remcos | f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84

General

Target

4d7715c57054b475521b9528f50d5585.exe
Size

1.3MB
MD5

4d7715c57054b475521b9528f50d5585
SHA1

38a843f92b5d06d522bb06b3b2c158eb45ec5f26
SHA256

f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84
SHA512

011264fdb4ad9009095ff231961d250953b4736fa5b0dd3eb2b2c50d93670d4645bf53ed26bad67aabf548388b9eea330df5fe6616d91b8a42ce9c503ad3bc84

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu:1996

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

win.exewin.exewin.exe

pid process

340 win.exe
760 win.exe
1204 win.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

436 cmd.exe
436 cmd.exe

pid	process
340	win.exe
760	win.exe
1204	win.exe

pid	process
436	cmd.exe
436	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4d7715c57054b475521b9528f50d5585.exewin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	4d7715c57054b475521b9528f50d5585.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	4d7715c57054b475521b9528f50d5585.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	win.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	win.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

4d7715c57054b475521b9528f50d5585.exewin.exe

pid	process
1688	4d7715c57054b475521b9528f50d5585.exe
1688	4d7715c57054b475521b9528f50d5585.exe
1688	4d7715c57054b475521b9528f50d5585.exe
1688	4d7715c57054b475521b9528f50d5585.exe
1688	4d7715c57054b475521b9528f50d5585.exe
1688	4d7715c57054b475521b9528f50d5585.exe
1688	4d7715c57054b475521b9528f50d5585.exe
340	win.exe
340	win.exe
340	win.exe
340	win.exe
340	win.exe
340	win.exe
340	win.exe
340	win.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4d7715c57054b475521b9528f50d5585.exewin.exe

description	pid	process	target process
PID 1688 set thread context of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 340 set thread context of 1204	340	win.exe	win.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

628 1688 WerFault.exe 4d7715c57054b475521b9528f50d5585.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1320 timeout.exe
1704 timeout.exe
324 timeout.exe
1392 timeout.exe
872 timeout.exe
296 timeout.exe

pid	pid_target	process	target process
628	1688	WerFault.exe	4d7715c57054b475521b9528f50d5585.exe

pid	process
1320	timeout.exe
1704	timeout.exe
324	timeout.exe
1392	timeout.exe
872	timeout.exe
296	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

4d7715c57054b475521b9528f50d5585.exeWerFault.exewin.exe

pid	process
1688	4d7715c57054b475521b9528f50d5585.exe
1688	4d7715c57054b475521b9528f50d5585.exe
1688	4d7715c57054b475521b9528f50d5585.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe
340	win.exe
340	win.exe
340	win.exe
340	win.exe
340	win.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

4d7715c57054b475521b9528f50d5585.exeWerFault.exewin.exe

description	pid	process
Token: SeDebugPrivilege	1688	4d7715c57054b475521b9528f50d5585.exe
Token: SeDebugPrivilege	628	WerFault.exe
Token: SeDebugPrivilege	340	win.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

win.exe

pid process

1204 win.exe

pid	process
1204	win.exe

Suspicious use of WriteProcessMemory 90 IoCs

Processes:

4d7715c57054b475521b9528f50d5585.execmd.execmd.execmd.exe4d7715c57054b475521b9528f50d5585.exeWScript.execmd.exewin.execmd.execmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 1768	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1688 wrote to memory of 1768	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1688 wrote to memory of 1768	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1688 wrote to memory of 1768	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1768 wrote to memory of 1392	1768	cmd.exe	timeout.exe
PID 1768 wrote to memory of 1392	1768	cmd.exe	timeout.exe
PID 1768 wrote to memory of 1392	1768	cmd.exe	timeout.exe
PID 1768 wrote to memory of 1392	1768	cmd.exe	timeout.exe
PID 1688 wrote to memory of 1664	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1688 wrote to memory of 1664	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1688 wrote to memory of 1664	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1688 wrote to memory of 1664	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1664 wrote to memory of 872	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 872	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 872	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 872	1664	cmd.exe	timeout.exe
PID 1688 wrote to memory of 1496	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1688 wrote to memory of 1496	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1688 wrote to memory of 1496	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1688 wrote to memory of 1496	1688	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1496 wrote to memory of 296	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 296	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 296	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 296	1496	cmd.exe	timeout.exe
PID 1688 wrote to memory of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1688 wrote to memory of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1688 wrote to memory of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1688 wrote to memory of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1688 wrote to memory of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1688 wrote to memory of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1688 wrote to memory of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1688 wrote to memory of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1688 wrote to memory of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1688 wrote to memory of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1688 wrote to memory of 1088	1688	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1088 wrote to memory of 1336	1088	4d7715c57054b475521b9528f50d5585.exe	WScript.exe
PID 1088 wrote to memory of 1336	1088	4d7715c57054b475521b9528f50d5585.exe	WScript.exe
PID 1088 wrote to memory of 1336	1088	4d7715c57054b475521b9528f50d5585.exe	WScript.exe
PID 1088 wrote to memory of 1336	1088	4d7715c57054b475521b9528f50d5585.exe	WScript.exe
PID 1688 wrote to memory of 628	1688	4d7715c57054b475521b9528f50d5585.exe	WerFault.exe
PID 1688 wrote to memory of 628	1688	4d7715c57054b475521b9528f50d5585.exe	WerFault.exe
PID 1688 wrote to memory of 628	1688	4d7715c57054b475521b9528f50d5585.exe	WerFault.exe
PID 1688 wrote to memory of 628	1688	4d7715c57054b475521b9528f50d5585.exe	WerFault.exe
PID 1336 wrote to memory of 436	1336	WScript.exe	cmd.exe
PID 1336 wrote to memory of 436	1336	WScript.exe	cmd.exe
PID 1336 wrote to memory of 436	1336	WScript.exe	cmd.exe
PID 1336 wrote to memory of 436	1336	WScript.exe	cmd.exe
PID 436 wrote to memory of 340	436	cmd.exe	win.exe
PID 436 wrote to memory of 340	436	cmd.exe	win.exe
PID 436 wrote to memory of 340	436	cmd.exe	win.exe
PID 436 wrote to memory of 340	436	cmd.exe	win.exe
PID 340 wrote to memory of 1376	340	win.exe	cmd.exe
PID 340 wrote to memory of 1376	340	win.exe	cmd.exe
PID 340 wrote to memory of 1376	340	win.exe	cmd.exe
PID 340 wrote to memory of 1376	340	win.exe	cmd.exe
PID 1376 wrote to memory of 1320	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 1320	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 1320	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 1320	1376	cmd.exe	timeout.exe
PID 340 wrote to memory of 620	340	win.exe	cmd.exe
PID 340 wrote to memory of 620	340	win.exe	cmd.exe
PID 340 wrote to memory of 620	340	win.exe	cmd.exe
PID 340 wrote to memory of 620	340	win.exe	cmd.exe
PID 620 wrote to memory of 1704	620	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\4d7715c57054b475521b9528f50d5585.exe
"C:\Users\Admin\AppData\Local\Temp\4d7715c57054b475521b9528f50d5585.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:296

C:\Users\Admin\AppData\Local\Temp\4d7715c57054b475521b9528f50d5585.exe
"C:\Users\Admin\AppData\Local\Temp\4d7715c57054b475521b9528f50d5585.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\win.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Roaming\win.exe
C:\Users\Admin\AppData\Roaming\win.exe
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
PID:1124

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:324

C:\Users\Admin\AppData\Roaming\win.exe
"C:\Users\Admin\AppData\Roaming\win.exe"
6⤵
- Executes dropped EXE
PID:760

C:\Users\Admin\AppData\Roaming\win.exe
"C:\Users\Admin\AppData\Roaming\win.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 952
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
4a74e626596d6e66b4bbc59ee6848f2d

SHA1
047849ac8735ecc0943428c7cd5e00b52eee06ed

SHA256
98bd6dc219a7a3e04d3d67bbec9f0b4d4640831a3a6be0a0078b050041088b0e

SHA512
1cd943482d0f1ce2ffaf6ee4a82895e4d57c52051bb14bbda0548cf072b4c5cbe719d2cdb549b5ae7c0241dd9c68dd9d1674acd26aed684b8145500079cc5403

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
4d7715c57054b475521b9528f50d5585

SHA1
38a843f92b5d06d522bb06b3b2c158eb45ec5f26

SHA256
f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84

SHA512
011264fdb4ad9009095ff231961d250953b4736fa5b0dd3eb2b2c50d93670d4645bf53ed26bad67aabf548388b9eea330df5fe6616d91b8a42ce9c503ad3bc84

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
4d7715c57054b475521b9528f50d5585

SHA1
38a843f92b5d06d522bb06b3b2c158eb45ec5f26

SHA256
f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84

SHA512
011264fdb4ad9009095ff231961d250953b4736fa5b0dd3eb2b2c50d93670d4645bf53ed26bad67aabf548388b9eea330df5fe6616d91b8a42ce9c503ad3bc84

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
4d7715c57054b475521b9528f50d5585

SHA1
38a843f92b5d06d522bb06b3b2c158eb45ec5f26

SHA256
f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84

SHA512
011264fdb4ad9009095ff231961d250953b4736fa5b0dd3eb2b2c50d93670d4645bf53ed26bad67aabf548388b9eea330df5fe6616d91b8a42ce9c503ad3bc84

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
4d7715c57054b475521b9528f50d5585

SHA1
38a843f92b5d06d522bb06b3b2c158eb45ec5f26

SHA256
f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84

SHA512
011264fdb4ad9009095ff231961d250953b4736fa5b0dd3eb2b2c50d93670d4645bf53ed26bad67aabf548388b9eea330df5fe6616d91b8a42ce9c503ad3bc84

Download Submit
\Users\Admin\AppData\Roaming\win.exe
MD5
4d7715c57054b475521b9528f50d5585

SHA1
38a843f92b5d06d522bb06b3b2c158eb45ec5f26

SHA256
f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84

SHA512
011264fdb4ad9009095ff231961d250953b4736fa5b0dd3eb2b2c50d93670d4645bf53ed26bad67aabf548388b9eea330df5fe6616d91b8a42ce9c503ad3bc84

Download Submit
\Users\Admin\AppData\Roaming\win.exe
MD5
4d7715c57054b475521b9528f50d5585

SHA1
38a843f92b5d06d522bb06b3b2c158eb45ec5f26

SHA256
f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84

SHA512
011264fdb4ad9009095ff231961d250953b4736fa5b0dd3eb2b2c50d93670d4645bf53ed26bad67aabf548388b9eea330df5fe6616d91b8a42ce9c503ad3bc84

Download Submit
memory/296-12-0x0000000000000000-mapping.dmp

Download
memory/324-42-0x0000000000000000-mapping.dmp

Download
memory/340-33-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/340-38-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/340-32-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/340-29-0x0000000000000000-mapping.dmp

Download
memory/436-24-0x0000000000000000-mapping.dmp

Download
memory/620-39-0x0000000000000000-mapping.dmp

Download
memory/628-31-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/628-17-0x0000000000000000-mapping.dmp

Download
memory/628-18-0x0000000001E90000-0x0000000001EA1000-memory.dmp

Filesize
68KB

Download
memory/872-10-0x0000000000000000-mapping.dmp

Download
memory/1088-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1088-14-0x0000000000413FA4-mapping.dmp

Download
memory/1088-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1088-15-0x0000000074B31000-0x0000000074B33000-memory.dmp

Filesize
8KB

Download
memory/1124-41-0x0000000000000000-mapping.dmp

Download
memory/1204-45-0x0000000000413FA4-mapping.dmp

Download
memory/1204-48-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1320-37-0x0000000000000000-mapping.dmp

Download
memory/1336-25-0x00000000026A0000-0x00000000026A4000-memory.dmp

Filesize
16KB

Download
memory/1336-16-0x0000000000000000-mapping.dmp

Download
memory/1376-36-0x0000000000000000-mapping.dmp

Download
memory/1392-8-0x0000000000000000-mapping.dmp

Download
memory/1496-11-0x0000000000000000-mapping.dmp

Download
memory/1664-9-0x0000000000000000-mapping.dmp

Download
memory/1688-2-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1688-6-0x0000000000930000-0x000000000095F000-memory.dmp

Filesize
188KB

Download
memory/1688-5-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1688-3-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1704-40-0x0000000000000000-mapping.dmp

Download
memory/1768-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads