remcos | 699ea201d2965d9515e01f981ab4006fd383ab17fd2f6996cc937f974dce39b2

General

Target

No. 024OPSCON-INVIII2021.js
Size

242KB
MD5

fc4340a7585070731daaf1f696a0f436
SHA1

8ad08a853156911c793861a4ac9f6d3636ced06f
SHA256

699ea201d2965d9515e01f981ab4006fd383ab17fd2f6996cc937f974dce39b2
SHA512

e2ffb8cfb65a0ff4c0418069490a4ee0dbddb8ac585fc1f340bd4ba61ba17b9b8b53ea0693381801953391326846e52f3d287b5d1bc66fbd1a56921b6cb412e4

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

umuchu.hopto.org:2405

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

RODS.exeremcos.exe

pid process

1064 RODS.exe
752 remcos.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

108 cmd.exe
108 cmd.exe

pid	process
1064	RODS.exe
752	remcos.exe

pid	process
108	cmd.exe
108	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RODS.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	RODS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	RODS.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

752 remcos.exe

pid	process
752	remcos.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

wscript.exeRODS.exeWScript.execmd.exe

description	pid	process	target process
PID 1092 wrote to memory of 1064	1092	wscript.exe	RODS.exe
PID 1092 wrote to memory of 1064	1092	wscript.exe	RODS.exe
PID 1092 wrote to memory of 1064	1092	wscript.exe	RODS.exe
PID 1092 wrote to memory of 1064	1092	wscript.exe	RODS.exe
PID 1064 wrote to memory of 1948	1064	RODS.exe	WScript.exe
PID 1064 wrote to memory of 1948	1064	RODS.exe	WScript.exe
PID 1064 wrote to memory of 1948	1064	RODS.exe	WScript.exe
PID 1064 wrote to memory of 1948	1064	RODS.exe	WScript.exe
PID 1948 wrote to memory of 108	1948	WScript.exe	cmd.exe
PID 1948 wrote to memory of 108	1948	WScript.exe	cmd.exe
PID 1948 wrote to memory of 108	1948	WScript.exe	cmd.exe
PID 1948 wrote to memory of 108	1948	WScript.exe	cmd.exe
PID 108 wrote to memory of 752	108	cmd.exe	remcos.exe
PID 108 wrote to memory of 752	108	cmd.exe	remcos.exe
PID 108 wrote to memory of 752	108	cmd.exe	remcos.exe
PID 108 wrote to memory of 752	108	cmd.exe	remcos.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\No. 024OPSCON-INVIII2021.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\RODS.exe
"C:\Users\Admin\AppData\Local\Temp\RODS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RODS.exe
MD5
2de4e35c8603c78b4814fdf39852e620

SHA1
5ea9c317553aa760ef396dbf51a8a1f3c6969ecb

SHA256
35f55fc5c08da65988fef28e13d4662769fdf47bd5c66add346cf1c56aa6f275

SHA512
2b3e603b6124daad69733d3d1169866eaec6e1fae83983ae4a8d9bfd5d84bc114446b9b14a63b85a87506912709cd5f37fdbe29e77ffe9a8d5038b053ab6dc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RODS.exe
MD5
2de4e35c8603c78b4814fdf39852e620

SHA1
5ea9c317553aa760ef396dbf51a8a1f3c6969ecb

SHA256
35f55fc5c08da65988fef28e13d4662769fdf47bd5c66add346cf1c56aa6f275

SHA512
2b3e603b6124daad69733d3d1169866eaec6e1fae83983ae4a8d9bfd5d84bc114446b9b14a63b85a87506912709cd5f37fdbe29e77ffe9a8d5038b053ab6dc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
2de4e35c8603c78b4814fdf39852e620

SHA1
5ea9c317553aa760ef396dbf51a8a1f3c6969ecb

SHA256
35f55fc5c08da65988fef28e13d4662769fdf47bd5c66add346cf1c56aa6f275

SHA512
2b3e603b6124daad69733d3d1169866eaec6e1fae83983ae4a8d9bfd5d84bc114446b9b14a63b85a87506912709cd5f37fdbe29e77ffe9a8d5038b053ab6dc9e

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
2de4e35c8603c78b4814fdf39852e620

SHA1
5ea9c317553aa760ef396dbf51a8a1f3c6969ecb

SHA256
35f55fc5c08da65988fef28e13d4662769fdf47bd5c66add346cf1c56aa6f275

SHA512
2b3e603b6124daad69733d3d1169866eaec6e1fae83983ae4a8d9bfd5d84bc114446b9b14a63b85a87506912709cd5f37fdbe29e77ffe9a8d5038b053ab6dc9e

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
2de4e35c8603c78b4814fdf39852e620

SHA1
5ea9c317553aa760ef396dbf51a8a1f3c6969ecb

SHA256
35f55fc5c08da65988fef28e13d4662769fdf47bd5c66add346cf1c56aa6f275

SHA512
2b3e603b6124daad69733d3d1169866eaec6e1fae83983ae4a8d9bfd5d84bc114446b9b14a63b85a87506912709cd5f37fdbe29e77ffe9a8d5038b053ab6dc9e

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
2de4e35c8603c78b4814fdf39852e620

SHA1
5ea9c317553aa760ef396dbf51a8a1f3c6969ecb

SHA256
35f55fc5c08da65988fef28e13d4662769fdf47bd5c66add346cf1c56aa6f275

SHA512
2b3e603b6124daad69733d3d1169866eaec6e1fae83983ae4a8d9bfd5d84bc114446b9b14a63b85a87506912709cd5f37fdbe29e77ffe9a8d5038b053ab6dc9e

Download Submit
memory/108-67-0x0000000000000000-mapping.dmp

Download
memory/752-71-0x0000000000000000-mapping.dmp

Download
memory/1064-60-0x0000000000000000-mapping.dmp

Download
memory/1064-62-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/1948-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing