remcos | 00c6fec43721edc15cca63d3848cfa4173edffa71e601461daaf130eec32eff4

General

Target

02_MYCHI.exe
Size

128KB
MD5

75043c4082c567335c389fdd3a2d43d2
SHA1

162dab26aea594b65a4f4fc11aeb5a2b8a53021b
SHA256

00c6fec43721edc15cca63d3848cfa4173edffa71e601461daaf130eec32eff4
SHA512

919081234316e7f142e908c38d4688154ff81eef94809e24a150b9e92f733a268d91ba78d98199bad7d96e92c4b5256601f70031981283fd3c93e02e9d00f4a9

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

mychi.hopto.org:2405

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

184 remcos.exe

pid	process
184	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

02_MYCHI.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	02_MYCHI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	02_MYCHI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

02_MYCHI.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings 02_MYCHI.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

184 remcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	02_MYCHI.exe

pid	process
184	remcos.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

02_MYCHI.exeWScript.execmd.exe

description	pid	process	target process
PID 4044 wrote to memory of 3540	4044	02_MYCHI.exe	WScript.exe
PID 4044 wrote to memory of 3540	4044	02_MYCHI.exe	WScript.exe
PID 4044 wrote to memory of 3540	4044	02_MYCHI.exe	WScript.exe
PID 3540 wrote to memory of 2652	3540	WScript.exe	cmd.exe
PID 3540 wrote to memory of 2652	3540	WScript.exe	cmd.exe
PID 3540 wrote to memory of 2652	3540	WScript.exe	cmd.exe
PID 2652 wrote to memory of 184	2652	cmd.exe	remcos.exe
PID 2652 wrote to memory of 184	2652	cmd.exe	remcos.exe
PID 2652 wrote to memory of 184	2652	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\02_MYCHI.exe
"C:\Users\Admin\AppData\Local\Temp\02_MYCHI.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
75043c4082c567335c389fdd3a2d43d2

SHA1
162dab26aea594b65a4f4fc11aeb5a2b8a53021b

SHA256
00c6fec43721edc15cca63d3848cfa4173edffa71e601461daaf130eec32eff4

SHA512
919081234316e7f142e908c38d4688154ff81eef94809e24a150b9e92f733a268d91ba78d98199bad7d96e92c4b5256601f70031981283fd3c93e02e9d00f4a9

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
75043c4082c567335c389fdd3a2d43d2

SHA1
162dab26aea594b65a4f4fc11aeb5a2b8a53021b

SHA256
00c6fec43721edc15cca63d3848cfa4173edffa71e601461daaf130eec32eff4

SHA512
919081234316e7f142e908c38d4688154ff81eef94809e24a150b9e92f733a268d91ba78d98199bad7d96e92c4b5256601f70031981283fd3c93e02e9d00f4a9

Download Submit
memory/184-117-0x0000000000000000-mapping.dmp

Download
memory/2652-116-0x0000000000000000-mapping.dmp

Download
memory/3540-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing