remcos | 8c6cae9078b175b331c1d6154045deea386850a75e4e2a250fe4f4d920cf1a4a

General

Target

NEWORDERrefno0992883jpg.exe
Size

96KB
MD5

55124bc60c871581f110b6f09e8ee902
SHA1

a198c5115c4d7f9e61a06020c814c2b5b4fba0f8
SHA256

8c6cae9078b175b331c1d6154045deea386850a75e4e2a250fe4f4d920cf1a4a
SHA512

50d7e57ead5baba4435f06111885b77656da56719da1fcdcda4993e9cd1a95ef34dcd106ee665f0c347a761e357d2faee089840de3cfb098df87f378f5341543

Score

10^/10

remcos persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NEWORDERrefno0992883jpg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	NEWORDERrefno0992883jpg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\unturbid = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BILTMORE\\PILGRIMIZES.vbs"	NEWORDERrefno0992883jpg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

NEWORDERrefno0992883jpg.exeNEWORDERrefno0992883jpg.exe

pid process

3116 NEWORDERrefno0992883jpg.exe
3144 NEWORDERrefno0992883jpg.exe
3144 NEWORDERrefno0992883jpg.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

NEWORDERrefno0992883jpg.exe

description pid process target process

PID 3116 set thread context of 3144 3116 NEWORDERrefno0992883jpg.exe NEWORDERrefno0992883jpg.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

NEWORDERrefno0992883jpg.exe

pid process

3116 NEWORDERrefno0992883jpg.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

NEWORDERrefno0992883jpg.exeNEWORDERrefno0992883jpg.exe

pid process

3116 NEWORDERrefno0992883jpg.exe
3144 NEWORDERrefno0992883jpg.exe

pid	process
3116	NEWORDERrefno0992883jpg.exe
3144	NEWORDERrefno0992883jpg.exe
3144	NEWORDERrefno0992883jpg.exe

description	pid	process	target process
PID 3116 set thread context of 3144	3116	NEWORDERrefno0992883jpg.exe	NEWORDERrefno0992883jpg.exe

pid	process
3116	NEWORDERrefno0992883jpg.exe

pid	process
3116	NEWORDERrefno0992883jpg.exe
3144	NEWORDERrefno0992883jpg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

NEWORDERrefno0992883jpg.exe

description	pid	process	target process
PID 3116 wrote to memory of 3144	3116	NEWORDERrefno0992883jpg.exe	NEWORDERrefno0992883jpg.exe
PID 3116 wrote to memory of 3144	3116	NEWORDERrefno0992883jpg.exe	NEWORDERrefno0992883jpg.exe
PID 3116 wrote to memory of 3144	3116	NEWORDERrefno0992883jpg.exe	NEWORDERrefno0992883jpg.exe
PID 3116 wrote to memory of 3144	3116	NEWORDERrefno0992883jpg.exe	NEWORDERrefno0992883jpg.exe

C:\Users\Admin\AppData\Local\Temp\NEWORDERrefno0992883jpg.exe
"C:\Users\Admin\AppData\Local\Temp\NEWORDERrefno0992883jpg.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\NEWORDERrefno0992883jpg.exe
"C:\Users\Admin\AppData\Local\Temp\NEWORDERrefno0992883jpg.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3116-4-0x0000000002180000-0x000000000218E000-memory.dmp

Filesize
56KB

Download
memory/3144-5-0x0000000000401480-mapping.dmp

Download
memory/3144-6-0x0000000000401000-0x00000000004FD000-memory.dmp

Filesize
1008KB

Download
memory/3144-7-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/3144-8-0x0000000000401000-0x0000000000541000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing