remcos | 6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09

Analysis

max time kernel
19s
max time network
86s
platform
windows7_x64
resource
win7
submitted
29-07-2020 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
Size

656KB
MD5

6466b9e657e38501048da7869b1de39f
SHA1

0d0598e1be9bd940734708769bfb1961303e7c0e
SHA256

6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09
SHA512

cbd62e4742357ccc781627f8cc3e04581704ac70fcae42d3b1ebbe2ed05f2a01a69192917ea93bb060dd02d94bc97dc0cfc5ecab5588f58e9ef548bef2a47ae1

Score

10^/10

persistence rat remcos

Malware Config

Extracted

Family

remcos

188.72.124.143:2855

Signatures

Suspicious use of WriteProcessMemory 100 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1552	1492	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	24
PID 1492 wrote to memory of 1552	1492	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	24
PID 1492 wrote to memory of 1552	1492	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	24
PID 1492 wrote to memory of 1552	1492	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	24
PID 1552 wrote to memory of 784	1552	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	25
PID 1552 wrote to memory of 784	1552	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	25
PID 1552 wrote to memory of 784	1552	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	25
PID 1552 wrote to memory of 784	1552	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	25
PID 784 wrote to memory of 1036	784	WScript.exe	26
PID 784 wrote to memory of 1036	784	WScript.exe	26
PID 784 wrote to memory of 1036	784	WScript.exe	26
PID 784 wrote to memory of 1036	784	WScript.exe	26
PID 1036 wrote to memory of 1512	1036	cmd.exe	28
PID 1036 wrote to memory of 1512	1036	cmd.exe	28
PID 1036 wrote to memory of 1512	1036	cmd.exe	28
PID 1036 wrote to memory of 1512	1036	cmd.exe	28
PID 1512 wrote to memory of 1296	1512	Fedex.exe	29
PID 1512 wrote to memory of 1296	1512	Fedex.exe	29
PID 1512 wrote to memory of 1296	1512	Fedex.exe	29
PID 1512 wrote to memory of 1296	1512	Fedex.exe	29
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1296 wrote to memory of 1764	1296	Fedex.exe	30
PID 1764 wrote to memory of 1848	1764	svchost.exe	31
PID 1764 wrote to memory of 1848	1764	svchost.exe	31
PID 1764 wrote to memory of 1848	1764	svchost.exe	31
PID 1764 wrote to memory of 1848	1764	svchost.exe	31
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1296 wrote to memory of 1872	1296	Fedex.exe	32
PID 1872 wrote to memory of 1888	1872	svchost.exe	33
PID 1872 wrote to memory of 1888	1872	svchost.exe	33
PID 1872 wrote to memory of 1888	1872	svchost.exe	33
PID 1872 wrote to memory of 1888	1872	svchost.exe	33
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1296 wrote to memory of 1908	1296	Fedex.exe	34
PID 1908 wrote to memory of 1132	1908	svchost.exe	35
PID 1908 wrote to memory of 1132	1908	svchost.exe	35
PID 1908 wrote to memory of 1132	1908	svchost.exe	35
PID 1908 wrote to memory of 1132	1908	svchost.exe	35
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1296 wrote to memory of 1836	1296	Fedex.exe	36
PID 1836 wrote to memory of 1860	1836	svchost.exe	37
PID 1836 wrote to memory of 1860	1836	svchost.exe	37
PID 1836 wrote to memory of 1860	1836	svchost.exe	37
PID 1836 wrote to memory of 1860	1836	svchost.exe	37
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1296 wrote to memory of 1732	1296	Fedex.exe	38
PID 1732 wrote to memory of 1560	1732	svchost.exe	39
PID 1732 wrote to memory of 1560	1732	svchost.exe	39
PID 1732 wrote to memory of 1560	1732	svchost.exe	39
PID 1732 wrote to memory of 1560	1732	svchost.exe	39

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1492	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
1512	Fedex.exe
1764	svchost.exe
1872	svchost.exe
1908	svchost.exe
1836	svchost.exe
1732	svchost.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 1492 set thread context of 1552	1492	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	24
PID 1512 set thread context of 1296	1512	Fedex.exe	29
PID 1296 set thread context of 1764	1296	Fedex.exe	30
PID 1764 set thread context of 1848	1764	svchost.exe	31
PID 1296 set thread context of 1872	1296	Fedex.exe	32
PID 1872 set thread context of 1888	1872	svchost.exe	33
PID 1296 set thread context of 1908	1296	Fedex.exe	34
PID 1908 set thread context of 1132	1908	svchost.exe	35
PID 1296 set thread context of 1836	1296	Fedex.exe	36
PID 1836 set thread context of 1860	1836	svchost.exe	37
PID 1296 set thread context of 1732	1296	Fedex.exe	38
PID 1732 set thread context of 1560	1732	svchost.exe	39

Loads dropped DLL 2 IoCs

pid	Process
1036	cmd.exe
1036	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1512	Fedex.exe
1296	Fedex.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fedex = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fedex\\Fedex.exe\""	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Fedex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fedex = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fedex\\Fedex.exe\""	Fedex.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1492	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
1512	Fedex.exe
1764	svchost.exe
1872	svchost.exe
1908	svchost.exe
1836	svchost.exe
1732	svchost.exe

C:\Users\Admin\AppData\Local\Temp\V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
"C:\Users\Admin\AppData\Local\Temp\V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1492
- C:\Users\Admin\AppData\Local\Temp\V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
  "C:\Users\Admin\AppData\Local\Temp\V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr" /S
  2⤵
  - Suspicious use of WriteProcessMemory
  - Adds Run key to start application
  PID:1552
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Fedex\Fedex.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      Loads dropped DLL
      PID:1036
    - - C:\Users\Admin\AppData\Roaming\Fedex\Fedex.exe
        
        C:\Users\Admin\AppData\Roaming\Fedex\Fedex.exe
        5⤵
        Suspicious use of WriteProcessMemory
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
      - C:\Users\Admin\AppData\Roaming\Fedex\Fedex.exe
        
        C:\Users\Admin\AppData\Roaming\Fedex\Fedex.exe
        6⤵
        Suspicious use of WriteProcessMemory
        Suspicious use of SetThreadContext
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        Suspicious use of WriteProcessMemory
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        Suspicious use of WriteProcessMemory
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1872
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-6-0x00000000026C0000-0x00000000026C4000-memory.dmp

Filesize
16KB

Download
memory/1296-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1552-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1552-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1764-16-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1764-18-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1872-23-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download