remcos | 02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa

General

Target

9f7ef650ee32895e313edc085fbc29f9.exe
Size

455KB
MD5

9f7ef650ee32895e313edc085fbc29f9
SHA1

bcde3f8d90c9b0d3ad79785f77a089003260fedc
SHA256

02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa
SHA512

c79c2c31aeb6c22ede5cdfbf1c7b5428be304327b0f9ccd000f094ccbb9ec0a871bb5f5217ec7e98ea05917f6ae927a1082dd80adcc9bd0a35c26daac8de0e50

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

fieldsdegreenf.duckdns.org:6553

aaeeerbbbeee.duckdns.org:6553

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

1324 remcos.exe

pid	process
1324	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9f7ef650ee32895e313edc085fbc29f9.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	9f7ef650ee32895e313edc085fbc29f9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	9f7ef650ee32895e313edc085fbc29f9.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

remcos.exe

description pid process target process

PID 1324 set thread context of 3560 1324 remcos.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1324 set thread context of 3560	1324	remcos.exe	svchost.exe

Modifies registry class 1 IoCs

Processes:

9f7ef650ee32895e313edc085fbc29f9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	9f7ef650ee32895e313edc085fbc29f9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1324 remcos.exe

pid	process
1324	remcos.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

9f7ef650ee32895e313edc085fbc29f9.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 4008 wrote to memory of 2772	4008	9f7ef650ee32895e313edc085fbc29f9.exe	WScript.exe
PID 4008 wrote to memory of 2772	4008	9f7ef650ee32895e313edc085fbc29f9.exe	WScript.exe
PID 4008 wrote to memory of 2772	4008	9f7ef650ee32895e313edc085fbc29f9.exe	WScript.exe
PID 2772 wrote to memory of 748	2772	WScript.exe	cmd.exe
PID 2772 wrote to memory of 748	2772	WScript.exe	cmd.exe
PID 2772 wrote to memory of 748	2772	WScript.exe	cmd.exe
PID 748 wrote to memory of 1324	748	cmd.exe	remcos.exe
PID 748 wrote to memory of 1324	748	cmd.exe	remcos.exe
PID 748 wrote to memory of 1324	748	cmd.exe	remcos.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe
PID 1324 wrote to memory of 3560	1324	remcos.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\9f7ef650ee32895e313edc085fbc29f9.exe
"C:\Users\Admin\AppData\Local\Temp\9f7ef650ee32895e313edc085fbc29f9.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
PID:3560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
9f7ef650ee32895e313edc085fbc29f9

SHA1
bcde3f8d90c9b0d3ad79785f77a089003260fedc

SHA256
02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa

SHA512
c79c2c31aeb6c22ede5cdfbf1c7b5428be304327b0f9ccd000f094ccbb9ec0a871bb5f5217ec7e98ea05917f6ae927a1082dd80adcc9bd0a35c26daac8de0e50

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
9f7ef650ee32895e313edc085fbc29f9

SHA1
bcde3f8d90c9b0d3ad79785f77a089003260fedc

SHA256
02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa

SHA512
c79c2c31aeb6c22ede5cdfbf1c7b5428be304327b0f9ccd000f094ccbb9ec0a871bb5f5217ec7e98ea05917f6ae927a1082dd80adcc9bd0a35c26daac8de0e50

Download Submit
memory/748-116-0x0000000000000000-mapping.dmp

Download
memory/1324-117-0x0000000000000000-mapping.dmp

Download
memory/2772-114-0x0000000000000000-mapping.dmp

Download
memory/3560-120-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3560-121-0x000000000042EEEF-mapping.dmp

Download
memory/3560-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads