remcos | 01b1f2041aaba6815657a7a7409a0843868459fa3cabf0c377a83862ac88a27f

Processes:

VESSELS DETAILS.exeSynaptics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eb32dGo7VDvudYzB\\h6XvDDkVGbyI.exe\",explorer.exe"	VESSELS DETAILS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eb32dGo7VDvudYzB\\FzElR48giB6i.exe\",explorer.exe"	Synaptics.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 5 IoCs

Processes:

._cache_VESSELS DETAILS.exeSynaptics.exeremcos.exeSynaptics.exe._cache_Synaptics.exe

pid process

3592 ._cache_VESSELS DETAILS.exe
788 Synaptics.exe
3668 remcos.exe
2104 Synaptics.exe
3092 ._cache_Synaptics.exe

pid	process
3592	._cache_VESSELS DETAILS.exe
788	Synaptics.exe
3668	remcos.exe
2104	Synaptics.exe
3092	._cache_Synaptics.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\166nhLzD.xlsm	office_macros

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

VESSELS DETAILS.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	VESSELS DETAILS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

VESSELS DETAILS.exe._cache_VESSELS DETAILS.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	VESSELS DETAILS.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	._cache_VESSELS DETAILS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	._cache_VESSELS DETAILS.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VESSELS DETAILS.exeSynaptics.exe

description	pid	process	target process
PID 3692 set thread context of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 788 set thread context of 2104	788	Synaptics.exe	Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 3 IoCs

Processes:

VESSELS DETAILS.exe._cache_VESSELS DETAILS.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	VESSELS DETAILS.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	._cache_VESSELS DETAILS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Synaptics.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

Synaptics.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1348 EXCEL.EXE

pid	process
1348	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

VESSELS DETAILS.exeSynaptics.exe

pid	process
3692	VESSELS DETAILS.exe
3692	VESSELS DETAILS.exe
3692	VESSELS DETAILS.exe
3692	VESSELS DETAILS.exe
3692	VESSELS DETAILS.exe
3692	VESSELS DETAILS.exe
788	Synaptics.exe
788	Synaptics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

remcos.exe

pid process

3668 remcos.exe

pid	process
3668	remcos.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

VESSELS DETAILS.exeSynaptics.exe

description	pid	process
Token: SeDebugPrivilege	3692	VESSELS DETAILS.exe
Token: SeDebugPrivilege	3692	VESSELS DETAILS.exe
Token: SeDebugPrivilege	788	Synaptics.exe
Token: SeDebugPrivilege	788	Synaptics.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

remcos.exeEXCEL.EXE

pid process

3668 remcos.exe
1348 EXCEL.EXE
1348 EXCEL.EXE
1348 EXCEL.EXE
1348 EXCEL.EXE
1348 EXCEL.EXE

pid	process
3668	remcos.exe
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE
1348	EXCEL.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

VESSELS DETAILS.exeVESSELS DETAILS.exe._cache_VESSELS DETAILS.exeWScript.execmd.exeSynaptics.exeSynaptics.exe

description	pid	process	target process
PID 3692 wrote to memory of 2800	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2800	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2800	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 3692 wrote to memory of 2816	3692	VESSELS DETAILS.exe	VESSELS DETAILS.exe
PID 2816 wrote to memory of 3592	2816	VESSELS DETAILS.exe	._cache_VESSELS DETAILS.exe
PID 2816 wrote to memory of 3592	2816	VESSELS DETAILS.exe	._cache_VESSELS DETAILS.exe
PID 2816 wrote to memory of 3592	2816	VESSELS DETAILS.exe	._cache_VESSELS DETAILS.exe
PID 2816 wrote to memory of 788	2816	VESSELS DETAILS.exe	Synaptics.exe
PID 2816 wrote to memory of 788	2816	VESSELS DETAILS.exe	Synaptics.exe
PID 2816 wrote to memory of 788	2816	VESSELS DETAILS.exe	Synaptics.exe
PID 3592 wrote to memory of 692	3592	._cache_VESSELS DETAILS.exe	WScript.exe
PID 3592 wrote to memory of 692	3592	._cache_VESSELS DETAILS.exe	WScript.exe
PID 3592 wrote to memory of 692	3592	._cache_VESSELS DETAILS.exe	WScript.exe
PID 692 wrote to memory of 1176	692	WScript.exe	cmd.exe
PID 692 wrote to memory of 1176	692	WScript.exe	cmd.exe
PID 692 wrote to memory of 1176	692	WScript.exe	cmd.exe
PID 1176 wrote to memory of 3668	1176	cmd.exe	remcos.exe
PID 1176 wrote to memory of 3668	1176	cmd.exe	remcos.exe
PID 1176 wrote to memory of 3668	1176	cmd.exe	remcos.exe
PID 788 wrote to memory of 2104	788	Synaptics.exe	Synaptics.exe
PID 788 wrote to memory of 2104	788	Synaptics.exe	Synaptics.exe
PID 788 wrote to memory of 2104	788	Synaptics.exe	Synaptics.exe
PID 788 wrote to memory of 2104	788	Synaptics.exe	Synaptics.exe
PID 788 wrote to memory of 2104	788	Synaptics.exe	Synaptics.exe
PID 788 wrote to memory of 2104	788	Synaptics.exe	Synaptics.exe
PID 788 wrote to memory of 2104	788	Synaptics.exe	Synaptics.exe
PID 788 wrote to memory of 2104	788	Synaptics.exe	Synaptics.exe
PID 788 wrote to memory of 2104	788	Synaptics.exe	Synaptics.exe
PID 788 wrote to memory of 2104	788	Synaptics.exe	Synaptics.exe
PID 788 wrote to memory of 2104	788	Synaptics.exe	Synaptics.exe
PID 2104 wrote to memory of 3092	2104	Synaptics.exe	._cache_Synaptics.exe
PID 2104 wrote to memory of 3092	2104	Synaptics.exe	._cache_Synaptics.exe
PID 2104 wrote to memory of 3092	2104	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\VESSELS DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\VESSELS DETAILS.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Users\Admin\AppData\Local\Temp\VESSELS DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\VESSELS DETAILS.exe"
2⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\VESSELS DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\VESSELS DETAILS.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\._cache_VESSELS DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_VESSELS DETAILS.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3668

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
5⤵
- Executes dropped EXE
PID:3092

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

System Information Discovery