remcos | 52b98cca3167f7f97a7ae7729aeddee0b2280a18841d692697bd6dea415f3abe

General

Target

SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
Size

1.7MB
MD5

99e166082b19603ff6c4cbebd2641813
SHA1

407f1729ca0abe94a3202789522807683dfe57aa
SHA256

52b98cca3167f7f97a7ae7729aeddee0b2280a18841d692697bd6dea415f3abe
SHA512

77a55185038a2070b0b6b72248ec199afa3fc0f2c4b5f649fe46db3647683d6ced86b3071c88719c07a77cb269fb1ffdc72fc7ac37cdcaa472c249a3fb5d7b0f

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu:2024

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

win.exewin.exe

pid process

3108 win.exe
2424 win.exe

pid	process
3108	win.exe
2424	win.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exewin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	win.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	win.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exewin.exe

pid	process
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
3108	win.exe
3108	win.exe
3108	win.exe
3108	win.exe
3108	win.exe
3108	win.exe
3108	win.exe
3108	win.exe
3108	win.exe
3108	win.exe
3108	win.exe
3108	win.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exewin.exe

description	pid	process	target process
PID 4024 set thread context of 2284	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
PID 3108 set thread context of 2424	3108	win.exe	win.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2844 4024 WerFault.exe SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
3172 3108 WerFault.exe win.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1732 timeout.exe
2160 timeout.exe

pid	pid_target	process	target process
2844	4024	WerFault.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
3172	3108	WerFault.exe	win.exe

pid	process
1732	timeout.exe
2160	timeout.exe

Modifies registry class 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exeWerFault.exewin.exeWerFault.exe

pid	process
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
3108	win.exe
3108	win.exe
3108	win.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe
3172	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

win.exe

pid process

2424 win.exe

pid	process
2424	win.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exeWerFault.exewin.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
Token: SeRestorePrivilege	2844	WerFault.exe
Token: SeBackupPrivilege	2844	WerFault.exe
Token: SeDebugPrivilege	2844	WerFault.exe
Token: SeDebugPrivilege	3108	win.exe
Token: SeDebugPrivilege	3172	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

win.exe

pid process

2424 win.exe

pid	process
2424	win.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.execmd.exeSecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exeWScript.execmd.exewin.execmd.exe

description	pid	process	target process
PID 4024 wrote to memory of 1460	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	cmd.exe
PID 4024 wrote to memory of 1460	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	cmd.exe
PID 4024 wrote to memory of 1460	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	cmd.exe
PID 1460 wrote to memory of 1732	1460	cmd.exe	timeout.exe
PID 1460 wrote to memory of 1732	1460	cmd.exe	timeout.exe
PID 1460 wrote to memory of 1732	1460	cmd.exe	timeout.exe
PID 4024 wrote to memory of 2284	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
PID 4024 wrote to memory of 2284	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
PID 4024 wrote to memory of 2284	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
PID 4024 wrote to memory of 2284	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
PID 4024 wrote to memory of 2284	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
PID 4024 wrote to memory of 2284	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
PID 4024 wrote to memory of 2284	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
PID 4024 wrote to memory of 2284	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
PID 4024 wrote to memory of 2284	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
PID 4024 wrote to memory of 2284	4024	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
PID 2284 wrote to memory of 2984	2284	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	WScript.exe
PID 2284 wrote to memory of 2984	2284	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	WScript.exe
PID 2284 wrote to memory of 2984	2284	SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe	WScript.exe
PID 2984 wrote to memory of 204	2984	WScript.exe	cmd.exe
PID 2984 wrote to memory of 204	2984	WScript.exe	cmd.exe
PID 2984 wrote to memory of 204	2984	WScript.exe	cmd.exe
PID 204 wrote to memory of 3108	204	cmd.exe	win.exe
PID 204 wrote to memory of 3108	204	cmd.exe	win.exe
PID 204 wrote to memory of 3108	204	cmd.exe	win.exe
PID 3108 wrote to memory of 1732	3108	win.exe	cmd.exe
PID 3108 wrote to memory of 1732	3108	win.exe	cmd.exe
PID 3108 wrote to memory of 1732	3108	win.exe	cmd.exe
PID 1732 wrote to memory of 2160	1732	cmd.exe	timeout.exe
PID 1732 wrote to memory of 2160	1732	cmd.exe	timeout.exe
PID 1732 wrote to memory of 2160	1732	cmd.exe	timeout.exe
PID 3108 wrote to memory of 2424	3108	win.exe	win.exe
PID 3108 wrote to memory of 2424	3108	win.exe	win.exe
PID 3108 wrote to memory of 2424	3108	win.exe	win.exe
PID 3108 wrote to memory of 2424	3108	win.exe	win.exe
PID 3108 wrote to memory of 2424	3108	win.exe	win.exe
PID 3108 wrote to memory of 2424	3108	win.exe	win.exe
PID 3108 wrote to memory of 2424	3108	win.exe	win.exe
PID 3108 wrote to memory of 2424	3108	win.exe	win.exe
PID 3108 wrote to memory of 2424	3108	win.exe	win.exe
PID 3108 wrote to memory of 2424	3108	win.exe	win.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1732

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.703.21955.2754.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\win.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\Users\Admin\AppData\Roaming\win.exe
C:\Users\Admin\AppData\Roaming\win.exe
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:2160

C:\Users\Admin\AppData\Roaming\win.exe
"C:\Users\Admin\AppData\Roaming\win.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1492
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1528
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
4a74e626596d6e66b4bbc59ee6848f2d

SHA1
047849ac8735ecc0943428c7cd5e00b52eee06ed

SHA256
98bd6dc219a7a3e04d3d67bbec9f0b4d4640831a3a6be0a0078b050041088b0e

SHA512
1cd943482d0f1ce2ffaf6ee4a82895e4d57c52051bb14bbda0548cf072b4c5cbe719d2cdb549b5ae7c0241dd9c68dd9d1674acd26aed684b8145500079cc5403

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
99e166082b19603ff6c4cbebd2641813

SHA1
407f1729ca0abe94a3202789522807683dfe57aa

SHA256
52b98cca3167f7f97a7ae7729aeddee0b2280a18841d692697bd6dea415f3abe

SHA512
77a55185038a2070b0b6b72248ec199afa3fc0f2c4b5f649fe46db3647683d6ced86b3071c88719c07a77cb269fb1ffdc72fc7ac37cdcaa472c249a3fb5d7b0f

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
99e166082b19603ff6c4cbebd2641813

SHA1
407f1729ca0abe94a3202789522807683dfe57aa

SHA256
52b98cca3167f7f97a7ae7729aeddee0b2280a18841d692697bd6dea415f3abe

SHA512
77a55185038a2070b0b6b72248ec199afa3fc0f2c4b5f649fe46db3647683d6ced86b3071c88719c07a77cb269fb1ffdc72fc7ac37cdcaa472c249a3fb5d7b0f

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
99e166082b19603ff6c4cbebd2641813

SHA1
407f1729ca0abe94a3202789522807683dfe57aa

SHA256
52b98cca3167f7f97a7ae7729aeddee0b2280a18841d692697bd6dea415f3abe

SHA512
77a55185038a2070b0b6b72248ec199afa3fc0f2c4b5f649fe46db3647683d6ced86b3071c88719c07a77cb269fb1ffdc72fc7ac37cdcaa472c249a3fb5d7b0f

Download Submit
memory/204-129-0x0000000000000000-mapping.dmp

Download
memory/1460-122-0x0000000000000000-mapping.dmp

Download
memory/1732-140-0x0000000000000000-mapping.dmp

Download
memory/1732-123-0x0000000000000000-mapping.dmp

Download
memory/2160-141-0x0000000000000000-mapping.dmp

Download
memory/2284-124-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2284-125-0x0000000000413FA4-mapping.dmp

Download
memory/2284-128-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2424-146-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2424-144-0x0000000000413FA4-mapping.dmp

Download
memory/2984-126-0x0000000000000000-mapping.dmp

Download
memory/3108-130-0x0000000000000000-mapping.dmp

Download
memory/3108-142-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/4024-118-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/4024-117-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4024-114-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4024-119-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Filesize
248KB

Download
memory/4024-120-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/4024-116-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/4024-121-0x0000000005400000-0x00000000058FE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads