remcos | 79e70809a85e291f9da3d391131208ce7645dd512eb6bb71811154b43da23222

Analysis

max time kernel
149s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
17-02-2021 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote.exe
Size

233KB
MD5

a96067cac28b1f5c3de4e1b6c7d0a402
SHA1

51c65c8ece4bfd5c7d1b09105440f3f02d3b14ca
SHA256

79e70809a85e291f9da3d391131208ce7645dd512eb6bb71811154b43da23222
SHA512

1627058a9a884965bce4ece1ccf03c24a849cd79fe883c923ae2eb56c8e0bbb730cf823e550c080685af1f906a38f2847a65dc8ed236181d97eee9ddcfc3f96e

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

103.89.88.238:4299

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Loads dropped DLL 2 IoCs

pid	Process
4684	Quote.exe
4684	Quote.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz = "C:\\Users\\Admin\\AppData\\Roaming\\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstu"	Quote.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4684 set thread context of 5076	4684	Quote.exe	73

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4684	Quote.exe
4684	Quote.exe
4684	Quote.exe
4684	Quote.exe
4684	Quote.exe
4684	Quote.exe
4684	Quote.exe
4684	Quote.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4684	Quote.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5076	Quote.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 5076	4684	Quote.exe	73
PID 4684 wrote to memory of 5076	4684	Quote.exe	73
PID 4684 wrote to memory of 5076	4684	Quote.exe	73
PID 4684 wrote to memory of 5076	4684	Quote.exe	73

C:\Users\Admin\AppData\Local\Temp\Quote.exe
"C:\Users\Admin\AppData\Local\Temp\Quote.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\Quote.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5076-5-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download