remcos | a2925ab4b7c0267fb273b9125b81673c84525a2e974119dd6c6f3c10ac6675f5

General

Target

Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
Size

290KB
MD5

e8f7d121f3d4e0d641a12895c7b287ac
SHA1

17757b821ee9b081fcc142dcc7aff5a147de6095
SHA256

a2925ab4b7c0267fb273b9125b81673c84525a2e974119dd6c6f3c10ac6675f5
SHA512

2ff90e19afd3e9cc902c105ec861b0927b0b665c38b908f4a6f619a75f6568dfa0538900ce44699a7f2e6897d8ae6dabf7addb88b39d47f66edfadf241bdb2ed

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

www.maneediem.com:2404

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 4 IoCs

Processes:

owerrinta.exeowerrinta.exeowerrinta.exeowerrinta.exe

pid process

2252 owerrinta.exe
3640 owerrinta.exe
812 owerrinta.exe
1140 owerrinta.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

696 WScript.exe

pid	process
2252	owerrinta.exe
3640	owerrinta.exe
812	owerrinta.exe
1140	owerrinta.exe

pid	process
696	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exeowerrinta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\owerrita = "\"C:\\Users\\Admin\\AppData\\Roaming\\owerri\\owerrinta.exe\""	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	owerrinta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\owerrita = "\"C:\\Users\\Admin\\AppData\\Roaming\\owerri\\owerrinta.exe\""	owerrinta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exeowerrinta.exe

description	pid	process	target process
PID 648 set thread context of 4068	648	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
PID 812 set thread context of 1140	812	owerrinta.exe	owerrinta.exe

Modifies registry class 1 IoCs

Processes:

Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exeowerrinta.exeowerrinta.exe

pid process

648 Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
2252 owerrinta.exe
812 owerrinta.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

owerrinta.exe

pid process

1140 owerrinta.exe

pid	process
648	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
2252	owerrinta.exe
812	owerrinta.exe

pid	process
1140	owerrinta.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exeSydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exeWScript.execmd.exeowerrinta.exeowerrinta.exe

description	pid	process	target process
PID 648 wrote to memory of 4068	648	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
PID 648 wrote to memory of 4068	648	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
PID 648 wrote to memory of 4068	648	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
PID 648 wrote to memory of 4068	648	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
PID 4068 wrote to memory of 696	4068	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe	WScript.exe
PID 4068 wrote to memory of 696	4068	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe	WScript.exe
PID 4068 wrote to memory of 696	4068	Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe	WScript.exe
PID 696 wrote to memory of 2308	696	WScript.exe	cmd.exe
PID 696 wrote to memory of 2308	696	WScript.exe	cmd.exe
PID 696 wrote to memory of 2308	696	WScript.exe	cmd.exe
PID 2308 wrote to memory of 2252	2308	cmd.exe	owerrinta.exe
PID 2308 wrote to memory of 2252	2308	cmd.exe	owerrinta.exe
PID 2308 wrote to memory of 2252	2308	cmd.exe	owerrinta.exe
PID 2252 wrote to memory of 3640	2252	owerrinta.exe	owerrinta.exe
PID 2252 wrote to memory of 3640	2252	owerrinta.exe	owerrinta.exe
PID 2252 wrote to memory of 3640	2252	owerrinta.exe	owerrinta.exe
PID 2252 wrote to memory of 812	2252	owerrinta.exe	owerrinta.exe
PID 2252 wrote to memory of 812	2252	owerrinta.exe	owerrinta.exe
PID 2252 wrote to memory of 812	2252	owerrinta.exe	owerrinta.exe
PID 812 wrote to memory of 1140	812	owerrinta.exe	owerrinta.exe
PID 812 wrote to memory of 1140	812	owerrinta.exe	owerrinta.exe
PID 812 wrote to memory of 1140	812	owerrinta.exe	owerrinta.exe
PID 812 wrote to memory of 1140	812	owerrinta.exe	owerrinta.exe

C:\Users\Admin\AppData\Local\Temp\Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
"C:\Users\Admin\AppData\Local\Temp\Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe
"C:\Users\Admin\AppData\Local\Temp\Sydler_Remedies_PO-SCAN-3K4RQ4WPJ4.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
6⤵
- Executes dropped EXE
PID:3640

C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
"C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
"C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
cf41587b4d8b0e225200704be70b24fe

SHA1
0036c9bfb6fd7f8ac76620e051fb98a09a6bfa1f

SHA256
7bf6b05f5d0dd921e35ddefc7ea7c84c29ab7b27f30f8e3e918a591b4ff97dcd

SHA512
8aae23f935e3f167890c4a2add610bf696b74618aa1f40c65560df48f38f79b04a7155217497cd402cab7bd5f401211a8721fd90fa3a76e1f96aa9d919e61935

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
e8f7d121f3d4e0d641a12895c7b287ac

SHA1
17757b821ee9b081fcc142dcc7aff5a147de6095

SHA256
a2925ab4b7c0267fb273b9125b81673c84525a2e974119dd6c6f3c10ac6675f5

SHA512
2ff90e19afd3e9cc902c105ec861b0927b0b665c38b908f4a6f619a75f6568dfa0538900ce44699a7f2e6897d8ae6dabf7addb88b39d47f66edfadf241bdb2ed

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
e8f7d121f3d4e0d641a12895c7b287ac

SHA1
17757b821ee9b081fcc142dcc7aff5a147de6095

SHA256
a2925ab4b7c0267fb273b9125b81673c84525a2e974119dd6c6f3c10ac6675f5

SHA512
2ff90e19afd3e9cc902c105ec861b0927b0b665c38b908f4a6f619a75f6568dfa0538900ce44699a7f2e6897d8ae6dabf7addb88b39d47f66edfadf241bdb2ed

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
e8f7d121f3d4e0d641a12895c7b287ac

SHA1
17757b821ee9b081fcc142dcc7aff5a147de6095

SHA256
a2925ab4b7c0267fb273b9125b81673c84525a2e974119dd6c6f3c10ac6675f5

SHA512
2ff90e19afd3e9cc902c105ec861b0927b0b665c38b908f4a6f619a75f6568dfa0538900ce44699a7f2e6897d8ae6dabf7addb88b39d47f66edfadf241bdb2ed

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
e8f7d121f3d4e0d641a12895c7b287ac

SHA1
17757b821ee9b081fcc142dcc7aff5a147de6095

SHA256
a2925ab4b7c0267fb273b9125b81673c84525a2e974119dd6c6f3c10ac6675f5

SHA512
2ff90e19afd3e9cc902c105ec861b0927b0b665c38b908f4a6f619a75f6568dfa0538900ce44699a7f2e6897d8ae6dabf7addb88b39d47f66edfadf241bdb2ed

Download Submit
C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
MD5
e8f7d121f3d4e0d641a12895c7b287ac

SHA1
17757b821ee9b081fcc142dcc7aff5a147de6095

SHA256
a2925ab4b7c0267fb273b9125b81673c84525a2e974119dd6c6f3c10ac6675f5

SHA512
2ff90e19afd3e9cc902c105ec861b0927b0b665c38b908f4a6f619a75f6568dfa0538900ce44699a7f2e6897d8ae6dabf7addb88b39d47f66edfadf241bdb2ed

Download Submit
memory/696-3-0x0000000000000000-mapping.dmp

Download
memory/812-11-0x0000000000000000-mapping.dmp

Download
memory/1140-13-0x0000000000413FA4-mapping.dmp

Download
memory/1140-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2252-7-0x0000000000000000-mapping.dmp

Download
memory/2308-6-0x0000000000000000-mapping.dmp

Download
memory/4068-2-0x0000000000413FA4-mapping.dmp

Download
memory/4068-5-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads