remcos | d3f4d352d63d7565acc222c50c0fccf56a7d90ad1623ae32e3a7f0e3b9ea5dfc

Analysis

max time kernel
150s
max time network
156s
platform
windows10_x64
resource
win10v20201028
submitted
20-02-2021 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
Size

412KB
MD5

3932f812b26f3bff1d20070c58468f2e
SHA1

cbbd717f6fc0efebb051ca6329b90d8473dc5366
SHA256

6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e
SHA512

9b3b414a5552635e111d97b4f3bb458ca778eeaed38b30d9236ff9cd095e9f2e5a28666756e5382adfcaf04b0692b00cec6ea42d984609f1d1f3b2e75377f104

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

capriteam.ddns.net:1010

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1568 remcos.exe
3096 remcos.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1020 WScript.exe

pid	process
1568	remcos.exe
3096	remcos.exe

pid	process
1020	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.exe6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exeremcos.exe

description	pid	process	target process
PID 496 set thread context of 2868	496	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
PID 1568 set thread context of 3096	1568	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exeremcos.exe

pid process

496 6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
1568 remcos.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exeremcos.exe

pid process

496 6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
1568 remcos.exe

pid	process
496	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
1568	remcos.exe

pid	process
496	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
1568	remcos.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 496 wrote to memory of 2868	496	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
PID 496 wrote to memory of 2868	496	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
PID 496 wrote to memory of 2868	496	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
PID 496 wrote to memory of 2868	496	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
PID 2868 wrote to memory of 1020	2868	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe	WScript.exe
PID 2868 wrote to memory of 1020	2868	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe	WScript.exe
PID 2868 wrote to memory of 1020	2868	6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe	WScript.exe
PID 1020 wrote to memory of 4016	1020	WScript.exe	cmd.exe
PID 1020 wrote to memory of 4016	1020	WScript.exe	cmd.exe
PID 1020 wrote to memory of 4016	1020	WScript.exe	cmd.exe
PID 4016 wrote to memory of 1568	4016	cmd.exe	remcos.exe
PID 4016 wrote to memory of 1568	4016	cmd.exe	remcos.exe
PID 4016 wrote to memory of 1568	4016	cmd.exe	remcos.exe
PID 1568 wrote to memory of 3096	1568	remcos.exe	remcos.exe
PID 1568 wrote to memory of 3096	1568	remcos.exe	remcos.exe
PID 1568 wrote to memory of 3096	1568	remcos.exe	remcos.exe
PID 1568 wrote to memory of 3096	1568	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
"C:\Users\Admin\AppData\Local\Temp\6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:496
- C:\Users\Admin\AppData\Local\Temp\6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe
  "C:\Users\Admin\AppData\Local\Temp\6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e.exe"
  2⤵
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        
        "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
abc68e986f1d4fbc3aefa840bc91ddfd

SHA1
79acf82b04699262bb74ae2b772a99c1bf68c691

SHA256
5b9eedf4b27fc5c907cfae4cd93e54acdff5cb036617c7f9283d8cf3b6c6fb57

SHA512
41e219ebcd48bc186773ed5b88c762e4138c8bb60deb0c69afb735d3c42cc66a39cb2b811247ec3929e620222682719db4eac5ce0e6541e9d0c19ac3bd0f1790

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
3932f812b26f3bff1d20070c58468f2e

SHA1
cbbd717f6fc0efebb051ca6329b90d8473dc5366

SHA256
6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e

SHA512
9b3b414a5552635e111d97b4f3bb458ca778eeaed38b30d9236ff9cd095e9f2e5a28666756e5382adfcaf04b0692b00cec6ea42d984609f1d1f3b2e75377f104

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
3932f812b26f3bff1d20070c58468f2e

SHA1
cbbd717f6fc0efebb051ca6329b90d8473dc5366

SHA256
6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e

SHA512
9b3b414a5552635e111d97b4f3bb458ca778eeaed38b30d9236ff9cd095e9f2e5a28666756e5382adfcaf04b0692b00cec6ea42d984609f1d1f3b2e75377f104

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
3932f812b26f3bff1d20070c58468f2e

SHA1
cbbd717f6fc0efebb051ca6329b90d8473dc5366

SHA256
6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e

SHA512
9b3b414a5552635e111d97b4f3bb458ca778eeaed38b30d9236ff9cd095e9f2e5a28666756e5382adfcaf04b0692b00cec6ea42d984609f1d1f3b2e75377f104

Download Submit
memory/496-6-0x0000000000620000-0x0000000000625000-memory.dmp

Filesize
20KB

Download
memory/496-4-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1020-9-0x0000000000000000-mapping.dmp

Download
memory/1568-12-0x0000000000000000-mapping.dmp

Download
memory/2868-8-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2868-7-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2868-5-0x000000000042ED62-mapping.dmp

Download
memory/3096-18-0x000000000042ED62-mapping.dmp

Download
memory/3096-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3096-22-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/4016-11-0x0000000000000000-mapping.dmp

Download