remcos | ebb506967720e7ba4938f575c161ce84db952133b0a55bc0f5624fbde4b8c824

General

Target

RgEfFMWH7mMuuke.exe
Size

940KB
MD5

c6732c2482863d217118f778c68aae25
SHA1

9adf978d5110db664677c0a1fad0fc0e38acdd8b
SHA256

ebb506967720e7ba4938f575c161ce84db952133b0a55bc0f5624fbde4b8c824
SHA512

38a82659a7ad67c69be5094147d6d97b1541642c61977ba17c5e90a4e67b8ebe0639866d9fb84f5a8f074fa434941a63589de21a72d4efabc2058cc21c92752f

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

217.138.212.58:52667

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

2684 remcos.exe

pid	process
2684	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RgEfFMWH7mMuuke.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	RgEfFMWH7mMuuke.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	RgEfFMWH7mMuuke.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RgEfFMWH7mMuuke.exe

description pid process target process

PID 1736 set thread context of 1332 1736 RgEfFMWH7mMuuke.exe RgEfFMWH7mMuuke.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

RgEfFMWH7mMuuke.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings RgEfFMWH7mMuuke.exe

description	pid	process	target process
PID 1736 set thread context of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	RgEfFMWH7mMuuke.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

RgEfFMWH7mMuuke.exepowershell.exe

pid	process
1736	RgEfFMWH7mMuuke.exe
1736	RgEfFMWH7mMuuke.exe
1736	RgEfFMWH7mMuuke.exe
1736	RgEfFMWH7mMuuke.exe
1736	RgEfFMWH7mMuuke.exe
1736	RgEfFMWH7mMuuke.exe
2268	powershell.exe
2268	powershell.exe
2268	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RgEfFMWH7mMuuke.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1736 RgEfFMWH7mMuuke.exe
Token: SeDebugPrivilege 2268 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1736	RgEfFMWH7mMuuke.exe
Token: SeDebugPrivilege	2268	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

RgEfFMWH7mMuuke.exeRgEfFMWH7mMuuke.exeWScript.execmd.exe

description	pid	process	target process
PID 1736 wrote to memory of 2268	1736	RgEfFMWH7mMuuke.exe	powershell.exe
PID 1736 wrote to memory of 2268	1736	RgEfFMWH7mMuuke.exe	powershell.exe
PID 1736 wrote to memory of 2268	1736	RgEfFMWH7mMuuke.exe	powershell.exe
PID 1736 wrote to memory of 2276	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 2276	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 2276	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1736 wrote to memory of 1332	1736	RgEfFMWH7mMuuke.exe	RgEfFMWH7mMuuke.exe
PID 1332 wrote to memory of 3736	1332	RgEfFMWH7mMuuke.exe	WScript.exe
PID 1332 wrote to memory of 3736	1332	RgEfFMWH7mMuuke.exe	WScript.exe
PID 1332 wrote to memory of 3736	1332	RgEfFMWH7mMuuke.exe	WScript.exe
PID 3736 wrote to memory of 3956	3736	WScript.exe	cmd.exe
PID 3736 wrote to memory of 3956	3736	WScript.exe	cmd.exe
PID 3736 wrote to memory of 3956	3736	WScript.exe	cmd.exe
PID 3956 wrote to memory of 2684	3956	cmd.exe	remcos.exe
PID 3956 wrote to memory of 2684	3956	cmd.exe	remcos.exe
PID 3956 wrote to memory of 2684	3956	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\RgEfFMWH7mMuuke.exe
"C:\Users\Admin\AppData\Local\Temp\RgEfFMWH7mMuuke.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RgEfFMWH7mMuuke.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Users\Admin\AppData\Local\Temp\RgEfFMWH7mMuuke.exe
"C:\Users\Admin\AppData\Local\Temp\RgEfFMWH7mMuuke.exe"
2⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\RgEfFMWH7mMuuke.exe
"C:\Users\Admin\AppData\Local\Temp\RgEfFMWH7mMuuke.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
PID:2684

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
c6732c2482863d217118f778c68aae25

SHA1
9adf978d5110db664677c0a1fad0fc0e38acdd8b

SHA256
ebb506967720e7ba4938f575c161ce84db952133b0a55bc0f5624fbde4b8c824

SHA512
38a82659a7ad67c69be5094147d6d97b1541642c61977ba17c5e90a4e67b8ebe0639866d9fb84f5a8f074fa434941a63589de21a72d4efabc2058cc21c92752f

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
c6732c2482863d217118f778c68aae25

SHA1
9adf978d5110db664677c0a1fad0fc0e38acdd8b

SHA256
ebb506967720e7ba4938f575c161ce84db952133b0a55bc0f5624fbde4b8c824

SHA512
38a82659a7ad67c69be5094147d6d97b1541642c61977ba17c5e90a4e67b8ebe0639866d9fb84f5a8f074fa434941a63589de21a72d4efabc2058cc21c92752f

Download Submit
memory/1332-133-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1332-126-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1332-127-0x000000000042EEEF-mapping.dmp

Download
memory/1736-119-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/1736-122-0x0000000005980000-0x0000000005E7E000-memory.dmp

Filesize
5.0MB

Download
memory/1736-123-0x00000000066C0000-0x0000000006773000-memory.dmp

Filesize
716KB

Download
memory/1736-124-0x0000000008C40000-0x0000000008CBE000-memory.dmp

Filesize
504KB

Download
memory/1736-121-0x0000000005B60000-0x0000000005B69000-memory.dmp

Filesize
36KB

Download
memory/1736-120-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/1736-118-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/1736-117-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/1736-114-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1736-116-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/2268-135-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/2268-164-0x0000000009630000-0x0000000009663000-memory.dmp

Filesize
204KB

Download
memory/2268-181-0x0000000007273000-0x0000000007274000-memory.dmp

Filesize
4KB

Download
memory/2268-136-0x0000000007272000-0x0000000007273000-memory.dmp

Filesize
4KB

Download
memory/2268-137-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/2268-138-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/2268-139-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/2268-140-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/2268-141-0x0000000007F80000-0x0000000007F81000-memory.dmp

Filesize
4KB

Download
memory/2268-142-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

Filesize
4KB

Download
memory/2268-143-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/2268-179-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2268-130-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2268-177-0x0000000009B50000-0x0000000009B51000-memory.dmp

Filesize
4KB

Download
memory/2268-125-0x0000000000000000-mapping.dmp

Download
memory/2268-176-0x0000000009A00000-0x0000000009A01000-memory.dmp

Filesize
4KB

Download
memory/2268-131-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/2268-171-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/2684-158-0x0000000005660000-0x0000000005B5E000-memory.dmp

Filesize
5.0MB

Download
memory/2684-145-0x0000000000000000-mapping.dmp

Download
memory/3736-132-0x0000000000000000-mapping.dmp

Download
memory/3956-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads