remcos | 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81

Analysis

max time kernel
149s
max time network
147s
platform
windows10_x64
resource
win10-en-20211104
submitted
03-12-2021 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe
Size

463KB
MD5

a603a8a69bbcd08f4899a605ab1c68e4
SHA1

59f7a2f88a8a3fc13f685672b72506b28ba1614e
SHA256

4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81
SHA512

367238cbdaadbfbe42e08da5596f44efb00844505b7a415a57fd3a2d969b8ca83ac4b6ab3c0a4f6c348d9fec0229baee760bb0798768325710a7e70a3f8a4612

Score

10^/10

remcos evasion rat trojan

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3460 reg.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe

pid process

2428 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe

pid	process
3460	reg.exe

pid	process
2428	4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.execmd.exe

description	pid	process	target process
PID 2428 wrote to memory of 2580	2428	4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe	cmd.exe
PID 2428 wrote to memory of 2580	2428	4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe	cmd.exe
PID 2428 wrote to memory of 2580	2428	4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe	cmd.exe
PID 2428 wrote to memory of 2688	2428	4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe	svchost.exe
PID 2428 wrote to memory of 2688	2428	4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe	svchost.exe
PID 2428 wrote to memory of 2688	2428	4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe	svchost.exe
PID 2580 wrote to memory of 3460	2580	cmd.exe	reg.exe
PID 2580 wrote to memory of 3460	2580	cmd.exe	reg.exe
PID 2580 wrote to memory of 3460	2580	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe
"C:\Users\Admin\AppData\Local\Temp\4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:3460

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
2⤵
PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2580-118-0x0000000000000000-mapping.dmp

Download
memory/3460-119-0x0000000000000000-mapping.dmp

Download