remcos | bdf02d5f6252b594bc27d0b8628e1b60f614533d32b63bb3848ad136b57d3cfd

General

Target

ORDER EM067022.exe
Size

6KB
MD5

6fa8af45a1f5ab2bed6933e1b982f7f1
SHA1

ddbaeb9e823b4af615cfa87212eb1171969f1d4f
SHA256

6454523a7bb0aec9d2c66c43447ea65bfe8cff6659b4b4fea26d8919571de430
SHA512

60d7d7fd0969294aa59a8817c544f14228e1437a750300165e4c248d36c51dd1cca2f4e6d4e5cb650ead4439c4171f5e1579fdc7f0a78890501e044e70b4e417
SSDEEP

96:B2EzDjDPd6GhLee9xHdAaG3xWclF1utdbyzNt:B1PdRLxz9AaG3MclF1ur0

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.111.234.110:5888

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DEOEQR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Fdrwnq\\Vspuz.exe\","	ORDER EM067022.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 364	1480	ORDER EM067022.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2036	powershell.exe
1480	ORDER EM067022.exe
1480	ORDER EM067022.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	ORDER EM067022.exe
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2036	1480	ORDER EM067022.exe	27
PID 1480 wrote to memory of 2036	1480	ORDER EM067022.exe	27
PID 1480 wrote to memory of 2036	1480	ORDER EM067022.exe	27
PID 1480 wrote to memory of 2036	1480	ORDER EM067022.exe	27
PID 1480 wrote to memory of 848	1480	ORDER EM067022.exe	30
PID 1480 wrote to memory of 848	1480	ORDER EM067022.exe	30
PID 1480 wrote to memory of 848	1480	ORDER EM067022.exe	30
PID 1480 wrote to memory of 848	1480	ORDER EM067022.exe	30
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31
PID 1480 wrote to memory of 364	1480	ORDER EM067022.exe	31

C:\Users\Admin\AppData\Local\Temp\ORDER EM067022.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER EM067022.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\ORDER EM067022.exe
  "C:\Users\Admin\AppData\Local\Temp\ORDER EM067022.exe"
  2⤵
  PID:848
- C:\Users\Admin\AppData\Local\Temp\ORDER EM067022.exe
  "C:\Users\Admin\AppData\Local\Temp\ORDER EM067022.exe"
  2⤵
  PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/364-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/364-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/364-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/364-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/364-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/364-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/364-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/364-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/364-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/364-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/364-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1480-55-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1480-54-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/1480-57-0x0000000000920000-0x00000000009B2000-memory.dmp

Filesize
584KB

Download
memory/1480-56-0x00000000088E0000-0x00000000089C8000-memory.dmp

Filesize
928KB

Download
memory/2036-61-0x000000006F140000-0x000000006F6EB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-60-0x000000006F140000-0x000000006F6EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing