remcos | a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326

General

Target

a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
Size

1.7MB
MD5

69f365c756d787c45d5ed4ae949935c1
SHA1

2ba8ec5f5843c913e615074d448b7d69db5bc544
SHA256

a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326
SHA512

cce2ad1b1b6abdf89f77e0c5f1e95a6f6ee1c9828e30d04ad76b0e6d1079fecfc9a8b6e3192d8cb21dfcd733507f5351fc7fd8d1a4a8a1195e69126231d27360
SSDEEP

12288:TdnjonvnID+9fGS7msccqr+NEiTMnWZQzjFeM6DJOjB9sTTHy9GKuVUTXuujLYM6:UOsMhaonYQb6VOZDTj5SnW0

Score

10^/10

remcos 10052022 persistence rat

Malware Config

Extracted

Family

remcos

Botnet

10052022

C2

nikahuve.ac.ug:6969

kalskala.ac.ug:6969

tuekisaa.ac.ug:6969

parthaha.ac.ug:6969

37.0.14.204:6969

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
vbaxs.dat
keylog_flag
false
keylog_folder
fsscbas
keylog_path
%AppData%
mouse_option
false
mutex
ascxsercvghfgsdmhj-SZVH2S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wxcmftx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Qkupijcyf\\Wxcmftx.exe\""	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe

description	pid	process	target process
PID 1208 set thread context of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exepowershell.exe

pid	process
1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
2356	powershell.exe
2356	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
Token: SeDebugPrivilege	2356	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe

pid process

2244 a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe

pid	process
2244	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe

C:\Users\Admin\AppData\Local\Temp\a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
"C:\Users\Admin\AppData\Local\Temp\a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Users\Admin\AppData\Local\Temp\a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
C:\Users\Admin\AppData\Local\Temp\a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-133-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/1208-132-0x0000000000290000-0x0000000000452000-memory.dmp

Filesize
1.8MB

Download
memory/2244-150-0x0000000000000000-mapping.dmp

Download
memory/2244-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2244-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2244-153-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2244-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2244-151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2356-138-0x0000000005310000-0x0000000005376000-memory.dmp

Filesize
408KB

Download
memory/2356-147-0x0000000007730000-0x000000000773E000-memory.dmp

Filesize
56KB

Download
memory/2356-142-0x0000000007250000-0x0000000007282000-memory.dmp

Filesize
200KB

Download
memory/2356-143-0x0000000070400000-0x000000007044C000-memory.dmp

Filesize
304KB

Download
memory/2356-144-0x0000000007230000-0x000000000724E000-memory.dmp

Filesize
120KB

Download
memory/2356-145-0x0000000007580000-0x000000000758A000-memory.dmp

Filesize
40KB

Download
memory/2356-146-0x0000000007790000-0x0000000007826000-memory.dmp

Filesize
600KB

Download
memory/2356-141-0x0000000006700000-0x000000000671A000-memory.dmp

Filesize
104KB

Download
memory/2356-148-0x0000000007ED0000-0x0000000007EEA000-memory.dmp

Filesize
104KB

Download
memory/2356-149-0x0000000007780000-0x0000000007788000-memory.dmp

Filesize
32KB

Download
memory/2356-140-0x0000000007850000-0x0000000007ECA000-memory.dmp

Filesize
6.5MB

Download
memory/2356-139-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/2356-137-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/2356-136-0x0000000005430000-0x0000000005A58000-memory.dmp

Filesize
6.2MB

Download
memory/2356-135-0x0000000002C30000-0x0000000002C66000-memory.dmp

Filesize
216KB

Download
memory/2356-134-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1208 wrote to memory of 2356	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	powershell.exe
PID 1208 wrote to memory of 2356	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	powershell.exe
PID 1208 wrote to memory of 2356	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	powershell.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe
PID 1208 wrote to memory of 2244	1208	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe	a8a71fbda1363a5be18d319d6242b89371ed61007c4bce03118616ed6f261326.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads