remcos | 13d2043597d9277e97a4996c4f04266e462b4332a0df325417bf7ac578376c7c

General

Target

IMG-20210406-WA0004-55YH701.exe
Size

761KB
MD5

d7de799d728a8effd9e4ef0f6a776e88
SHA1

4b4a18a2c6d6e0b9ea6cfd6175b064f1622f4620
SHA256

770239e721583e7852323517a01a9bc5ec4922e612104b48ae79ae442c0c697f
SHA512

77b29325453c72bd997b199fa728e5d8572f274a856ed2a0989a46c34f3bc101b12cf27d9c9f67b5dd3704e2a74151e4f657bb4b1f33439bc92d853d389f1b4f

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

www.swqrn.com:16108

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

Netplwiz.exeNetplwiz.exe

pid process

336 Netplwiz.exe
1048 Netplwiz.exe

pid	process
336	Netplwiz.exe
1048	Netplwiz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IMG-20210406-WA0004-55YH701.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nuhfgj = "C:\\Users\\Public\\Libraries\\jgfhuN.url"	IMG-20210406-WA0004-55YH701.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

IMG-20210406-WA0004-55YH701.exe

description pid process target process

PID 1848 set thread context of 1468 1848 IMG-20210406-WA0004-55YH701.exe IMG-20210406-WA0004-55YH701.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMG-20210406-WA0004-55YH701.exe

pid process

1468 IMG-20210406-WA0004-55YH701.exe

description	pid	process	target process
PID 1848 set thread context of 1468	1848	IMG-20210406-WA0004-55YH701.exe	IMG-20210406-WA0004-55YH701.exe

pid	process
1468	IMG-20210406-WA0004-55YH701.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

IMG-20210406-WA0004-55YH701.execmd.exe

description	pid	process	target process
PID 1848 wrote to memory of 1468	1848	IMG-20210406-WA0004-55YH701.exe	IMG-20210406-WA0004-55YH701.exe
PID 1848 wrote to memory of 1468	1848	IMG-20210406-WA0004-55YH701.exe	IMG-20210406-WA0004-55YH701.exe
PID 1848 wrote to memory of 1468	1848	IMG-20210406-WA0004-55YH701.exe	IMG-20210406-WA0004-55YH701.exe
PID 1848 wrote to memory of 1468	1848	IMG-20210406-WA0004-55YH701.exe	IMG-20210406-WA0004-55YH701.exe
PID 1848 wrote to memory of 1468	1848	IMG-20210406-WA0004-55YH701.exe	IMG-20210406-WA0004-55YH701.exe
PID 1848 wrote to memory of 1468	1848	IMG-20210406-WA0004-55YH701.exe	IMG-20210406-WA0004-55YH701.exe
PID 1848 wrote to memory of 952	1848	IMG-20210406-WA0004-55YH701.exe	cmd.exe
PID 1848 wrote to memory of 952	1848	IMG-20210406-WA0004-55YH701.exe	cmd.exe
PID 1848 wrote to memory of 952	1848	IMG-20210406-WA0004-55YH701.exe	cmd.exe
PID 1848 wrote to memory of 952	1848	IMG-20210406-WA0004-55YH701.exe	cmd.exe
PID 952 wrote to memory of 972	952	cmd.exe	cmd.exe
PID 952 wrote to memory of 972	952	cmd.exe	cmd.exe
PID 952 wrote to memory of 972	952	cmd.exe	cmd.exe
PID 952 wrote to memory of 972	952	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\IMG-20210406-WA0004-55YH701.exe
"C:\Users\Admin\AppData\Local\Temp\IMG-20210406-WA0004-55YH701.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\IMG-20210406-WA0004-55YH701.exe
C:\Users\Admin\AppData\Local\Temp\IMG-20210406-WA0004-55YH701.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\stt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
3⤵
PID:972

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
4⤵
- Executes dropped EXE
PID:336

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
4⤵
- Executes dropped EXE
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\NETUTILS.dll
MD5
39507d772c63ca496a25a14a8b5d14b2

SHA1
5b603f5c11eb9ab4313694315b4d4894ff4641d4

SHA256
36d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12

SHA512
0c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f

Download Submit
C:\Users\Public\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Users\Public\PXOR.bat
MD5
0d8aef656413642f55e0902cc5df5e6f

SHA1
73ec56d08bd9b3c45d55c97bd1c1286b77c8ff49

SHA256
670f94b92f45bc2f3f44a80c7f3021f874aa16fde38ed7d7f3ebed13ae09fa11

SHA512
efe690b1bcf06e16be469622b45c98b5dc1f1e06410cbf7e7dccb2975524c4d6bc7e23de9a129d50d73cd924f02e23f925555894f2c7da1064dcc57151f50876

Download Submit
C:\Users\Public\stt.bat
MD5
8a850253c31df9a7e1c00c80df2630d5

SHA1
e3da74081b027a3b591488b28da22742bcfe8495

SHA256
8fdeba3ec903bde700342083d16f72452366aa0b1b30d0e58dee0af74cebfa35

SHA512
30510bdc34680a0865a0811d9be29dec91c74717feccd58c9b4d88e77be9e5d13a539806a1b2901aff595b2fe2cc45926b69ed42e899d2dd2913c78a732e84d1

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
memory/952-64-0x0000000000000000-mapping.dmp

Download
memory/972-66-0x0000000000000000-mapping.dmp

Download
memory/972-74-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1468-62-0x000000000042F08F-mapping.dmp

Download
memory/1468-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1468-73-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1848-59-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1848-60-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing