remcos | 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

General

Target

93d5a6c80343c85fb4aedd5b1de38613.exe
Size

128KB
MD5

93d5a6c80343c85fb4aedd5b1de38613
SHA1

12e13aba5ea9dc2d86030befeac7c124dc17a6eb
SHA256

9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
SHA512

6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

sandshoe.myfirewall.org:2415

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1364 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1280 cmd.exe
1280 cmd.exe

pid	process
1364	svchost.exe

pid	process
1280	cmd.exe
1280	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

93d5a6c80343c85fb4aedd5b1de38613.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	93d5a6c80343c85fb4aedd5b1de38613.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\""	93d5a6c80343c85fb4aedd5b1de38613.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\""	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1364 set thread context of 396 1364 svchost.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1364 svchost.exe

description	pid	process	target process
PID 1364 set thread context of 396	1364	svchost.exe	svchost.exe

pid	process
1364	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

93d5a6c80343c85fb4aedd5b1de38613.exeWScript.execmd.exesvchost.exe

description	pid	process	target process
PID 1748 wrote to memory of 2000	1748	93d5a6c80343c85fb4aedd5b1de38613.exe	WScript.exe
PID 1748 wrote to memory of 2000	1748	93d5a6c80343c85fb4aedd5b1de38613.exe	WScript.exe
PID 1748 wrote to memory of 2000	1748	93d5a6c80343c85fb4aedd5b1de38613.exe	WScript.exe
PID 1748 wrote to memory of 2000	1748	93d5a6c80343c85fb4aedd5b1de38613.exe	WScript.exe
PID 2000 wrote to memory of 1280	2000	WScript.exe	cmd.exe
PID 2000 wrote to memory of 1280	2000	WScript.exe	cmd.exe
PID 2000 wrote to memory of 1280	2000	WScript.exe	cmd.exe
PID 2000 wrote to memory of 1280	2000	WScript.exe	cmd.exe
PID 1280 wrote to memory of 1364	1280	cmd.exe	svchost.exe
PID 1280 wrote to memory of 1364	1280	cmd.exe	svchost.exe
PID 1280 wrote to memory of 1364	1280	cmd.exe	svchost.exe
PID 1280 wrote to memory of 1364	1280	cmd.exe	svchost.exe
PID 1364 wrote to memory of 396	1364	svchost.exe	svchost.exe
PID 1364 wrote to memory of 396	1364	svchost.exe	svchost.exe
PID 1364 wrote to memory of 396	1364	svchost.exe	svchost.exe
PID 1364 wrote to memory of 396	1364	svchost.exe	svchost.exe
PID 1364 wrote to memory of 396	1364	svchost.exe	svchost.exe
PID 1364 wrote to memory of 396	1364	svchost.exe	svchost.exe
PID 1364 wrote to memory of 396	1364	svchost.exe	svchost.exe
PID 1364 wrote to memory of 396	1364	svchost.exe	svchost.exe
PID 1364 wrote to memory of 396	1364	svchost.exe	svchost.exe
PID 1364 wrote to memory of 396	1364	svchost.exe	svchost.exe
PID 1364 wrote to memory of 396	1364	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\93d5a6c80343c85fb4aedd5b1de38613.exe
"C:\Users\Admin\AppData\Local\Temp\93d5a6c80343c85fb4aedd5b1de38613.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
PID:396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
19a866a859bf53960e0838991626b634

SHA1
068d247b78fcef6c5fdcd06a69479c1852d72b66

SHA256
4f19248011c8de17ee236772e367532e2fc946c209e3a777da4925eb86fdeab7

SHA512
9ff83f6ee2f8bba5effc9e596961a263c0397a0f286b2f54ad430486b607260f8e531e7e10617352fada3a4572a370e80522cdb136b56f480a95de42d4210520

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
\Users\Admin\AppData\Roaming\Remcos\svchost.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
\Users\Admin\AppData\Roaming\Remcos\svchost.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
memory/396-71-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/396-72-0x0000000000413FA4-mapping.dmp

Download
memory/396-74-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1280-64-0x0000000000000000-mapping.dmp

Download
memory/1364-68-0x0000000000000000-mapping.dmp

Download
memory/1748-60-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/2000-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing