remcos | af0249150bee4fec74c124f89019cd260c9aacd7b7a7715192b5097f1948eb82

General

Target

53d1fe3209497d194e38201deb835924.exe
Size

2.1MB
MD5

53d1fe3209497d194e38201deb835924
SHA1

43f4315a82d7cd359aec38eac9fa37602d8baac6
SHA256

af0249150bee4fec74c124f89019cd260c9aacd7b7a7715192b5097f1948eb82
SHA512

a706c677811bc7b5b0368c840c00499b45c3f30e3b52350373e4475bfe90c8bfceee57100d28dece8ec3006382a0be5a8ae780e1c1d71acf43208301200128a2

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

fieldsdegreenf.duckdns.org:6553

aaeeerbbbeee.duckdns.org:6553

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

4048 remcos.exe
3356 remcos.exe

pid	process
4048	remcos.exe
3356	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.exe53d1fe3209497d194e38201deb835924.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	53d1fe3209497d194e38201deb835924.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	53d1fe3209497d194e38201deb835924.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

53d1fe3209497d194e38201deb835924.exeremcos.exe

description	pid	process	target process
PID 604 set thread context of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 4048 set thread context of 3356	4048	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

53d1fe3209497d194e38201deb835924.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	53d1fe3209497d194e38201deb835924.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

3356 remcos.exe

pid	process
3356	remcos.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

53d1fe3209497d194e38201deb835924.exe53d1fe3209497d194e38201deb835924.exeWScript.execmd.exeremcos.exeremcos.exe

description	pid	process	target process
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 604 wrote to memory of 3332	604	53d1fe3209497d194e38201deb835924.exe	53d1fe3209497d194e38201deb835924.exe
PID 3332 wrote to memory of 3468	3332	53d1fe3209497d194e38201deb835924.exe	WScript.exe
PID 3332 wrote to memory of 3468	3332	53d1fe3209497d194e38201deb835924.exe	WScript.exe
PID 3332 wrote to memory of 3468	3332	53d1fe3209497d194e38201deb835924.exe	WScript.exe
PID 3468 wrote to memory of 1896	3468	WScript.exe	cmd.exe
PID 3468 wrote to memory of 1896	3468	WScript.exe	cmd.exe
PID 3468 wrote to memory of 1896	3468	WScript.exe	cmd.exe
PID 1896 wrote to memory of 4048	1896	cmd.exe	remcos.exe
PID 1896 wrote to memory of 4048	1896	cmd.exe	remcos.exe
PID 1896 wrote to memory of 4048	1896	cmd.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 4048 wrote to memory of 3356	4048	remcos.exe	remcos.exe
PID 3356 wrote to memory of 1256	3356	remcos.exe	svchost.exe
PID 3356 wrote to memory of 1256	3356	remcos.exe	svchost.exe
PID 3356 wrote to memory of 1256	3356	remcos.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\53d1fe3209497d194e38201deb835924.exe
"C:\Users\Admin\AppData\Local\Temp\53d1fe3209497d194e38201deb835924.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Local\Temp\53d1fe3209497d194e38201deb835924.exe
"{path}"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
53d1fe3209497d194e38201deb835924

SHA1
43f4315a82d7cd359aec38eac9fa37602d8baac6

SHA256
af0249150bee4fec74c124f89019cd260c9aacd7b7a7715192b5097f1948eb82

SHA512
a706c677811bc7b5b0368c840c00499b45c3f30e3b52350373e4475bfe90c8bfceee57100d28dece8ec3006382a0be5a8ae780e1c1d71acf43208301200128a2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
53d1fe3209497d194e38201deb835924

SHA1
43f4315a82d7cd359aec38eac9fa37602d8baac6

SHA256
af0249150bee4fec74c124f89019cd260c9aacd7b7a7715192b5097f1948eb82

SHA512
a706c677811bc7b5b0368c840c00499b45c3f30e3b52350373e4475bfe90c8bfceee57100d28dece8ec3006382a0be5a8ae780e1c1d71acf43208301200128a2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
53d1fe3209497d194e38201deb835924

SHA1
43f4315a82d7cd359aec38eac9fa37602d8baac6

SHA256
af0249150bee4fec74c124f89019cd260c9aacd7b7a7715192b5097f1948eb82

SHA512
a706c677811bc7b5b0368c840c00499b45c3f30e3b52350373e4475bfe90c8bfceee57100d28dece8ec3006382a0be5a8ae780e1c1d71acf43208301200128a2

Download Submit
memory/604-121-0x0000000009F80000-0x0000000009F81000-memory.dmp

Filesize
4KB

Download
memory/604-120-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/604-119-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/604-122-0x0000000009EF0000-0x0000000009EFE000-memory.dmp

Filesize
56KB

Download
memory/604-123-0x000000000A0E0000-0x000000000A18B000-memory.dmp

Filesize
684KB

Download
memory/604-124-0x000000000C9B0000-0x000000000CA24000-memory.dmp

Filesize
464KB

Download
memory/604-118-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/604-117-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/604-116-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/604-114-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1896-130-0x0000000000000000-mapping.dmp

Download
memory/3332-127-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3332-126-0x000000000042EEEF-mapping.dmp

Download
memory/3332-125-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3356-146-0x000000000042EEEF-mapping.dmp

Download
memory/3356-148-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3468-128-0x0000000000000000-mapping.dmp

Download
memory/4048-131-0x0000000000000000-mapping.dmp

Download
memory/4048-141-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads