remcos | 77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2

General

Target

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
Size

337KB
MD5

54be0c733c2f2ec0d17da28bd5f5d229
SHA1

2018ec1b9b4040d304d76ae8e0cb66edc0c5ce50
SHA256

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2
SHA512

f259c6f49c680afa464b0b7c341ca90fc33b28fcb219cf8d75eb36f9592975973751bef476d7332e6d4c4473cd60779f5c5b62f41db83816079a2e5559578721

Score

10^/10

remcos coreentity persistence rat rezer0

Malware Config

Extracted

Family

remcos

C2

servr.killifabuse1.xyz:8643

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral2/memory/4632-6-0x00000000072B0000-0x00000000072B2000-memory.dmp	coreentity

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/4632-7-0x000000000A670000-0x000000000A697000-memory.dmp	rezer0

Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

3932 remcos.exe
660 remcos.exe

pid	process
3932	remcos.exe
660	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.exe77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exeremcos.exeremcos.exe

description	pid	process	target process
PID 4632 set thread context of 3672	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 3932 set thread context of 660	3932	remcos.exe	remcos.exe
PID 660 set thread context of 1052	660	remcos.exe	svchost.exe

Modifies registry class 1 IoCs

Processes:

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exeremcos.exe

pid	process
4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
3932	remcos.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

remcos.exe

pid process

660 remcos.exe

pid	process
660	remcos.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exeremcos.exe

description	pid	process
Token: SeDebugPrivilege	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
Token: SeDebugPrivilege	3932	remcos.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

660 remcos.exe

pid	process
660	remcos.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exeWScript.execmd.exeremcos.exeremcos.exe

description	pid	process	target process
PID 4632 wrote to memory of 3568	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3568	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3568	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3672	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3672	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3672	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3672	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3672	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3672	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3672	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3672	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3672	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 4632 wrote to memory of 3672	4632	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
PID 3672 wrote to memory of 3288	3672	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	WScript.exe
PID 3672 wrote to memory of 3288	3672	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	WScript.exe
PID 3672 wrote to memory of 3288	3672	77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe	WScript.exe
PID 3288 wrote to memory of 4188	3288	WScript.exe	cmd.exe
PID 3288 wrote to memory of 4188	3288	WScript.exe	cmd.exe
PID 3288 wrote to memory of 4188	3288	WScript.exe	cmd.exe
PID 4188 wrote to memory of 3932	4188	cmd.exe	remcos.exe
PID 4188 wrote to memory of 3932	4188	cmd.exe	remcos.exe
PID 4188 wrote to memory of 3932	4188	cmd.exe	remcos.exe
PID 3932 wrote to memory of 660	3932	remcos.exe	remcos.exe
PID 3932 wrote to memory of 660	3932	remcos.exe	remcos.exe
PID 3932 wrote to memory of 660	3932	remcos.exe	remcos.exe
PID 3932 wrote to memory of 660	3932	remcos.exe	remcos.exe
PID 3932 wrote to memory of 660	3932	remcos.exe	remcos.exe
PID 3932 wrote to memory of 660	3932	remcos.exe	remcos.exe
PID 3932 wrote to memory of 660	3932	remcos.exe	remcos.exe
PID 3932 wrote to memory of 660	3932	remcos.exe	remcos.exe
PID 3932 wrote to memory of 660	3932	remcos.exe	remcos.exe
PID 3932 wrote to memory of 660	3932	remcos.exe	remcos.exe
PID 660 wrote to memory of 1052	660	remcos.exe	svchost.exe
PID 660 wrote to memory of 1052	660	remcos.exe	svchost.exe
PID 660 wrote to memory of 1052	660	remcos.exe	svchost.exe
PID 660 wrote to memory of 1052	660	remcos.exe	svchost.exe
PID 660 wrote to memory of 1052	660	remcos.exe	svchost.exe
PID 660 wrote to memory of 1052	660	remcos.exe	svchost.exe
PID 660 wrote to memory of 1052	660	remcos.exe	svchost.exe
PID 660 wrote to memory of 1052	660	remcos.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
"C:\Users\Admin\AppData\Local\Temp\77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Local\Temp\77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
"{path}"
2⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2.exe
"{path}"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
54be0c733c2f2ec0d17da28bd5f5d229

SHA1
2018ec1b9b4040d304d76ae8e0cb66edc0c5ce50

SHA256
77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2

SHA512
f259c6f49c680afa464b0b7c341ca90fc33b28fcb219cf8d75eb36f9592975973751bef476d7332e6d4c4473cd60779f5c5b62f41db83816079a2e5559578721

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
54be0c733c2f2ec0d17da28bd5f5d229

SHA1
2018ec1b9b4040d304d76ae8e0cb66edc0c5ce50

SHA256
77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2

SHA512
f259c6f49c680afa464b0b7c341ca90fc33b28fcb219cf8d75eb36f9592975973751bef476d7332e6d4c4473cd60779f5c5b62f41db83816079a2e5559578721

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
54be0c733c2f2ec0d17da28bd5f5d229

SHA1
2018ec1b9b4040d304d76ae8e0cb66edc0c5ce50

SHA256
77f25549a1a3f0bc29ca746125f0ad306418ee9699c1b7cd57c36d29488134d2

SHA512
f259c6f49c680afa464b0b7c341ca90fc33b28fcb219cf8d75eb36f9592975973751bef476d7332e6d4c4473cd60779f5c5b62f41db83816079a2e5559578721

Download Submit
memory/660-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/660-28-0x0000000000413A84-mapping.dmp

Download
memory/1052-32-0x000000000044D11E-mapping.dmp

Download
memory/1052-31-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3288-12-0x0000000000000000-mapping.dmp

Download
memory/3672-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3672-10-0x0000000000413A84-mapping.dmp

Download
memory/3672-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3932-18-0x0000000073DA0000-0x000000007448E000-memory.dmp

Filesize
6.9MB

Download
memory/3932-15-0x0000000000000000-mapping.dmp

Download
memory/4188-14-0x0000000000000000-mapping.dmp

Download
memory/4632-7-0x000000000A670000-0x000000000A697000-memory.dmp

Filesize
156KB

Download
memory/4632-0-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4632-8-0x000000000A760000-0x000000000A761000-memory.dmp

Filesize
4KB

Download
memory/4632-6-0x00000000072B0000-0x00000000072B2000-memory.dmp

Filesize
8KB

Download
memory/4632-5-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/4632-4-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/4632-3-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/4632-1-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads