remcos | 4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7

General

Target

PO-Scan-Documents00012910993993.exe
Size

177KB
MD5

a2c17f6556ae89a8a1683f889bffc7e9
SHA1

cf2aa59cc8e074dfd3d72b052beef746aba1fe6a
SHA256

4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7
SHA512

9f18670e24387969db2fee5cbc9698cfdac86997d1b5ac63e39cf973e0170473440ed3cd0a130ab00b339bf89802b14da425f52bb5c62c651eea0c486a993b37

Score

10^/10

remcos persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

owerrinta.exeowerrinta.exeowerrinta.exe

pid process

752 owerrinta.exe
860 owerrinta.exe
1180 owerrinta.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1816 WScript.exe

pid	process
752	owerrinta.exe
860	owerrinta.exe
1180	owerrinta.exe

pid	process
1816	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PO-Scan-Documents00012910993993.exeowerrinta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PO-Scan-Documents00012910993993.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\owerrita = "\"C:\\Users\\Admin\\AppData\\Roaming\\owerri\\owerrinta.exe\""	PO-Scan-Documents00012910993993.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	owerrinta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\owerrita = "\"C:\\Users\\Admin\\AppData\\Roaming\\owerri\\owerrinta.exe\""	owerrinta.exe

Modifies registry class 1 IoCs

Processes:

PO-Scan-Documents00012910993993.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	PO-Scan-Documents00012910993993.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

owerrinta.exe

pid process

1180 owerrinta.exe

pid	process
1180	owerrinta.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

PO-Scan-Documents00012910993993.exePO-Scan-Documents00012910993993.exeWScript.execmd.exeowerrinta.exeowerrinta.exe

description	pid	process	target process
PID 756 wrote to memory of 3024	756	PO-Scan-Documents00012910993993.exe	PO-Scan-Documents00012910993993.exe
PID 756 wrote to memory of 3024	756	PO-Scan-Documents00012910993993.exe	PO-Scan-Documents00012910993993.exe
PID 756 wrote to memory of 3024	756	PO-Scan-Documents00012910993993.exe	PO-Scan-Documents00012910993993.exe
PID 3024 wrote to memory of 1816	3024	PO-Scan-Documents00012910993993.exe	WScript.exe
PID 3024 wrote to memory of 1816	3024	PO-Scan-Documents00012910993993.exe	WScript.exe
PID 3024 wrote to memory of 1816	3024	PO-Scan-Documents00012910993993.exe	WScript.exe
PID 1816 wrote to memory of 3292	1816	WScript.exe	cmd.exe
PID 1816 wrote to memory of 3292	1816	WScript.exe	cmd.exe
PID 1816 wrote to memory of 3292	1816	WScript.exe	cmd.exe
PID 3292 wrote to memory of 752	3292	cmd.exe	owerrinta.exe
PID 3292 wrote to memory of 752	3292	cmd.exe	owerrinta.exe
PID 3292 wrote to memory of 752	3292	cmd.exe	owerrinta.exe
PID 752 wrote to memory of 860	752	owerrinta.exe	owerrinta.exe
PID 752 wrote to memory of 860	752	owerrinta.exe	owerrinta.exe
PID 752 wrote to memory of 860	752	owerrinta.exe	owerrinta.exe
PID 860 wrote to memory of 1180	860	owerrinta.exe	owerrinta.exe
PID 860 wrote to memory of 1180	860	owerrinta.exe	owerrinta.exe
PID 860 wrote to memory of 1180	860	owerrinta.exe	owerrinta.exe

C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe
"C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe
  "C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe"
  2⤵
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
        
        C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:752
      - C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
        
        "C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
        
        "C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
9e135ae175d8ca757b78131835f5e729

SHA1
fcd3722e6c77d35886a83c05fa3cd7bf5f43619d

SHA256
17558302b8a73bb2bd3da41948c3e6285ffa13c365fdc401b9ca69a49caac031

SHA512
9c28aa019fe942d81bdee0ae100e27c155c588c5328446935858ffffaaf9656974e0b161180ec35e76f5f161b4f7a8bf289f735c93ab907aea1d2340b3b316ae

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe

MD5
a2c17f6556ae89a8a1683f889bffc7e9

SHA1
cf2aa59cc8e074dfd3d72b052beef746aba1fe6a

SHA256
4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7

SHA512
9f18670e24387969db2fee5cbc9698cfdac86997d1b5ac63e39cf973e0170473440ed3cd0a130ab00b339bf89802b14da425f52bb5c62c651eea0c486a993b37

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe

MD5
a2c17f6556ae89a8a1683f889bffc7e9

SHA1
cf2aa59cc8e074dfd3d72b052beef746aba1fe6a

SHA256
4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7

SHA512
9f18670e24387969db2fee5cbc9698cfdac86997d1b5ac63e39cf973e0170473440ed3cd0a130ab00b339bf89802b14da425f52bb5c62c651eea0c486a993b37

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe

MD5
a2c17f6556ae89a8a1683f889bffc7e9

SHA1
cf2aa59cc8e074dfd3d72b052beef746aba1fe6a

SHA256
4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7

SHA512
9f18670e24387969db2fee5cbc9698cfdac86997d1b5ac63e39cf973e0170473440ed3cd0a130ab00b339bf89802b14da425f52bb5c62c651eea0c486a993b37

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe

MD5
a2c17f6556ae89a8a1683f889bffc7e9

SHA1
cf2aa59cc8e074dfd3d72b052beef746aba1fe6a

SHA256
4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7

SHA512
9f18670e24387969db2fee5cbc9698cfdac86997d1b5ac63e39cf973e0170473440ed3cd0a130ab00b339bf89802b14da425f52bb5c62c651eea0c486a993b37

Download Submit
memory/752-6-0x0000000000000000-mapping.dmp

Download
memory/860-9-0x0000000000000000-mapping.dmp

Download
memory/1180-11-0x0000000000000000-mapping.dmp

Download
memory/1816-3-0x0000000000000000-mapping.dmp

Download
memory/3024-2-0x0000000000000000-mapping.dmp

Download
memory/3292-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads