remcos | e7683a0434d07f35f1be3a9726db68d250aa9b093ed922c2837c08efa719609c

General

Target

IMG-001GE-0HUE48E-001012-001.exe
Size

758KB
MD5

36f8772daaf3d5bef5f0168a8640e81a
SHA1

312435761f6749413ef260713e961fb4c5522cbf
SHA256

e7683a0434d07f35f1be3a9726db68d250aa9b093ed922c2837c08efa719609c
SHA512

23189c22c54459a5a9925f24a4152c34b96a8f1bf764b5d971b3bab4bb9489af757b28e81addedf1f8a5a0c84ef3fabf3d58a7c9d728e0bef68e537f637f317f

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

www.maneediem.com:2404

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

owerrinta.exeowerrinta.exe

pid process

1152 owerrinta.exe
1008 owerrinta.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

2192 WScript.exe

pid	process
1152	owerrinta.exe
1008	owerrinta.exe

pid	process
2192	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IMG-001GE-0HUE48E-001012-001.exeowerrinta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	IMG-001GE-0HUE48E-001012-001.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\owerrita = "\"C:\\Users\\Admin\\AppData\\Roaming\\owerri\\owerrinta.exe\""	IMG-001GE-0HUE48E-001012-001.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	owerrinta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\owerrita = "\"C:\\Users\\Admin\\AppData\\Roaming\\owerri\\owerrinta.exe\""	owerrinta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

IMG-001GE-0HUE48E-001012-001.exeowerrinta.exe

description	pid	process	target process
PID 972 set thread context of 4076	972	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 1152 set thread context of 1008	1152	owerrinta.exe	owerrinta.exe

Modifies registry class 1 IoCs

Processes:

IMG-001GE-0HUE48E-001012-001.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings IMG-001GE-0HUE48E-001012-001.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

owerrinta.exe

pid process

1008 owerrinta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	IMG-001GE-0HUE48E-001012-001.exe

pid	process
1008	owerrinta.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

IMG-001GE-0HUE48E-001012-001.exeIMG-001GE-0HUE48E-001012-001.exeWScript.execmd.exeowerrinta.exe

description	pid	process	target process
PID 972 wrote to memory of 4076	972	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 972 wrote to memory of 4076	972	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 972 wrote to memory of 4076	972	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 972 wrote to memory of 4076	972	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 972 wrote to memory of 4076	972	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 972 wrote to memory of 4076	972	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 972 wrote to memory of 4076	972	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 972 wrote to memory of 4076	972	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 972 wrote to memory of 4076	972	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 972 wrote to memory of 4076	972	IMG-001GE-0HUE48E-001012-001.exe	IMG-001GE-0HUE48E-001012-001.exe
PID 4076 wrote to memory of 2192	4076	IMG-001GE-0HUE48E-001012-001.exe	WScript.exe
PID 4076 wrote to memory of 2192	4076	IMG-001GE-0HUE48E-001012-001.exe	WScript.exe
PID 4076 wrote to memory of 2192	4076	IMG-001GE-0HUE48E-001012-001.exe	WScript.exe
PID 2192 wrote to memory of 900	2192	WScript.exe	cmd.exe
PID 2192 wrote to memory of 900	2192	WScript.exe	cmd.exe
PID 2192 wrote to memory of 900	2192	WScript.exe	cmd.exe
PID 900 wrote to memory of 1152	900	cmd.exe	owerrinta.exe
PID 900 wrote to memory of 1152	900	cmd.exe	owerrinta.exe
PID 900 wrote to memory of 1152	900	cmd.exe	owerrinta.exe
PID 1152 wrote to memory of 1008	1152	owerrinta.exe	owerrinta.exe
PID 1152 wrote to memory of 1008	1152	owerrinta.exe	owerrinta.exe
PID 1152 wrote to memory of 1008	1152	owerrinta.exe	owerrinta.exe
PID 1152 wrote to memory of 1008	1152	owerrinta.exe	owerrinta.exe
PID 1152 wrote to memory of 1008	1152	owerrinta.exe	owerrinta.exe
PID 1152 wrote to memory of 1008	1152	owerrinta.exe	owerrinta.exe
PID 1152 wrote to memory of 1008	1152	owerrinta.exe	owerrinta.exe
PID 1152 wrote to memory of 1008	1152	owerrinta.exe	owerrinta.exe
PID 1152 wrote to memory of 1008	1152	owerrinta.exe	owerrinta.exe
PID 1152 wrote to memory of 1008	1152	owerrinta.exe	owerrinta.exe

C:\Users\Admin\AppData\Local\Temp\IMG-001GE-0HUE48E-001012-001.exe
"C:\Users\Admin\AppData\Local\Temp\IMG-001GE-0HUE48E-001012-001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\IMG-001GE-0HUE48E-001012-001.exe
"{path}"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
85a1cbfcae8a841638237488e2a94c61

SHA1
65ee5f659a4acaa9861ade2ee67b92ff2384b126

SHA256
9dcdc7b867ae81ae39a56711f9380e3f80514ab31e7013b66434b62c6bdcecc1

SHA512
30f9686eab62e976ccb2528277de4b01ce8287099deeb0ff0d71853b2f174af6cfe6ec8418bac8e48d1b8238e41092ebd76d100f7d12a10d32aeb9c50d21d700

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
36f8772daaf3d5bef5f0168a8640e81a

SHA1
312435761f6749413ef260713e961fb4c5522cbf

SHA256
e7683a0434d07f35f1be3a9726db68d250aa9b093ed922c2837c08efa719609c

SHA512
23189c22c54459a5a9925f24a4152c34b96a8f1bf764b5d971b3bab4bb9489af757b28e81addedf1f8a5a0c84ef3fabf3d58a7c9d728e0bef68e537f637f317f

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
36f8772daaf3d5bef5f0168a8640e81a

SHA1
312435761f6749413ef260713e961fb4c5522cbf

SHA256
e7683a0434d07f35f1be3a9726db68d250aa9b093ed922c2837c08efa719609c

SHA512
23189c22c54459a5a9925f24a4152c34b96a8f1bf764b5d971b3bab4bb9489af757b28e81addedf1f8a5a0c84ef3fabf3d58a7c9d728e0bef68e537f637f317f

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
36f8772daaf3d5bef5f0168a8640e81a

SHA1
312435761f6749413ef260713e961fb4c5522cbf

SHA256
e7683a0434d07f35f1be3a9726db68d250aa9b093ed922c2837c08efa719609c

SHA512
23189c22c54459a5a9925f24a4152c34b96a8f1bf764b5d971b3bab4bb9489af757b28e81addedf1f8a5a0c84ef3fabf3d58a7c9d728e0bef68e537f637f317f

Download Submit
memory/900-16-0x0000000000000000-mapping.dmp

Download
memory/972-8-0x00000000074D0000-0x00000000074DE000-memory.dmp

Filesize
56KB

Download
memory/972-6-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/972-10-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/972-3-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/972-5-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/972-9-0x00000000077B0000-0x000000000783C000-memory.dmp

Filesize
560KB

Download
memory/972-7-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/972-2-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/1008-30-0x0000000000413FA4-mapping.dmp

Download
memory/1008-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1152-17-0x0000000000000000-mapping.dmp

Download
memory/1152-20-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-14-0x0000000000000000-mapping.dmp

Download
memory/4076-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4076-12-0x0000000000413FA4-mapping.dmp

Download
memory/4076-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads