remcos | 86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

General

Target

75288df36386c8ce9ad16ff78d6cf3ca.exe
Size

1.3MB
MD5

75288df36386c8ce9ad16ff78d6cf3ca
SHA1

3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a
SHA256

86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290
SHA512

7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

vlc.exevlc.exe

pid process

748 vlc.exe
476 vlc.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

600 cmd.exe
600 cmd.exe

pid	process
748	vlc.exe
476	vlc.exe

pid	process
600	cmd.exe
600	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vlc.exe75288df36386c8ce9ad16ff78d6cf3ca.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vlc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	75288df36386c8ce9ad16ff78d6cf3ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	75288df36386c8ce9ad16ff78d6cf3ca.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs

Processes:

75288df36386c8ce9ad16ff78d6cf3ca.exevlc.exe

pid	process
1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
748	vlc.exe
748	vlc.exe
748	vlc.exe
748	vlc.exe
748	vlc.exe
748	vlc.exe
748	vlc.exe
748	vlc.exe
748	vlc.exe
748	vlc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

75288df36386c8ce9ad16ff78d6cf3ca.exevlc.exe

description	pid	process	target process
PID 1576 set thread context of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 748 set thread context of 476	748	vlc.exe	vlc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

824 1576 WerFault.exe 75288df36386c8ce9ad16ff78d6cf3ca.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1916 timeout.exe
1440 timeout.exe
1064 timeout.exe
1996 timeout.exe
1416 timeout.exe
576 timeout.exe

pid	pid_target	process	target process
824	1576	WerFault.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe

pid	process
1916	timeout.exe
1440	timeout.exe
1064	timeout.exe
1996	timeout.exe
1416	timeout.exe
576	timeout.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

75288df36386c8ce9ad16ff78d6cf3ca.exeWerFault.exevlc.exe

pid	process
1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
748	vlc.exe
748	vlc.exe
748	vlc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

75288df36386c8ce9ad16ff78d6cf3ca.exeWerFault.exevlc.exe

description	pid	process
Token: SeDebugPrivilege	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe
Token: SeDebugPrivilege	824	WerFault.exe
Token: SeDebugPrivilege	748	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

476 vlc.exe

pid	process
476	vlc.exe

Suspicious use of WriteProcessMemory 86 IoCs

Processes:

75288df36386c8ce9ad16ff78d6cf3ca.execmd.execmd.execmd.exe75288df36386c8ce9ad16ff78d6cf3ca.exeWScript.execmd.exevlc.execmd.execmd.exe

description	pid	process	target process
PID 1576 wrote to memory of 1916	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1576 wrote to memory of 1916	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1576 wrote to memory of 1916	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1576 wrote to memory of 1916	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1916 wrote to memory of 1996	1916	cmd.exe	timeout.exe
PID 1916 wrote to memory of 1996	1916	cmd.exe	timeout.exe
PID 1916 wrote to memory of 1996	1916	cmd.exe	timeout.exe
PID 1916 wrote to memory of 1996	1916	cmd.exe	timeout.exe
PID 1576 wrote to memory of 1320	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1576 wrote to memory of 1320	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1576 wrote to memory of 1320	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1576 wrote to memory of 1320	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1320 wrote to memory of 1416	1320	cmd.exe	timeout.exe
PID 1320 wrote to memory of 1416	1320	cmd.exe	timeout.exe
PID 1320 wrote to memory of 1416	1320	cmd.exe	timeout.exe
PID 1320 wrote to memory of 1416	1320	cmd.exe	timeout.exe
PID 1576 wrote to memory of 1536	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1576 wrote to memory of 1536	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1576 wrote to memory of 1536	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1576 wrote to memory of 1536	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	cmd.exe
PID 1536 wrote to memory of 576	1536	cmd.exe	timeout.exe
PID 1536 wrote to memory of 576	1536	cmd.exe	timeout.exe
PID 1536 wrote to memory of 576	1536	cmd.exe	timeout.exe
PID 1536 wrote to memory of 576	1536	cmd.exe	timeout.exe
PID 1576 wrote to memory of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 1576 wrote to memory of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 1576 wrote to memory of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 1576 wrote to memory of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 1576 wrote to memory of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 1576 wrote to memory of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 1576 wrote to memory of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 1576 wrote to memory of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 1576 wrote to memory of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 1576 wrote to memory of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 1576 wrote to memory of 1984	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	75288df36386c8ce9ad16ff78d6cf3ca.exe
PID 1576 wrote to memory of 824	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	WerFault.exe
PID 1576 wrote to memory of 824	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	WerFault.exe
PID 1576 wrote to memory of 824	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	WerFault.exe
PID 1576 wrote to memory of 824	1576	75288df36386c8ce9ad16ff78d6cf3ca.exe	WerFault.exe
PID 1984 wrote to memory of 868	1984	75288df36386c8ce9ad16ff78d6cf3ca.exe	WScript.exe
PID 1984 wrote to memory of 868	1984	75288df36386c8ce9ad16ff78d6cf3ca.exe	WScript.exe
PID 1984 wrote to memory of 868	1984	75288df36386c8ce9ad16ff78d6cf3ca.exe	WScript.exe
PID 1984 wrote to memory of 868	1984	75288df36386c8ce9ad16ff78d6cf3ca.exe	WScript.exe
PID 868 wrote to memory of 600	868	WScript.exe	cmd.exe
PID 868 wrote to memory of 600	868	WScript.exe	cmd.exe
PID 868 wrote to memory of 600	868	WScript.exe	cmd.exe
PID 868 wrote to memory of 600	868	WScript.exe	cmd.exe
PID 600 wrote to memory of 748	600	cmd.exe	vlc.exe
PID 600 wrote to memory of 748	600	cmd.exe	vlc.exe
PID 600 wrote to memory of 748	600	cmd.exe	vlc.exe
PID 600 wrote to memory of 748	600	cmd.exe	vlc.exe
PID 748 wrote to memory of 1888	748	vlc.exe	cmd.exe
PID 748 wrote to memory of 1888	748	vlc.exe	cmd.exe
PID 748 wrote to memory of 1888	748	vlc.exe	cmd.exe
PID 748 wrote to memory of 1888	748	vlc.exe	cmd.exe
PID 1888 wrote to memory of 1916	1888	cmd.exe	timeout.exe
PID 1888 wrote to memory of 1916	1888	cmd.exe	timeout.exe
PID 1888 wrote to memory of 1916	1888	cmd.exe	timeout.exe
PID 1888 wrote to memory of 1916	1888	cmd.exe	timeout.exe
PID 748 wrote to memory of 1632	748	vlc.exe	cmd.exe
PID 748 wrote to memory of 1632	748	vlc.exe	cmd.exe
PID 748 wrote to memory of 1632	748	vlc.exe	cmd.exe
PID 748 wrote to memory of 1632	748	vlc.exe	cmd.exe
PID 1632 wrote to memory of 1440	1632	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\75288df36386c8ce9ad16ff78d6cf3ca.exe
"C:\Users\Admin\AppData\Local\Temp\75288df36386c8ce9ad16ff78d6cf3ca.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:576

C:\Users\Admin\AppData\Local\Temp\75288df36386c8ce9ad16ff78d6cf3ca.exe
"C:\Users\Admin\AppData\Local\Temp\75288df36386c8ce9ad16ff78d6cf3ca.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\vlc.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:600

C:\Users\Admin\AppData\Roaming\vlc.exe
C:\Users\Admin\AppData\Roaming\vlc.exe
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:1916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:1440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
PID:1828

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:1064

C:\Users\Admin\AppData\Roaming\vlc.exe
"C:\Users\Admin\AppData\Roaming\vlc.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 932
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
0fd303b21c1a43c6a9078e6f5280ca85

SHA1
0db8f1ae34f4e2e72184e337951fde826c0bd26f

SHA256
5d8c6cfdf8fc198c4fd279487e5c1620ece89e39781c6337f4cb5e111e606ddc

SHA512
be4cdd48940bead0274c7cf08abd9bc75b5db468159cbf883198712d0bb15ad81a069638c628eba62237cfa0a197f845c0d9e1f4727c9608a8d642f7aba38671

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
\Users\Admin\AppData\Roaming\vlc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
\Users\Admin\AppData\Roaming\vlc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
memory/476-46-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/476-44-0x0000000000413FA4-mapping.dmp

Download
memory/576-11-0x0000000000000000-mapping.dmp

Download
memory/600-21-0x0000000000000000-mapping.dmp

Download
memory/748-26-0x0000000000000000-mapping.dmp

Download
memory/748-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/748-29-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/748-28-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/824-15-0x0000000000000000-mapping.dmp

Download
memory/824-17-0x0000000001E20000-0x0000000001E31000-memory.dmp

Filesize
68KB

Download
memory/868-16-0x0000000000000000-mapping.dmp

Download
memory/868-22-0x0000000002640000-0x0000000002644000-memory.dmp

Filesize
16KB

Download
memory/1064-42-0x0000000000000000-mapping.dmp

Download
memory/1320-8-0x0000000000000000-mapping.dmp

Download
memory/1416-9-0x0000000000000000-mapping.dmp

Download
memory/1440-40-0x0000000000000000-mapping.dmp

Download
memory/1536-10-0x0000000000000000-mapping.dmp

Download
memory/1576-2-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/1576-5-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1576-3-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1632-39-0x0000000000000000-mapping.dmp

Download
memory/1828-41-0x0000000000000000-mapping.dmp

Download
memory/1888-37-0x0000000000000000-mapping.dmp

Download
memory/1916-38-0x0000000000000000-mapping.dmp

Download
memory/1916-6-0x0000000000000000-mapping.dmp

Download
memory/1984-13-0x0000000000413FA4-mapping.dmp

Download
memory/1984-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1984-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1996-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads