remcos | cb1606fa6e387118598b57f810cb767feaa1ab3c3d59a865c52af2ec75a81c6d

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
23-04-2021 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc07621220210416113300.exe
Size

611KB
MD5

86a60c76f4734d8e5e664d4296b05d23
SHA1

bbd8bfae7c2449915d071899300aeb3de5030464
SHA256

1dc132d54524bfd99e713b47052ec9fc2a59fcbb46d70c732426cf228446e17e
SHA512

8ac001844e94a5bac88d3abf6f5a1d6a904d0443e29e78c9b41ab7b2f06995ea2a4d78d9829f61467ec2217c2db51b8dc33abda4caab7712c0dbebbb022ffd68

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

www.pakchoob.me:2404

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

doc07621220210416113300.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpnjtw = "C:\\Users\\Public\\Libraries\\wtjnpG.url"	doc07621220210416113300.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

doc07621220210416113300.exe

description pid process target process

PID 4048 set thread context of 2932 4048 doc07621220210416113300.exe doc07621220210416113300.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

doc07621220210416113300.exe

pid process

2932 doc07621220210416113300.exe

description	pid	process	target process
PID 4048 set thread context of 2932	4048	doc07621220210416113300.exe	doc07621220210416113300.exe

pid	process
2932	doc07621220210416113300.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

doc07621220210416113300.exe

description	pid	process	target process
PID 4048 wrote to memory of 2932	4048	doc07621220210416113300.exe	doc07621220210416113300.exe
PID 4048 wrote to memory of 2932	4048	doc07621220210416113300.exe	doc07621220210416113300.exe
PID 4048 wrote to memory of 2932	4048	doc07621220210416113300.exe	doc07621220210416113300.exe
PID 4048 wrote to memory of 2932	4048	doc07621220210416113300.exe	doc07621220210416113300.exe
PID 4048 wrote to memory of 2932	4048	doc07621220210416113300.exe	doc07621220210416113300.exe

C:\Users\Admin\AppData\Local\Temp\doc07621220210416113300.exe
"C:\Users\Admin\AppData\Local\Temp\doc07621220210416113300.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\doc07621220210416113300.exe
C:\Users\Admin\AppData\Local\Temp\doc07621220210416113300.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2932-119-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2932-120-0x0000000000413FA4-mapping.dmp

Download
memory/2932-121-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4048-114-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4048-116-0x0000000000760000-0x000000000077A000-memory.dmp

Filesize
104KB

Download