remcos | 93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

General

Target

25c71e37a9cc1bae4bc5227de8c3c17a.exe
Size

1.3MB
MD5

25c71e37a9cc1bae4bc5227de8c3c17a
SHA1

0b841a04228d0774559a70051ce45ecab747ec77
SHA256

93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2
SHA512

1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

fieldsdegreenf.duckdns.org:6553

aaeeerbbbeee.duckdns.org:6553

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

2468 remcos.exe
824 remcos.exe

pid	process
2468	remcos.exe
824	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

25c71e37a9cc1bae4bc5227de8c3c17a.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	25c71e37a9cc1bae4bc5227de8c3c17a.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	25c71e37a9cc1bae4bc5227de8c3c17a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

25c71e37a9cc1bae4bc5227de8c3c17a.exeremcos.exe

description	pid	process	target process
PID 3944 set thread context of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 2468 set thread context of 824	2468	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

25c71e37a9cc1bae4bc5227de8c3c17a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	25c71e37a9cc1bae4bc5227de8c3c17a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

824 remcos.exe

pid	process
824	remcos.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

25c71e37a9cc1bae4bc5227de8c3c17a.exe25c71e37a9cc1bae4bc5227de8c3c17a.exeWScript.execmd.exeremcos.exeremcos.exe

description	pid	process	target process
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3944 wrote to memory of 3616	3944	25c71e37a9cc1bae4bc5227de8c3c17a.exe	25c71e37a9cc1bae4bc5227de8c3c17a.exe
PID 3616 wrote to memory of 2128	3616	25c71e37a9cc1bae4bc5227de8c3c17a.exe	WScript.exe
PID 3616 wrote to memory of 2128	3616	25c71e37a9cc1bae4bc5227de8c3c17a.exe	WScript.exe
PID 3616 wrote to memory of 2128	3616	25c71e37a9cc1bae4bc5227de8c3c17a.exe	WScript.exe
PID 2128 wrote to memory of 3896	2128	WScript.exe	cmd.exe
PID 2128 wrote to memory of 3896	2128	WScript.exe	cmd.exe
PID 2128 wrote to memory of 3896	2128	WScript.exe	cmd.exe
PID 3896 wrote to memory of 2468	3896	cmd.exe	remcos.exe
PID 3896 wrote to memory of 2468	3896	cmd.exe	remcos.exe
PID 3896 wrote to memory of 2468	3896	cmd.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 2468 wrote to memory of 824	2468	remcos.exe	remcos.exe
PID 824 wrote to memory of 1468	824	remcos.exe	svchost.exe
PID 824 wrote to memory of 1468	824	remcos.exe	svchost.exe
PID 824 wrote to memory of 1468	824	remcos.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\25c71e37a9cc1bae4bc5227de8c3c17a.exe
"C:\Users\Admin\AppData\Local\Temp\25c71e37a9cc1bae4bc5227de8c3c17a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\25c71e37a9cc1bae4bc5227de8c3c17a.exe
"{path}"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
25c71e37a9cc1bae4bc5227de8c3c17a

SHA1
0b841a04228d0774559a70051ce45ecab747ec77

SHA256
93e3956f268d38726acd19958a181d02feaea3e166b7e7d24d7a0c908141a4b2

SHA512
1a08f3457bfde941e8129e600d8618a6f35cf645bcdf77dad62eb0146f8f1462cef8cb8c72fb58f3e68d67ed8ae2cce41f01777dd5e32c66193d566cae7e26d4

Download Submit
memory/824-146-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/824-144-0x000000000042EEEF-mapping.dmp

Download
memory/2128-126-0x0000000000000000-mapping.dmp

Download
memory/2468-140-0x0000000005310000-0x000000000580E000-memory.dmp

Filesize
5.0MB

Download
memory/2468-130-0x0000000000000000-mapping.dmp

Download
memory/3616-125-0x000000000042EEEF-mapping.dmp

Download
memory/3616-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3616-128-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3896-129-0x0000000000000000-mapping.dmp

Download
memory/3944-114-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3944-123-0x000000000AFB0000-0x000000000B079000-memory.dmp

Filesize
804KB

Download
memory/3944-122-0x00000000087E0000-0x00000000088DD000-memory.dmp

Filesize
1012KB

Download
memory/3944-121-0x0000000008610000-0x0000000008611000-memory.dmp

Filesize
4KB

Download
memory/3944-120-0x0000000005150000-0x000000000515E000-memory.dmp

Filesize
56KB

Download
memory/3944-118-0x0000000005070000-0x000000000556E000-memory.dmp

Filesize
5.0MB

Download
memory/3944-119-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3944-117-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/3944-116-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads