remcos | 93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

Analysis

max time kernel
77s
max time network
18s
platform
windows7_x64
resource
win7v20210408
submitted
23-04-2021 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25c71e37a9cc1bae4bc5227de8c3c17a.exe
Size

1.3MB
MD5

25c71e37a9cc1bae4bc5227de8c3c17a
SHA1

0b841a04228d0774559a70051ce45ecab747ec77
SHA256

93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2
SHA512

1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

fieldsdegreenf.duckdns.org:6553

aaeeerbbbeee.duckdns.org:6553

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 6 IoCs

Processes:

remcos.exeremcos.exeremcos.exeremcos.exeremcos.exeremcos.exe

pid process

632 remcos.exe
1060 remcos.exe
1268 remcos.exe
1796 remcos.exe
1376 remcos.exe
1016 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

588 cmd.exe

pid	process
632	remcos.exe
1060	remcos.exe
1268	remcos.exe
1796	remcos.exe
1376	remcos.exe
1016	remcos.exe

pid	process
588	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

25c71e37a9cc1bae4bc5227de8c3c17a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	25c71e37a9cc1bae4bc5227de8c3c17a.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	25c71e37a9cc1bae4bc5227de8c3c17a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

25c71e37a9cc1bae4bc5227de8c3c17a.exe

description pid process target process

PID 1684 set thread context of 988 1684 25c71e37a9cc1bae4bc5227de8c3c17a.exe 25c71e37a9cc1bae4bc5227de8c3c17a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

remcos.exe

pid process

632 remcos.exe
632 remcos.exe
632 remcos.exe
632 remcos.exe
632 remcos.exe
632 remcos.exe
632 remcos.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

remcos.exe

description pid process

Token: SeDebugPrivilege 632 remcos.exe

description	pid	process	target process
PID 1684 set thread context of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe

pid	process
632	remcos.exe
632	remcos.exe
632	remcos.exe
632	remcos.exe
632	remcos.exe
632	remcos.exe
632	remcos.exe

description	pid	process
Token: SeDebugPrivilege	632	remcos.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

25c71e37a9cc1bae4bc5227de8c3c17a.exe25c71e37a9cc1bae4bc5227de8c3c17a.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 1684 wrote to memory of 988	1684	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 988 wrote to memory of 1708	988	25c71e37a9cc1bae4bc5227de8c3c17a.exe	WScript.exe
PID 988 wrote to memory of 1708	988	25c71e37a9cc1bae4bc5227de8c3c17a.exe	WScript.exe
PID 988 wrote to memory of 1708	988	25c71e37a9cc1bae4bc5227de8c3c17a.exe	WScript.exe
PID 988 wrote to memory of 1708	988	25c71e37a9cc1bae4bc5227de8c3c17a.exe	WScript.exe
PID 1708 wrote to memory of 588	1708	WScript.exe	cmd.exe
PID 1708 wrote to memory of 588	1708	WScript.exe	cmd.exe
PID 1708 wrote to memory of 588	1708	WScript.exe	cmd.exe
PID 1708 wrote to memory of 588	1708	WScript.exe	cmd.exe
PID 588 wrote to memory of 632	588	cmd.exe	remcos.exe
PID 588 wrote to memory of 632	588	cmd.exe	remcos.exe
PID 588 wrote to memory of 632	588	cmd.exe	remcos.exe
PID 588 wrote to memory of 632	588	cmd.exe	remcos.exe
PID 632 wrote to memory of 1060	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1060	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1060	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1060	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1268	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1268	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1268	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1268	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1796	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1796	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1796	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1796	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1376	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1376	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1376	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1376	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1016	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1016	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1016	632	remcos.exe	remcos.exe
PID 632 wrote to memory of 1016	632	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\25c71e37a9cc1bae4bc5227de8c3c17a.exe
"C:\Users\Admin\AppData\Local\Temp\25c71e37a9cc1bae4bc5227de8c3c17a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\25c71e37a9cc1bae4bc5227de8c3c17a.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
PID:1060

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
PID:1796

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
PID:1016

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
PID:1376

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
memory/588-73-0x0000000000000000-mapping.dmp

Download
memory/632-81-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/632-78-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/632-76-0x0000000000000000-mapping.dmp

Download
memory/988-66-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/988-72-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/988-68-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/988-67-0x000000000042EEEF-mapping.dmp

Download
memory/1684-60-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/1684-65-0x0000000008140000-0x0000000008209000-memory.dmp

Filesize
804KB

Download
memory/1684-64-0x0000000008040000-0x000000000813D000-memory.dmp

Filesize
1012KB

Download
memory/1684-63-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/1684-62-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1708-69-0x0000000000000000-mapping.dmp

Download