remcos | e7683a0434d07f35f1be3a9726db68d250aa9b093ed922c2837c08efa719609c

General

Target

IMG-001GE-0HUE48E-001012-001.exe
Size

758KB
MD5

36f8772daaf3d5bef5f0168a8640e81a
SHA1

312435761f6749413ef260713e961fb4c5522cbf
SHA256

e7683a0434d07f35f1be3a9726db68d250aa9b093ed922c2837c08efa719609c
SHA512

23189c22c54459a5a9925f24a4152c34b96a8f1bf764b5d971b3bab4bb9489af757b28e81addedf1f8a5a0c84ef3fabf3d58a7c9d728e0bef68e537f637f317f

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

www.maneediem.com:2404

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

owerrinta.exeowerrinta.exe

pid process

2024 owerrinta.exe
472 owerrinta.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1676 WScript.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1468 cmd.exe

pid	process
2024	owerrinta.exe
472	owerrinta.exe

pid	process
1676	WScript.exe

pid	process
1468	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IMG-001GE-0HUE48E-001012-001.exeowerrinta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\owerrita = "\"C:\\Users\\Admin\\AppData\\Roaming\\owerri\\owerrinta.exe\""	IMG-001GE-0HUE48E-001012-001.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	owerrinta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\owerrita = "\"C:\\Users\\Admin\\AppData\\Roaming\\owerri\\owerrinta.exe\""	owerrinta.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	IMG-001GE-0HUE48E-001012-001.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

IMG-001GE-0HUE48E-001012-001.exeowerrinta.exe

description	pid	process	target process
PID 932 set thread context of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 2024 set thread context of 472	2024	owerrinta.exe	owerrinta.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

owerrinta.exe

pid process

472 owerrinta.exe

pid	process
472	owerrinta.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

IMG-001GE-0HUE48E-001012-001.exeIMG-001GE-0HUE48E-001012-001.exeWScript.execmd.exeowerrinta.exe

description	pid	process	target process
PID 932 wrote to memory of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 932 wrote to memory of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 932 wrote to memory of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 932 wrote to memory of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 932 wrote to memory of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 932 wrote to memory of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 932 wrote to memory of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 932 wrote to memory of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 932 wrote to memory of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 932 wrote to memory of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 932 wrote to memory of 1344	932	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 1344 wrote to memory of 1676	1344	IMG-001GE-0HUE48E-001012-001.exe	WScript.exe
PID 1344 wrote to memory of 1676	1344	IMG-001GE-0HUE48E-001012-001.exe	WScript.exe
PID 1344 wrote to memory of 1676	1344	IMG-001GE-0HUE48E-001012-001.exe	WScript.exe
PID 1344 wrote to memory of 1676	1344	IMG-001GE-0HUE48E-001012-001.exe	WScript.exe
PID 1676 wrote to memory of 1468	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1468	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1468	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1468	1676	WScript.exe	cmd.exe
PID 1468 wrote to memory of 2024	1468	cmd.exe	owerrinta.exe
PID 1468 wrote to memory of 2024	1468	cmd.exe	owerrinta.exe
PID 1468 wrote to memory of 2024	1468	cmd.exe	owerrinta.exe
PID 1468 wrote to memory of 2024	1468	cmd.exe	owerrinta.exe
PID 2024 wrote to memory of 472	2024	owerrinta.exe	owerrinta.exe
PID 2024 wrote to memory of 472	2024	owerrinta.exe	owerrinta.exe
PID 2024 wrote to memory of 472	2024	owerrinta.exe	owerrinta.exe
PID 2024 wrote to memory of 472	2024	owerrinta.exe	owerrinta.exe
PID 2024 wrote to memory of 472	2024	owerrinta.exe	owerrinta.exe
PID 2024 wrote to memory of 472	2024	owerrinta.exe	owerrinta.exe
PID 2024 wrote to memory of 472	2024	owerrinta.exe	owerrinta.exe
PID 2024 wrote to memory of 472	2024	owerrinta.exe	owerrinta.exe
PID 2024 wrote to memory of 472	2024	owerrinta.exe	owerrinta.exe
PID 2024 wrote to memory of 472	2024	owerrinta.exe	owerrinta.exe
PID 2024 wrote to memory of 472	2024	owerrinta.exe	owerrinta.exe

C:\Users\Admin\AppData\Local\Temp\IMG-001GE-0HUE48E-001012-001.exe
"C:\Users\Admin\AppData\Local\Temp\IMG-001GE-0HUE48E-001012-001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\IMG-001GE-0HUE48E-001012-001.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
85a1cbfcae8a841638237488e2a94c61

SHA1
65ee5f659a4acaa9861ade2ee67b92ff2384b126

SHA256
9dcdc7b867ae81ae39a56711f9380e3f80514ab31e7013b66434b62c6bdcecc1

SHA512
30f9686eab62e976ccb2528277de4b01ce8287099deeb0ff0d71853b2f174af6cfe6ec8418bac8e48d1b8238e41092ebd76d100f7d12a10d32aeb9c50d21d700

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
36f8772daaf3d5bef5f0168a8640e81a

SHA1
312435761f6749413ef260713e961fb4c5522cbf

SHA256
e7683a0434d07f35f1be3a9726db68d250aa9b093ed922c2837c08efa719609c

SHA512
23189c22c54459a5a9925f24a4152c34b96a8f1bf764b5d971b3bab4bb9489af757b28e81addedf1f8a5a0c84ef3fabf3d58a7c9d728e0bef68e537f637f317f

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
36f8772daaf3d5bef5f0168a8640e81a

SHA1
312435761f6749413ef260713e961fb4c5522cbf

SHA256
e7683a0434d07f35f1be3a9726db68d250aa9b093ed922c2837c08efa719609c

SHA512
23189c22c54459a5a9925f24a4152c34b96a8f1bf764b5d971b3bab4bb9489af757b28e81addedf1f8a5a0c84ef3fabf3d58a7c9d728e0bef68e537f637f317f

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
36f8772daaf3d5bef5f0168a8640e81a

SHA1
312435761f6749413ef260713e961fb4c5522cbf

SHA256
e7683a0434d07f35f1be3a9726db68d250aa9b093ed922c2837c08efa719609c

SHA512
23189c22c54459a5a9925f24a4152c34b96a8f1bf764b5d971b3bab4bb9489af757b28e81addedf1f8a5a0c84ef3fabf3d58a7c9d728e0bef68e537f637f317f

Download Submit
\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
36f8772daaf3d5bef5f0168a8640e81a

SHA1
312435761f6749413ef260713e961fb4c5522cbf

SHA256
e7683a0434d07f35f1be3a9726db68d250aa9b093ed922c2837c08efa719609c

SHA512
23189c22c54459a5a9925f24a4152c34b96a8f1bf764b5d971b3bab4bb9489af757b28e81addedf1f8a5a0c84ef3fabf3d58a7c9d728e0bef68e537f637f317f

Download Submit
memory/472-24-0x0000000000413FA4-mapping.dmp

Download
memory/472-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/932-3-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/932-5-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/932-6-0x0000000005660000-0x00000000056EC000-memory.dmp

Filesize
560KB

Download
memory/932-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1344-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1344-8-0x0000000000413FA4-mapping.dmp

Download
memory/1344-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1468-12-0x0000000000000000-mapping.dmp

Download
memory/1676-13-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/1676-10-0x0000000000000000-mapping.dmp

Download
memory/2024-19-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2024-18-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads