remcos | 5968501b6456f12a9f36071f5e663bc48214007b9ff78601cb3e5585b8df29e9

General

Target

Scan_Documents-001HD4847DHD346G.exe
Size

838KB
MD5

303c5d6aa71eede673d90225146fba07
SHA1

61e24b0ec1a6933259565c21788e0ccbacd4c630
SHA256

6018d6795b86aef8d39205698ca166c8c5d413d06a8a1fa346741bd56ff0e307
SHA512

bc584d8b598bf59e4ec1a3b494556df46730fdf31175ac6fdfd4fe8c72781e539d9d082998d7df0b292a3c4212ab16a46a4e734a28b2d0291a016e3bdebd728a

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

www.swqrn.com:16108

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Scan_Documents-001HD4847DHD346G.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wfwilj = "C:\\Users\\Public\\Libraries\\jliwfW.url"	Scan_Documents-001HD4847DHD346G.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Scan_Documents-001HD4847DHD346G.exe

description	ioc	process
File opened (read-only)	\??\A:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\B:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\E:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\G:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\L:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\Q:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\S:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\F:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\I:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\K:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\M:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\P:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\T:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\V:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\J:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\N:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\O:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\R:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\U:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\W:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\Y:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\Z:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\H:	Scan_Documents-001HD4847DHD346G.exe
File opened (read-only)	\??\X:	Scan_Documents-001HD4847DHD346G.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Scan_Documents-001HD4847DHD346G.exe

description pid process target process

PID 1848 set thread context of 952 1848 Scan_Documents-001HD4847DHD346G.exe Scan_Documents-001HD4847DHD346G.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Scan_Documents-001HD4847DHD346G.exe

pid process

952 Scan_Documents-001HD4847DHD346G.exe

description	pid	process	target process
PID 1848 set thread context of 952	1848	Scan_Documents-001HD4847DHD346G.exe	Scan_Documents-001HD4847DHD346G.exe

pid	process
952	Scan_Documents-001HD4847DHD346G.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Scan_Documents-001HD4847DHD346G.exe

description	pid	process	target process
PID 1848 wrote to memory of 952	1848	Scan_Documents-001HD4847DHD346G.exe	Scan_Documents-001HD4847DHD346G.exe
PID 1848 wrote to memory of 952	1848	Scan_Documents-001HD4847DHD346G.exe	Scan_Documents-001HD4847DHD346G.exe
PID 1848 wrote to memory of 952	1848	Scan_Documents-001HD4847DHD346G.exe	Scan_Documents-001HD4847DHD346G.exe
PID 1848 wrote to memory of 952	1848	Scan_Documents-001HD4847DHD346G.exe	Scan_Documents-001HD4847DHD346G.exe
PID 1848 wrote to memory of 952	1848	Scan_Documents-001HD4847DHD346G.exe	Scan_Documents-001HD4847DHD346G.exe
PID 1848 wrote to memory of 952	1848	Scan_Documents-001HD4847DHD346G.exe	Scan_Documents-001HD4847DHD346G.exe

C:\Users\Admin\AppData\Local\Temp\Scan_Documents-001HD4847DHD346G.exe
"C:\Users\Admin\AppData\Local\Temp\Scan_Documents-001HD4847DHD346G.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\Scan_Documents-001HD4847DHD346G.exe
C:\Users\Admin\AppData\Local\Temp\Scan_Documents-001HD4847DHD346G.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x588
1⤵
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/952-66-0x000000000042F08F-mapping.dmp

Download
memory/952-68-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1848-59-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1848-61-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1848-64-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads