remcos | 3a2b6b7cd1cec006f28a7e4d69c14273a7b3de368c273840ea5c6f2b9d62e50d

General

Target

Purchase Order.exe
Size

246KB
MD5

b48b71d44037bf1e07d0284b8611f9e6
SHA1

9ca3d67a31c738c779cea681020bb27e3f25d829
SHA256

3a2b6b7cd1cec006f28a7e4d69c14273a7b3de368c273840ea5c6f2b9d62e50d
SHA512

565340c000f208450e5287cc0ccb04b51459d198765da4484e96ecb6f3af902b525e75d4b3383b93ca0f11154d50e8d7ade8715a7976daebacdf871f8c3df993

Score

10^/10

remcos host persistence rat suricata

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

dera33.ddns.net:1186

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
ddrw.exe
copy_folder
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_xvhyzfmlwvsqhfc
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
win
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
suricata: ET MALWARE Remcos RAT Checkin 23
suricata: ET MALWARE Remcos RAT Checkin 23
suricata
Executes dropped EXE 2 IoCs

Processes:

ddrw.exeddrw.exe

pid process

1836 ddrw.exe
828 ddrw.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1400 cmd.exe

pid	process
1836	ddrw.exe
828	ddrw.exe

pid	process
1400	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Purchase Order.exeddrw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Purchase Order.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\ddrw.exe\""	Purchase Order.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ddrw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\ddrw.exe\""	ddrw.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Purchase Order.exeddrw.exe

description	pid	process	target process
PID 584 set thread context of 1496	584	Purchase Order.exe	Purchase Order.exe
PID 1836 set thread context of 828	1836	ddrw.exe	ddrw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

392 PING.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ddrw.exe

pid process

828 ddrw.exe

pid	process
392	PING.EXE

pid	process
828	ddrw.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Purchase Order.exePurchase Order.execmd.exeddrw.exe

description	pid	process	target process
PID 584 wrote to memory of 1496	584	Purchase Order.exe	Purchase Order.exe
PID 584 wrote to memory of 1496	584	Purchase Order.exe	Purchase Order.exe
PID 584 wrote to memory of 1496	584	Purchase Order.exe	Purchase Order.exe
PID 584 wrote to memory of 1496	584	Purchase Order.exe	Purchase Order.exe
PID 584 wrote to memory of 1496	584	Purchase Order.exe	Purchase Order.exe
PID 584 wrote to memory of 1496	584	Purchase Order.exe	Purchase Order.exe
PID 584 wrote to memory of 1496	584	Purchase Order.exe	Purchase Order.exe
PID 584 wrote to memory of 1496	584	Purchase Order.exe	Purchase Order.exe
PID 584 wrote to memory of 1496	584	Purchase Order.exe	Purchase Order.exe
PID 584 wrote to memory of 1496	584	Purchase Order.exe	Purchase Order.exe
PID 1496 wrote to memory of 1400	1496	Purchase Order.exe	cmd.exe
PID 1496 wrote to memory of 1400	1496	Purchase Order.exe	cmd.exe
PID 1496 wrote to memory of 1400	1496	Purchase Order.exe	cmd.exe
PID 1496 wrote to memory of 1400	1496	Purchase Order.exe	cmd.exe
PID 1496 wrote to memory of 1400	1496	Purchase Order.exe	cmd.exe
PID 1496 wrote to memory of 1400	1496	Purchase Order.exe	cmd.exe
PID 1496 wrote to memory of 1400	1496	Purchase Order.exe	cmd.exe
PID 1400 wrote to memory of 392	1400	cmd.exe	PING.EXE
PID 1400 wrote to memory of 392	1400	cmd.exe	PING.EXE
PID 1400 wrote to memory of 392	1400	cmd.exe	PING.EXE
PID 1400 wrote to memory of 392	1400	cmd.exe	PING.EXE
PID 1400 wrote to memory of 1836	1400	cmd.exe	ddrw.exe
PID 1400 wrote to memory of 1836	1400	cmd.exe	ddrw.exe
PID 1400 wrote to memory of 1836	1400	cmd.exe	ddrw.exe
PID 1400 wrote to memory of 1836	1400	cmd.exe	ddrw.exe
PID 1836 wrote to memory of 828	1836	ddrw.exe	ddrw.exe
PID 1836 wrote to memory of 828	1836	ddrw.exe	ddrw.exe
PID 1836 wrote to memory of 828	1836	ddrw.exe	ddrw.exe
PID 1836 wrote to memory of 828	1836	ddrw.exe	ddrw.exe
PID 1836 wrote to memory of 828	1836	ddrw.exe	ddrw.exe
PID 1836 wrote to memory of 828	1836	ddrw.exe	ddrw.exe
PID 1836 wrote to memory of 828	1836	ddrw.exe	ddrw.exe
PID 1836 wrote to memory of 828	1836	ddrw.exe	ddrw.exe
PID 1836 wrote to memory of 828	1836	ddrw.exe	ddrw.exe
PID 1836 wrote to memory of 828	1836	ddrw.exe	ddrw.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:392

C:\Users\Admin\AppData\Roaming\ddrw.exe
"C:\Users\Admin\AppData\Roaming\ddrw.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Roaming\ddrw.exe
"C:\Users\Admin\AppData\Roaming\ddrw.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat
MD5
9ed7a03e913f6f5e76f26038f927563f

SHA1
7e6c10fb0db740025dcbc924483ac160820cbd65

SHA256
f648984d4a5fc9f0190dd1bc01ea298d8b38da04ae618529deeb143829d8e46f

SHA512
ea627db68accb37a0b6facc9f3db6e6471b394d65db2297adecf0da4b1e300a505fe021cd81e6a705cd8e9aebfb4f01140fca5f7dfadf6207e35aa0911bce442

Download Submit
C:\Users\Admin\AppData\Roaming\ddrw.exe
MD5
b48b71d44037bf1e07d0284b8611f9e6

SHA1
9ca3d67a31c738c779cea681020bb27e3f25d829

SHA256
3a2b6b7cd1cec006f28a7e4d69c14273a7b3de368c273840ea5c6f2b9d62e50d

SHA512
565340c000f208450e5287cc0ccb04b51459d198765da4484e96ecb6f3af902b525e75d4b3383b93ca0f11154d50e8d7ade8715a7976daebacdf871f8c3df993

Download Submit
C:\Users\Admin\AppData\Roaming\ddrw.exe
MD5
b48b71d44037bf1e07d0284b8611f9e6

SHA1
9ca3d67a31c738c779cea681020bb27e3f25d829

SHA256
3a2b6b7cd1cec006f28a7e4d69c14273a7b3de368c273840ea5c6f2b9d62e50d

SHA512
565340c000f208450e5287cc0ccb04b51459d198765da4484e96ecb6f3af902b525e75d4b3383b93ca0f11154d50e8d7ade8715a7976daebacdf871f8c3df993

Download Submit
C:\Users\Admin\AppData\Roaming\ddrw.exe
MD5
b48b71d44037bf1e07d0284b8611f9e6

SHA1
9ca3d67a31c738c779cea681020bb27e3f25d829

SHA256
3a2b6b7cd1cec006f28a7e4d69c14273a7b3de368c273840ea5c6f2b9d62e50d

SHA512
565340c000f208450e5287cc0ccb04b51459d198765da4484e96ecb6f3af902b525e75d4b3383b93ca0f11154d50e8d7ade8715a7976daebacdf871f8c3df993

Download Submit
\Users\Admin\AppData\Roaming\ddrw.exe
MD5
b48b71d44037bf1e07d0284b8611f9e6

SHA1
9ca3d67a31c738c779cea681020bb27e3f25d829

SHA256
3a2b6b7cd1cec006f28a7e4d69c14273a7b3de368c273840ea5c6f2b9d62e50d

SHA512
565340c000f208450e5287cc0ccb04b51459d198765da4484e96ecb6f3af902b525e75d4b3383b93ca0f11154d50e8d7ade8715a7976daebacdf871f8c3df993

Download Submit
memory/392-69-0x0000000000000000-mapping.dmp

Download
memory/584-58-0x00000000020A0000-0x00000000020D9000-memory.dmp

Filesize
228KB

Download
memory/584-54-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/584-57-0x0000000000680000-0x0000000000687000-memory.dmp

Filesize
28KB

Download
memory/584-56-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/828-86-0x000000000040FD88-mapping.dmp

Download
memory/828-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1400-67-0x0000000000000000-mapping.dmp

Download
memory/1496-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-66-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/1496-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-65-0x000000000040FD88-mapping.dmp

Download
memory/1496-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1496-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1836-73-0x0000000000000000-mapping.dmp

Download
memory/1836-75-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1836-78-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads