remcos | fd16b4767d7764fde593f6b7d6449ccb233c18270bf45d67edde500c5028dc94

General

Target

Oral-Action.scr
Size

1.7MB
MD5

1ba47e918f50f837096de2379c5d5150
SHA1

97e59f85f0bcc0bdd6635ad21d1c43d4dfc28676
SHA256

fd16b4767d7764fde593f6b7d6449ccb233c18270bf45d67edde500c5028dc94
SHA512

f44c243db8e7434bf19216fa473a5d8b0b6202cfeb8b1fa42148c3af8cfb97086ab043a5216c2768a1e6b9b1d705365d0564cedb1399dc1833e0284efed4b270

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

C2

masters4733.sytes.net:8686

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 2 IoCs

Processes:

start.exestart.exe

pid process

1116 start.exe
1424 start.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1224 cmd.exe
1224 cmd.exe

pid	process
1116	start.exe
1424	start.exe

pid	process
1224	cmd.exe
1224	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Oral-Action.scrstart.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Oral-Action.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\start = "\"C:\\Users\\Admin\\AppData\\Roaming\\start\\start.exe\""	Oral-Action.scr
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\start = "\"C:\\Users\\Admin\\AppData\\Roaming\\start\\start.exe\""	start.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Oral-Action.scrstart.exe

description	pid	process	target process
PID 784 set thread context of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 1116 set thread context of 1424	1116	start.exe	start.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1264 reg.exe
632 reg.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

start.exe

pid process

1424 start.exe

pid	process
1264	reg.exe
632	reg.exe

pid	process
1424	start.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

Oral-Action.scrOral-Action.scrcmd.exeWScript.execmd.exestart.exestart.execmd.exe

description	pid	process	target process
PID 784 wrote to memory of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 784 wrote to memory of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 784 wrote to memory of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 784 wrote to memory of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 784 wrote to memory of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 784 wrote to memory of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 784 wrote to memory of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 784 wrote to memory of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 784 wrote to memory of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 784 wrote to memory of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 784 wrote to memory of 1176	784	Oral-Action.scr	Oral-Action.scr
PID 1176 wrote to memory of 1212	1176	Oral-Action.scr	cmd.exe
PID 1176 wrote to memory of 1212	1176	Oral-Action.scr	cmd.exe
PID 1176 wrote to memory of 1212	1176	Oral-Action.scr	cmd.exe
PID 1176 wrote to memory of 1212	1176	Oral-Action.scr	cmd.exe
PID 1212 wrote to memory of 1264	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1264	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1264	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1264	1212	cmd.exe	reg.exe
PID 1176 wrote to memory of 1364	1176	Oral-Action.scr	WScript.exe
PID 1176 wrote to memory of 1364	1176	Oral-Action.scr	WScript.exe
PID 1176 wrote to memory of 1364	1176	Oral-Action.scr	WScript.exe
PID 1176 wrote to memory of 1364	1176	Oral-Action.scr	WScript.exe
PID 1364 wrote to memory of 1224	1364	WScript.exe	cmd.exe
PID 1364 wrote to memory of 1224	1364	WScript.exe	cmd.exe
PID 1364 wrote to memory of 1224	1364	WScript.exe	cmd.exe
PID 1364 wrote to memory of 1224	1364	WScript.exe	cmd.exe
PID 1224 wrote to memory of 1116	1224	cmd.exe	start.exe
PID 1224 wrote to memory of 1116	1224	cmd.exe	start.exe
PID 1224 wrote to memory of 1116	1224	cmd.exe	start.exe
PID 1224 wrote to memory of 1116	1224	cmd.exe	start.exe
PID 1116 wrote to memory of 1424	1116	start.exe	start.exe
PID 1116 wrote to memory of 1424	1116	start.exe	start.exe
PID 1116 wrote to memory of 1424	1116	start.exe	start.exe
PID 1116 wrote to memory of 1424	1116	start.exe	start.exe
PID 1116 wrote to memory of 1424	1116	start.exe	start.exe
PID 1116 wrote to memory of 1424	1116	start.exe	start.exe
PID 1116 wrote to memory of 1424	1116	start.exe	start.exe
PID 1116 wrote to memory of 1424	1116	start.exe	start.exe
PID 1116 wrote to memory of 1424	1116	start.exe	start.exe
PID 1116 wrote to memory of 1424	1116	start.exe	start.exe
PID 1116 wrote to memory of 1424	1116	start.exe	start.exe
PID 1424 wrote to memory of 304	1424	start.exe	cmd.exe
PID 1424 wrote to memory of 304	1424	start.exe	cmd.exe
PID 1424 wrote to memory of 304	1424	start.exe	cmd.exe
PID 1424 wrote to memory of 304	1424	start.exe	cmd.exe
PID 304 wrote to memory of 632	304	cmd.exe	reg.exe
PID 304 wrote to memory of 632	304	cmd.exe	reg.exe
PID 304 wrote to memory of 632	304	cmd.exe	reg.exe
PID 304 wrote to memory of 632	304	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Oral-Action.scr
"C:\Users\Admin\AppData\Local\Temp\Oral-Action.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\Oral-Action.scr
"C:\Users\Admin\AppData\Local\Temp\Oral-Action.scr"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:1264

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\start\start.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Roaming\start\start.exe
C:\Users\Admin\AppData\Roaming\start\start.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Roaming\start\start.exe
"C:\Users\Admin\AppData\Roaming\start\start.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
8⤵
- Modifies registry key
PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
a9df62f02c776af7a9eb2a1f9a4fb408

SHA1
e6f5add446a134ff353d10eff8ea26f30b7cd839

SHA256
196620c6cc4a5f5382d44d597229d72ac5fe42e1e4e9faa63527d414fedc8e86

SHA512
8c7d143dc9c623246148b8e7dd8e0487fb6988a12e9614b37c48246e501c88c946001edcdf019201c89b8fe5dd3604674dfd8d96c4ae1b706ac48c64c09dae07

Download Submit
C:\Users\Admin\AppData\Roaming\start\start.exe
MD5
1ba47e918f50f837096de2379c5d5150

SHA1
97e59f85f0bcc0bdd6635ad21d1c43d4dfc28676

SHA256
fd16b4767d7764fde593f6b7d6449ccb233c18270bf45d67edde500c5028dc94

SHA512
f44c243db8e7434bf19216fa473a5d8b0b6202cfeb8b1fa42148c3af8cfb97086ab043a5216c2768a1e6b9b1d705365d0564cedb1399dc1833e0284efed4b270

Download Submit
C:\Users\Admin\AppData\Roaming\start\start.exe
MD5
1ba47e918f50f837096de2379c5d5150

SHA1
97e59f85f0bcc0bdd6635ad21d1c43d4dfc28676

SHA256
fd16b4767d7764fde593f6b7d6449ccb233c18270bf45d67edde500c5028dc94

SHA512
f44c243db8e7434bf19216fa473a5d8b0b6202cfeb8b1fa42148c3af8cfb97086ab043a5216c2768a1e6b9b1d705365d0564cedb1399dc1833e0284efed4b270

Download Submit
C:\Users\Admin\AppData\Roaming\start\start.exe
MD5
1ba47e918f50f837096de2379c5d5150

SHA1
97e59f85f0bcc0bdd6635ad21d1c43d4dfc28676

SHA256
fd16b4767d7764fde593f6b7d6449ccb233c18270bf45d67edde500c5028dc94

SHA512
f44c243db8e7434bf19216fa473a5d8b0b6202cfeb8b1fa42148c3af8cfb97086ab043a5216c2768a1e6b9b1d705365d0564cedb1399dc1833e0284efed4b270

Download Submit
\Users\Admin\AppData\Roaming\start\start.exe
MD5
1ba47e918f50f837096de2379c5d5150

SHA1
97e59f85f0bcc0bdd6635ad21d1c43d4dfc28676

SHA256
fd16b4767d7764fde593f6b7d6449ccb233c18270bf45d67edde500c5028dc94

SHA512
f44c243db8e7434bf19216fa473a5d8b0b6202cfeb8b1fa42148c3af8cfb97086ab043a5216c2768a1e6b9b1d705365d0564cedb1399dc1833e0284efed4b270

Download Submit
\Users\Admin\AppData\Roaming\start\start.exe
MD5
1ba47e918f50f837096de2379c5d5150

SHA1
97e59f85f0bcc0bdd6635ad21d1c43d4dfc28676

SHA256
fd16b4767d7764fde593f6b7d6449ccb233c18270bf45d67edde500c5028dc94

SHA512
f44c243db8e7434bf19216fa473a5d8b0b6202cfeb8b1fa42148c3af8cfb97086ab043a5216c2768a1e6b9b1d705365d0564cedb1399dc1833e0284efed4b270

Download Submit
memory/304-32-0x0000000000000000-mapping.dmp

Download
memory/632-33-0x0000000000000000-mapping.dmp

Download
memory/784-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/784-6-0x0000000000570000-0x0000000000581000-memory.dmp

Filesize
68KB

Download
memory/784-5-0x0000000000410000-0x000000000044A000-memory.dmp

Filesize
232KB

Download
memory/784-3-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1116-24-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/1116-25-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1116-22-0x0000000000000000-mapping.dmp

Download
memory/1176-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1176-11-0x0000000000413FA4-mapping.dmp

Download
memory/1176-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1212-13-0x0000000000000000-mapping.dmp

Download
memory/1224-17-0x0000000000000000-mapping.dmp

Download
memory/1264-14-0x0000000000000000-mapping.dmp

Download
memory/1364-18-0x0000000002830000-0x0000000002834000-memory.dmp

Filesize
16KB

Download
memory/1364-15-0x0000000000000000-mapping.dmp

Download
memory/1424-29-0x0000000000413FA4-mapping.dmp

Download
memory/1424-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads