remcos | 473b4ab8742767a11514ea136e35f227add4d742c06ae7ceefc93553c8931e7b

General

Target

DHL-E-NOTIFICATION.scr
Size

80KB
MD5

dd1695e8557df09f1104d4a77155de69
SHA1

d17f5e33f9c9bef7eb2bf8f8b8d0596e7a1ae70a
SHA256

473b4ab8742767a11514ea136e35f227add4d742c06ae7ceefc93553c8931e7b
SHA512

f80ef0f993f270dedc2b266594ddf61963efd3fa2479941fb96eaff805c3ff3c54a26bd24460fca80775cd7a641fecbbf0503eae432991830906225fceea7f2f

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DHL-E-NOTIFICATION.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	DHL-E-NOTIFICATION.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Trioicous = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TRABECULA\\tjrnebuskes.vbs"	DHL-E-NOTIFICATION.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

DHL-E-NOTIFICATION.scrDHL-E-NOTIFICATION.scr

pid process

1852 DHL-E-NOTIFICATION.scr
1644 DHL-E-NOTIFICATION.scr
1644 DHL-E-NOTIFICATION.scr
Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL-E-NOTIFICATION.scr

description pid process target process

PID 1852 set thread context of 1644 1852 DHL-E-NOTIFICATION.scr DHL-E-NOTIFICATION.scr
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

428 reg.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

DHL-E-NOTIFICATION.scr

pid process

1852 DHL-E-NOTIFICATION.scr
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

DHL-E-NOTIFICATION.scrDHL-E-NOTIFICATION.scr

pid process

1852 DHL-E-NOTIFICATION.scr
1644 DHL-E-NOTIFICATION.scr

pid	process
1852	DHL-E-NOTIFICATION.scr
1644	DHL-E-NOTIFICATION.scr
1644	DHL-E-NOTIFICATION.scr

description	pid	process	target process
PID 1852 set thread context of 1644	1852	DHL-E-NOTIFICATION.scr	DHL-E-NOTIFICATION.scr

pid	process
428	reg.exe

pid	process
1852	DHL-E-NOTIFICATION.scr

pid	process
1852	DHL-E-NOTIFICATION.scr
1644	DHL-E-NOTIFICATION.scr

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

DHL-E-NOTIFICATION.scrDHL-E-NOTIFICATION.scrcmd.exe

description	pid	process	target process
PID 1852 wrote to memory of 1644	1852	DHL-E-NOTIFICATION.scr	DHL-E-NOTIFICATION.scr
PID 1852 wrote to memory of 1644	1852	DHL-E-NOTIFICATION.scr	DHL-E-NOTIFICATION.scr
PID 1852 wrote to memory of 1644	1852	DHL-E-NOTIFICATION.scr	DHL-E-NOTIFICATION.scr
PID 1852 wrote to memory of 1644	1852	DHL-E-NOTIFICATION.scr	DHL-E-NOTIFICATION.scr
PID 1852 wrote to memory of 1644	1852	DHL-E-NOTIFICATION.scr	DHL-E-NOTIFICATION.scr
PID 1644 wrote to memory of 1060	1644	DHL-E-NOTIFICATION.scr	cmd.exe
PID 1644 wrote to memory of 1060	1644	DHL-E-NOTIFICATION.scr	cmd.exe
PID 1644 wrote to memory of 1060	1644	DHL-E-NOTIFICATION.scr	cmd.exe
PID 1644 wrote to memory of 1060	1644	DHL-E-NOTIFICATION.scr	cmd.exe
PID 1060 wrote to memory of 428	1060	cmd.exe	reg.exe
PID 1060 wrote to memory of 428	1060	cmd.exe	reg.exe
PID 1060 wrote to memory of 428	1060	cmd.exe	reg.exe
PID 1060 wrote to memory of 428	1060	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr
"C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr" /S
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr
"C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr" /S
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-7-0x0000000000000000-mapping.dmp

Download
memory/1060-6-0x0000000000000000-mapping.dmp

Download
memory/1164-5-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp

Filesize
2.5MB

Download
memory/1644-4-0x0000000000401530-mapping.dmp

Download

Analysis

Sharing