remcos | 0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9

General

Target

0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
Size

994KB
MD5

e7fb36c4654d8db22d0daf11792b1e10
SHA1

1434f15e02b240ee6e08d53ea65548d10d4b97d7
SHA256

0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9
SHA512

21adf2de5c91bf9cfa6ec2eb8c1e2ffbba362c24cfeb23d5e29213f5537457e7f94a697214c5059597b2a51f0257c39cdc9d49344c0e12a5012f730f8a1b7150

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

rem-pounds.ddns.net:9970

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

Processes:

0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WMPDMC.lnk	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

description	pid	process	target process
PID 2112 set thread context of 3964	2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

pid	process
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

pid process

3964 0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

pid	process
3964	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

pid	process
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

pid	process
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

description	pid	process	target process
PID 2112 wrote to memory of 3964	2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
PID 2112 wrote to memory of 3964	2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
PID 2112 wrote to memory of 3964	2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
PID 2112 wrote to memory of 3964	2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
PID 2112 wrote to memory of 3964	2112	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe	0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe

C:\Users\Admin\AppData\Local\Temp\0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
"C:\Users\Admin\AppData\Local\Temp\0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe
"C:\Users\Admin\AppData\Local\Temp\0067d9cf4d9131ab11d22ddf62e2aeccd4a8742d216cbc28af7da09739db87f9.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2112-122-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/3964-114-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3964-120-0x00000000004139A4-mapping.dmp

Download
memory/3964-121-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads