temp\logo.gif.exe
"C:\Users\Admin\AppData\Local\Temp\logo.gif.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3812
- C:\Users\Admin\AppData\Local\Temp\logo.gif.exe
  "C:\Users\Admin\AppData\Local\Temp\logo.gif.exe"
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Users\Admin\AppData\Local\Temp\logo.gif.exe
  "C:\Users\Admin\AppData\Local\Temp\logo.gif.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Adds policy Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    - Deletes itself
    PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe
        
        C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        Suspicious use of SetThreadContext
        
        PID:1716
      - C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe
        
        "C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe"
        6⤵
        Executes dropped EXE
        
        PID:1552
      - C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe
        
        "C:\Users\Admin\AppData\Roaming\VideoPlayer\VideoPlayer.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Adds policy Run key to start application
        
        PID:2196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/916-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2196-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download