remcos | 58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80

General

Target

58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
Size

1.2MB
MD5

9509104c2389315af9357e4ce52242a0
SHA1

d9b308391ba881f5c2ebb68561ae857c4e11d398
SHA256

58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80
SHA512

b3fb4b65397c5c2e14a1310a8d78daebc9b52b33498c9ce4eb4aad0bbf5630854501c8f82e0729dea94bd8f42f1405a92195849da03da6f80ece50ea53e4f38c
SSDEEP

24576:YM+L74mBfNUstzofl/A2LlwzCExB290oFx5PdKHFMH6bjx8alzD03r8JN:3/AaluB2BUHFMabjSq0I

Score

10^/10

remcos eric-host persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Eric-Host

C2

craigjonson91211.freedynamicdns.net:2011

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
wee.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-TJGIFV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
qos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

wee.exewee.exe

pid process

4512 wee.exe
4920 wee.exe

pid	process
4512	wee.exe
4920	wee.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exewee.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	wee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	wee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	wee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	wee.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exewee.exe

description	pid	process	target process
PID 2300 set thread context of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 4512 set thread context of 4920	4512	wee.exe	wee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wee.exe

pid process

4920 wee.exe

pid	process
4920	wee.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exeWScript.execmd.exewee.exe

description	pid	process	target process
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 2300 wrote to memory of 1144	2300	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
PID 1144 wrote to memory of 4688	1144	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	WScript.exe
PID 1144 wrote to memory of 4688	1144	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	WScript.exe
PID 1144 wrote to memory of 4688	1144	58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe	WScript.exe
PID 4688 wrote to memory of 4324	4688	WScript.exe	cmd.exe
PID 4688 wrote to memory of 4324	4688	WScript.exe	cmd.exe
PID 4688 wrote to memory of 4324	4688	WScript.exe	cmd.exe
PID 4324 wrote to memory of 4512	4324	cmd.exe	wee.exe
PID 4324 wrote to memory of 4512	4324	cmd.exe	wee.exe
PID 4324 wrote to memory of 4512	4324	cmd.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe
PID 4512 wrote to memory of 4920	4512	wee.exe	wee.exe

C:\Users\Admin\AppData\Local\Temp\58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
"C:\Users\Admin\AppData\Local\Temp\58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe
"C:\Users\Admin\AppData\Local\Temp\58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\wee.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Roaming\wee.exe
C:\Users\Admin\AppData\Roaming\wee.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Roaming\wee.exe
"C:\Users\Admin\AppData\Roaming\wee.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
398B

MD5
f1536fc12b615b3b046757ce09cc2b41

SHA1
c67cacdb7dd2a1aa58ec9d2f554a831935fea0a2

SHA256
c03a7b60b1a4a6d06dbe6d1fc3444f68a64e1b9e48e1967b60003b0b02c78502

SHA512
39d0bfce41381099628b3d7f184c0aa49a98a9eef90da3b4be953530f3115bb4b72f871c6cf5026cce8d760b088865b63bbab3d8911d3e4513855712a3062207

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe

Filesize
1.2MB

MD5
9509104c2389315af9357e4ce52242a0

SHA1
d9b308391ba881f5c2ebb68561ae857c4e11d398

SHA256
58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80

SHA512
b3fb4b65397c5c2e14a1310a8d78daebc9b52b33498c9ce4eb4aad0bbf5630854501c8f82e0729dea94bd8f42f1405a92195849da03da6f80ece50ea53e4f38c

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe

Filesize
1.2MB

MD5
9509104c2389315af9357e4ce52242a0

SHA1
d9b308391ba881f5c2ebb68561ae857c4e11d398

SHA256
58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80

SHA512
b3fb4b65397c5c2e14a1310a8d78daebc9b52b33498c9ce4eb4aad0bbf5630854501c8f82e0729dea94bd8f42f1405a92195849da03da6f80ece50ea53e4f38c

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe

Filesize
1.2MB

MD5
9509104c2389315af9357e4ce52242a0

SHA1
d9b308391ba881f5c2ebb68561ae857c4e11d398

SHA256
58c07a9579110d38370f1050906a397ce8692681b20083f335d2f122bc570b80

SHA512
b3fb4b65397c5c2e14a1310a8d78daebc9b52b33498c9ce4eb4aad0bbf5630854501c8f82e0729dea94bd8f42f1405a92195849da03da6f80ece50ea53e4f38c

Download Submit
memory/1144-137-0x0000000000000000-mapping.dmp

Download
memory/1144-138-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1144-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1144-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1144-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1144-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2300-135-0x0000000005A60000-0x0000000005A6A000-memory.dmp

Filesize
40KB

Download
memory/2300-133-0x0000000006040000-0x00000000065E4000-memory.dmp

Filesize
5.6MB

Download
memory/2300-136-0x0000000008680000-0x000000000871C000-memory.dmp

Filesize
624KB

Download
memory/2300-132-0x0000000000F70000-0x00000000010A2000-memory.dmp

Filesize
1.2MB

Download
memory/2300-134-0x0000000005A90000-0x0000000005B22000-memory.dmp

Filesize
584KB

Download
memory/4324-145-0x0000000000000000-mapping.dmp

Download
memory/4512-146-0x0000000000000000-mapping.dmp

Download
memory/4688-142-0x0000000000000000-mapping.dmp

Download
memory/4920-149-0x0000000000000000-mapping.dmp

Download
memory/4920-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4920-153-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4920-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4920-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads