remcos | 641a1d0d54fc5d0facf1c2c20d1cb54f60705d67b5990b3be3cfcb7e8c1269a4

Analysis

max time kernel
148s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
24-12-2020 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
Size

573KB
MD5

7b80992176d91fe6ccb5301fb16e3e40
SHA1

77bee4b3b07c367f45ea8ecd87eb65b317900fd9
SHA256

641a1d0d54fc5d0facf1c2c20d1cb54f60705d67b5990b3be3cfcb7e8c1269a4
SHA512

154b6a62df5c058c49ad58ddf0fefedb7675c9e8c06f5a637fd50d9869409772c954271de6f4791b774eb921030afc4d40e50f1523194c86b1c6e795aca258fd

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

whatgodcannotdodoestnotexist.duckdns.org:2889

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 5 IoCs

Processes:

mgiy.exeAddInProcess32.exeFB_8492.tmp.exeFB_853F.tmp.exeremcos.exe

pid process

1332 mgiy.exe
3832 AddInProcess32.exe
3980 FB_8492.tmp.exe
760 FB_853F.tmp.exe
3804 remcos.exe

pid	process
1332	mgiy.exe
3832	AddInProcess32.exe
3980	FB_8492.tmp.exe
760	FB_853F.tmp.exe
3804	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\bqpd = "C:\\Users\\Admin\\mgiy.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

mgiy.exe

description pid process target process

PID 1332 set thread context of 3832 1332 mgiy.exe AddInProcess32.exe
Modifies registry class 1 IoCs

Processes:

FB_853F.tmp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings FB_853F.tmp.exe

description	pid	process	target process
PID 1332 set thread context of 3832	1332	mgiy.exe	AddInProcess32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	FB_853F.tmp.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exemgiy.exe

pid	process
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
1332	mgiy.exe
1332	mgiy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exemgiy.exe

description pid process

Token: SeDebugPrivilege 656 SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
Token: SeDebugPrivilege 1332 mgiy.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

3804 remcos.exe

description	pid	process
Token: SeDebugPrivilege	656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
Token: SeDebugPrivilege	1332	mgiy.exe

pid	process
3804	remcos.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.execmd.exemgiy.exeAddInProcess32.exeFB_853F.tmp.exeWScript.execmd.exe

description	pid	process	target process
PID 656 wrote to memory of 3252	656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	cmd.exe
PID 656 wrote to memory of 3252	656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	cmd.exe
PID 656 wrote to memory of 3252	656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	cmd.exe
PID 3252 wrote to memory of 2916	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 2916	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 2916	3252	cmd.exe	reg.exe
PID 656 wrote to memory of 1332	656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	mgiy.exe
PID 656 wrote to memory of 1332	656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	mgiy.exe
PID 656 wrote to memory of 1332	656	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	mgiy.exe
PID 1332 wrote to memory of 3832	1332	mgiy.exe	AddInProcess32.exe
PID 1332 wrote to memory of 3832	1332	mgiy.exe	AddInProcess32.exe
PID 1332 wrote to memory of 3832	1332	mgiy.exe	AddInProcess32.exe
PID 1332 wrote to memory of 3832	1332	mgiy.exe	AddInProcess32.exe
PID 1332 wrote to memory of 3832	1332	mgiy.exe	AddInProcess32.exe
PID 1332 wrote to memory of 3832	1332	mgiy.exe	AddInProcess32.exe
PID 1332 wrote to memory of 3832	1332	mgiy.exe	AddInProcess32.exe
PID 1332 wrote to memory of 3832	1332	mgiy.exe	AddInProcess32.exe
PID 1332 wrote to memory of 3832	1332	mgiy.exe	AddInProcess32.exe
PID 3832 wrote to memory of 3980	3832	AddInProcess32.exe	FB_8492.tmp.exe
PID 3832 wrote to memory of 3980	3832	AddInProcess32.exe	FB_8492.tmp.exe
PID 3832 wrote to memory of 3980	3832	AddInProcess32.exe	FB_8492.tmp.exe
PID 3832 wrote to memory of 760	3832	AddInProcess32.exe	FB_853F.tmp.exe
PID 3832 wrote to memory of 760	3832	AddInProcess32.exe	FB_853F.tmp.exe
PID 3832 wrote to memory of 760	3832	AddInProcess32.exe	FB_853F.tmp.exe
PID 760 wrote to memory of 2928	760	FB_853F.tmp.exe	WScript.exe
PID 760 wrote to memory of 2928	760	FB_853F.tmp.exe	WScript.exe
PID 760 wrote to memory of 2928	760	FB_853F.tmp.exe	WScript.exe
PID 2928 wrote to memory of 1848	2928	WScript.exe	cmd.exe
PID 2928 wrote to memory of 1848	2928	WScript.exe	cmd.exe
PID 2928 wrote to memory of 1848	2928	WScript.exe	cmd.exe
PID 1848 wrote to memory of 3804	1848	cmd.exe	remcos.exe
PID 1848 wrote to memory of 3804	1848	cmd.exe	remcos.exe
PID 1848 wrote to memory of 3804	1848	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bqpd" /t REG_SZ /d "C:\Users\Admin\mgiy.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bqpd" /t REG_SZ /d "C:\Users\Admin\mgiy.exe"
3⤵
- Adds Run key to start application
PID:2916

C:\Users\Admin\mgiy.exe
"C:\Users\Admin\mgiy.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\FB_8492.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_8492.tmp.exe"
4⤵
- Executes dropped EXE
PID:3980

C:\Users\Admin\AppData\Local\Temp\FB_853F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_853F.tmp.exe"
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_8492.tmp.exe

MD5
74bafb3e707c7b0c63938ac200f99c7f

SHA1
10c5506337845ed9bf25c73d2506f9c15ab8e608

SHA256
129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689

SHA512
5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_8492.tmp.exe

MD5
74bafb3e707c7b0c63938ac200f99c7f

SHA1
10c5506337845ed9bf25c73d2506f9c15ab8e608

SHA256
129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689

SHA512
5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_853F.tmp.exe

MD5
7d6e5c79b45e0fba39a39cd9a527170c

SHA1
bbb55e8fee57adef35682d42bcd4912a9882f8ae

SHA256
8c1e3481810bb7479e777a08969828c8d68ab73ea629026fc2e490c51f6e950e

SHA512
3f7cd86bd21fcd44a6463da47bdf88bad6864da4125eebf0dd57be9864afecc065c83fffbb3e4bf21c2b52fe4b0c5cfc172563d15cbc8f94132a9d6ad004223b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_853F.tmp.exe

MD5
7d6e5c79b45e0fba39a39cd9a527170c

SHA1
bbb55e8fee57adef35682d42bcd4912a9882f8ae

SHA256
8c1e3481810bb7479e777a08969828c8d68ab73ea629026fc2e490c51f6e950e

SHA512
3f7cd86bd21fcd44a6463da47bdf88bad6864da4125eebf0dd57be9864afecc065c83fffbb3e4bf21c2b52fe4b0c5cfc172563d15cbc8f94132a9d6ad004223b

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
7d6e5c79b45e0fba39a39cd9a527170c

SHA1
bbb55e8fee57adef35682d42bcd4912a9882f8ae

SHA256
8c1e3481810bb7479e777a08969828c8d68ab73ea629026fc2e490c51f6e950e

SHA512
3f7cd86bd21fcd44a6463da47bdf88bad6864da4125eebf0dd57be9864afecc065c83fffbb3e4bf21c2b52fe4b0c5cfc172563d15cbc8f94132a9d6ad004223b

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
7d6e5c79b45e0fba39a39cd9a527170c

SHA1
bbb55e8fee57adef35682d42bcd4912a9882f8ae

SHA256
8c1e3481810bb7479e777a08969828c8d68ab73ea629026fc2e490c51f6e950e

SHA512
3f7cd86bd21fcd44a6463da47bdf88bad6864da4125eebf0dd57be9864afecc065c83fffbb3e4bf21c2b52fe4b0c5cfc172563d15cbc8f94132a9d6ad004223b

Download Submit
C:\Users\Admin\mgiy.exe

MD5
7b80992176d91fe6ccb5301fb16e3e40

SHA1
77bee4b3b07c367f45ea8ecd87eb65b317900fd9

SHA256
641a1d0d54fc5d0facf1c2c20d1cb54f60705d67b5990b3be3cfcb7e8c1269a4

SHA512
154b6a62df5c058c49ad58ddf0fefedb7675c9e8c06f5a637fd50d9869409772c954271de6f4791b774eb921030afc4d40e50f1523194c86b1c6e795aca258fd

Download Submit
C:\Users\Admin\mgiy.exe

MD5
7b80992176d91fe6ccb5301fb16e3e40

SHA1
77bee4b3b07c367f45ea8ecd87eb65b317900fd9

SHA256
641a1d0d54fc5d0facf1c2c20d1cb54f60705d67b5990b3be3cfcb7e8c1269a4

SHA512
154b6a62df5c058c49ad58ddf0fefedb7675c9e8c06f5a637fd50d9869409772c954271de6f4791b774eb921030afc4d40e50f1523194c86b1c6e795aca258fd

Download Submit
memory/656-8-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/656-2-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/656-7-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/656-6-0x0000000001580000-0x000000000159E000-memory.dmp

Filesize
120KB

Download
memory/656-5-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/656-3-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/760-30-0x0000000000000000-mapping.dmp

Download
memory/1332-14-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1332-21-0x0000000005220000-0x000000000522B000-memory.dmp

Filesize
44KB

Download
memory/1332-22-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/1332-11-0x0000000000000000-mapping.dmp

Download
memory/1848-35-0x0000000000000000-mapping.dmp

Download
memory/2916-10-0x0000000000000000-mapping.dmp

Download
memory/2928-33-0x0000000000000000-mapping.dmp

Download
memory/3252-9-0x0000000000000000-mapping.dmp

Download
memory/3804-36-0x0000000000000000-mapping.dmp

Download
memory/3832-26-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3832-24-0x0000000000401190-mapping.dmp

Download
memory/3832-23-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3980-27-0x0000000000000000-mapping.dmp

Download