remcos | f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84

General

Target

4d7715c57054b475521b9528f50d5585.exe
Size

1.3MB
MD5

4d7715c57054b475521b9528f50d5585
SHA1

38a843f92b5d06d522bb06b3b2c158eb45ec5f26
SHA256

f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84
SHA512

011264fdb4ad9009095ff231961d250953b4736fa5b0dd3eb2b2c50d93670d4645bf53ed26bad67aabf548388b9eea330df5fe6616d91b8a42ce9c503ad3bc84

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu:1996

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

win.exewin.exe

pid process

1036 win.exe
3520 win.exe

pid	process
1036	win.exe
3520	win.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

win.exe4d7715c57054b475521b9528f50d5585.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	win.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	4d7715c57054b475521b9528f50d5585.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	4d7715c57054b475521b9528f50d5585.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	win.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

Processes:

4d7715c57054b475521b9528f50d5585.exewin.exe

pid	process
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1036	win.exe
1036	win.exe
1036	win.exe
1036	win.exe
1036	win.exe
1036	win.exe
1036	win.exe
1036	win.exe
1036	win.exe
1036	win.exe
1036	win.exe
1036	win.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4d7715c57054b475521b9528f50d5585.exewin.exe

description	pid	process	target process
PID 1108 set thread context of 2152	1108	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1036 set thread context of 3520	1036	win.exe	win.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

420 1108 WerFault.exe 4d7715c57054b475521b9528f50d5585.exe
1576 1036 WerFault.exe win.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

2096 timeout.exe
3024 timeout.exe
4016 timeout.exe
512 timeout.exe
3616 timeout.exe
8 timeout.exe

pid	pid_target	process	target process
420	1108	WerFault.exe	4d7715c57054b475521b9528f50d5585.exe
1576	1036	WerFault.exe	win.exe

pid	process
2096	timeout.exe
3024	timeout.exe
4016	timeout.exe
512	timeout.exe
3616	timeout.exe
8	timeout.exe

Modifies registry class 1 IoCs

Processes:

4d7715c57054b475521b9528f50d5585.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	4d7715c57054b475521b9528f50d5585.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

4d7715c57054b475521b9528f50d5585.exeWerFault.exewin.exeWerFault.exe

pid	process
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
1108	4d7715c57054b475521b9528f50d5585.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
420	WerFault.exe
1036	win.exe
1036	win.exe
1036	win.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

win.exe

pid process

3520 win.exe

pid	process
3520	win.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

4d7715c57054b475521b9528f50d5585.exeWerFault.exewin.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1108	4d7715c57054b475521b9528f50d5585.exe
Token: SeRestorePrivilege	420	WerFault.exe
Token: SeBackupPrivilege	420	WerFault.exe
Token: SeDebugPrivilege	420	WerFault.exe
Token: SeDebugPrivilege	1036	win.exe
Token: SeDebugPrivilege	1576	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

win.exe

pid process

3520 win.exe

pid	process
3520	win.exe

Suspicious use of WriteProcessMemory 65 IoCs

Processes:

4d7715c57054b475521b9528f50d5585.execmd.execmd.execmd.exe4d7715c57054b475521b9528f50d5585.exeWScript.execmd.exewin.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1108 wrote to memory of 2760	1108	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1108 wrote to memory of 2760	1108	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1108 wrote to memory of 2760	1108	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 2760 wrote to memory of 8	2760	cmd.exe	timeout.exe
PID 2760 wrote to memory of 8	2760	cmd.exe	timeout.exe
PID 2760 wrote to memory of 8	2760	cmd.exe	timeout.exe
PID 1108 wrote to memory of 3944	1108	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1108 wrote to memory of 3944	1108	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1108 wrote to memory of 3944	1108	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 3944 wrote to memory of 2096	3944	cmd.exe	timeout.exe
PID 3944 wrote to memory of 2096	3944	cmd.exe	timeout.exe
PID 3944 wrote to memory of 2096	3944	cmd.exe	timeout.exe
PID 1108 wrote to memory of 3668	1108	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1108 wrote to memory of 3668	1108	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 1108 wrote to memory of 3668	1108	4d7715c57054b475521b9528f50d5585.exe	cmd.exe
PID 3668 wrote to memory of 3024	3668	cmd.exe	timeout.exe
PID 3668 wrote to memory of 3024	3668	cmd.exe	timeout.exe
PID 3668 wrote to memory of 3024	3668	cmd.exe	timeout.exe
PID 1108 wrote to memory of 2152	1108	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1108 wrote to memory of 2152	1108	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1108 wrote to memory of 2152	1108	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1108 wrote to memory of 2152	1108	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1108 wrote to memory of 2152	1108	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1108 wrote to memory of 2152	1108	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1108 wrote to memory of 2152	1108	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1108 wrote to memory of 2152	1108	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1108 wrote to memory of 2152	1108	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 1108 wrote to memory of 2152	1108	4d7715c57054b475521b9528f50d5585.exe	4d7715c57054b475521b9528f50d5585.exe
PID 2152 wrote to memory of 740	2152	4d7715c57054b475521b9528f50d5585.exe	WScript.exe
PID 2152 wrote to memory of 740	2152	4d7715c57054b475521b9528f50d5585.exe	WScript.exe
PID 2152 wrote to memory of 740	2152	4d7715c57054b475521b9528f50d5585.exe	WScript.exe
PID 740 wrote to memory of 2520	740	WScript.exe	cmd.exe
PID 740 wrote to memory of 2520	740	WScript.exe	cmd.exe
PID 740 wrote to memory of 2520	740	WScript.exe	cmd.exe
PID 2520 wrote to memory of 1036	2520	cmd.exe	win.exe
PID 2520 wrote to memory of 1036	2520	cmd.exe	win.exe
PID 2520 wrote to memory of 1036	2520	cmd.exe	win.exe
PID 1036 wrote to memory of 1468	1036	win.exe	cmd.exe
PID 1036 wrote to memory of 1468	1036	win.exe	cmd.exe
PID 1036 wrote to memory of 1468	1036	win.exe	cmd.exe
PID 1468 wrote to memory of 4016	1468	cmd.exe	timeout.exe
PID 1468 wrote to memory of 4016	1468	cmd.exe	timeout.exe
PID 1468 wrote to memory of 4016	1468	cmd.exe	timeout.exe
PID 1036 wrote to memory of 3100	1036	win.exe	cmd.exe
PID 1036 wrote to memory of 3100	1036	win.exe	cmd.exe
PID 1036 wrote to memory of 3100	1036	win.exe	cmd.exe
PID 3100 wrote to memory of 512	3100	cmd.exe	timeout.exe
PID 3100 wrote to memory of 512	3100	cmd.exe	timeout.exe
PID 3100 wrote to memory of 512	3100	cmd.exe	timeout.exe
PID 1036 wrote to memory of 200	1036	win.exe	cmd.exe
PID 1036 wrote to memory of 200	1036	win.exe	cmd.exe
PID 1036 wrote to memory of 200	1036	win.exe	cmd.exe
PID 200 wrote to memory of 3616	200	cmd.exe	timeout.exe
PID 200 wrote to memory of 3616	200	cmd.exe	timeout.exe
PID 200 wrote to memory of 3616	200	cmd.exe	timeout.exe
PID 1036 wrote to memory of 3520	1036	win.exe	win.exe
PID 1036 wrote to memory of 3520	1036	win.exe	win.exe
PID 1036 wrote to memory of 3520	1036	win.exe	win.exe
PID 1036 wrote to memory of 3520	1036	win.exe	win.exe
PID 1036 wrote to memory of 3520	1036	win.exe	win.exe
PID 1036 wrote to memory of 3520	1036	win.exe	win.exe
PID 1036 wrote to memory of 3520	1036	win.exe	win.exe
PID 1036 wrote to memory of 3520	1036	win.exe	win.exe
PID 1036 wrote to memory of 3520	1036	win.exe	win.exe

C:\Users\Admin\AppData\Local\Temp\4d7715c57054b475521b9528f50d5585.exe
"C:\Users\Admin\AppData\Local\Temp\4d7715c57054b475521b9528f50d5585.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:8

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3024

C:\Users\Admin\AppData\Local\Temp\4d7715c57054b475521b9528f50d5585.exe
"C:\Users\Admin\AppData\Local\Temp\4d7715c57054b475521b9528f50d5585.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\win.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Roaming\win.exe
C:\Users\Admin\AppData\Roaming\win.exe
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:4016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:3616

C:\Users\Admin\AppData\Roaming\win.exe
"C:\Users\Admin\AppData\Roaming\win.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1564
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1556
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
4a74e626596d6e66b4bbc59ee6848f2d

SHA1
047849ac8735ecc0943428c7cd5e00b52eee06ed

SHA256
98bd6dc219a7a3e04d3d67bbec9f0b4d4640831a3a6be0a0078b050041088b0e

SHA512
1cd943482d0f1ce2ffaf6ee4a82895e4d57c52051bb14bbda0548cf072b4c5cbe719d2cdb549b5ae7c0241dd9c68dd9d1674acd26aed684b8145500079cc5403

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
4d7715c57054b475521b9528f50d5585

SHA1
38a843f92b5d06d522bb06b3b2c158eb45ec5f26

SHA256
f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84

SHA512
011264fdb4ad9009095ff231961d250953b4736fa5b0dd3eb2b2c50d93670d4645bf53ed26bad67aabf548388b9eea330df5fe6616d91b8a42ce9c503ad3bc84

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
4d7715c57054b475521b9528f50d5585

SHA1
38a843f92b5d06d522bb06b3b2c158eb45ec5f26

SHA256
f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84

SHA512
011264fdb4ad9009095ff231961d250953b4736fa5b0dd3eb2b2c50d93670d4645bf53ed26bad67aabf548388b9eea330df5fe6616d91b8a42ce9c503ad3bc84

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
4d7715c57054b475521b9528f50d5585

SHA1
38a843f92b5d06d522bb06b3b2c158eb45ec5f26

SHA256
f08283e69eef4b48bec25a82962517ead7c998619d431b6b9eb9b227ad520e84

SHA512
011264fdb4ad9009095ff231961d250953b4736fa5b0dd3eb2b2c50d93670d4645bf53ed26bad67aabf548388b9eea330df5fe6616d91b8a42ce9c503ad3bc84

Download Submit
memory/8-11-0x0000000000000000-mapping.dmp

Download
memory/200-43-0x0000000000000000-mapping.dmp

Download
memory/420-21-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/420-22-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/512-42-0x0000000000000000-mapping.dmp

Download
memory/740-19-0x0000000000000000-mapping.dmp

Download
memory/1036-27-0x0000000000000000-mapping.dmp

Download
memory/1036-30-0x0000000073290000-0x000000007397E000-memory.dmp

Filesize
6.9MB

Download
memory/1036-38-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/1108-12-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/1108-9-0x00000000059C0000-0x00000000059EF000-memory.dmp

Filesize
188KB

Download
memory/1108-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1108-5-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1108-6-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/1108-7-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/1108-8-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/1108-2-0x0000000073290000-0x000000007397E000-memory.dmp

Filesize
6.9MB

Download
memory/1468-39-0x0000000000000000-mapping.dmp

Download
memory/1576-48-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/2096-14-0x0000000000000000-mapping.dmp

Download
memory/2152-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2152-18-0x0000000000413FA4-mapping.dmp

Download
memory/2152-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2520-26-0x0000000000000000-mapping.dmp

Download
memory/2760-10-0x0000000000000000-mapping.dmp

Download
memory/3024-16-0x0000000000000000-mapping.dmp

Download
memory/3100-41-0x0000000000000000-mapping.dmp

Download
memory/3520-46-0x0000000000413FA4-mapping.dmp

Download
memory/3520-49-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3616-44-0x0000000000000000-mapping.dmp

Download
memory/3668-15-0x0000000000000000-mapping.dmp

Download
memory/3944-13-0x0000000000000000-mapping.dmp

Download
memory/4016-40-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads