remcos | 6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09

General

Target

V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
Size

656KB
MD5

6466b9e657e38501048da7869b1de39f
SHA1

0d0598e1be9bd940734708769bfb1961303e7c0e
SHA256

6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09
SHA512

cbd62e4742357ccc781627f8cc3e04581704ac70fcae42d3b1ebbe2ed05f2a01a69192917ea93bb060dd02d94bc97dc0cfc5ecab5588f58e9ef548bef2a47ae1

Score

10^/10

persistence rat remcos

Malware Config

Extracted

Family

remcos

C2

188.72.124.143:2855

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
512	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
512	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
1520	Fedex.exe
1520	Fedex.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 648	512	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	67
PID 512 wrote to memory of 648	512	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	67
PID 512 wrote to memory of 648	512	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	67
PID 648 wrote to memory of 688	648	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	68
PID 648 wrote to memory of 688	648	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	68
PID 648 wrote to memory of 688	648	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	68
PID 688 wrote to memory of 1272	688	WScript.exe	69
PID 688 wrote to memory of 1272	688	WScript.exe	69
PID 688 wrote to memory of 1272	688	WScript.exe	69
PID 1272 wrote to memory of 1520	1272	cmd.exe	71
PID 1272 wrote to memory of 1520	1272	cmd.exe	71
PID 1272 wrote to memory of 1520	1272	cmd.exe	71
PID 1520 wrote to memory of 1636	1520	Fedex.exe	72
PID 1520 wrote to memory of 1636	1520	Fedex.exe	72
PID 1520 wrote to memory of 1636	1520	Fedex.exe	72
PID 1636 wrote to memory of 1916	1636	Fedex.exe	73
PID 1636 wrote to memory of 1916	1636	Fedex.exe	73
PID 1636 wrote to memory of 1916	1636	Fedex.exe	73

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
512	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
1520	Fedex.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 512 set thread context of 648	512	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr	67
PID 1520 set thread context of 1636	1520	Fedex.exe	72

Executes dropped EXE 2 IoCs

pid	Process
1520	Fedex.exe
1636	Fedex.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fedex = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fedex\\Fedex.exe\""	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Fedex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fedex = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fedex\\Fedex.exe\""	Fedex.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings	V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr

C:\Users\Admin\AppData\Local\Temp\V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
"C:\Users\Admin\AppData\Local\Temp\V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr" /S
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:512
- C:\Users\Admin\AppData\Local\Temp\V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr
  "C:\Users\Admin\AppData\Local\Temp\V08514-2336-ç´…è˜¿è””æ ¸å° å–®.scr" /S
  2⤵
  - Suspicious use of WriteProcessMemory
  - Adds Run key to start application
  - Modifies registry class
  PID:648
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Fedex\Fedex.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Users\Admin\AppData\Roaming\Fedex\Fedex.exe
        
        C:\Users\Admin\AppData\Roaming\Fedex\Fedex.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:1520
      - C:\Users\Admin\AppData\Roaming\Fedex\Fedex.exe
        
        C:\Users\Admin\AppData\Roaming\Fedex\Fedex.exe
        6⤵
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1636
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        
        PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/648-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1636-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing