remcos | 2d3030fd5b7664be15fc730d2e6ecaf0a0df5a28ee2aad28cd6b989b64c8e262

General

Target

86e8bfaeaff4ba2706de162b159d6052.exe
Size

1.1MB
MD5

86e8bfaeaff4ba2706de162b159d6052
SHA1

28b240580810cf142440558c073118f5a7cb6cc1
SHA256

2d3030fd5b7664be15fc730d2e6ecaf0a0df5a28ee2aad28cd6b989b64c8e262
SHA512

40e3a05a63efb06bb8628f03be726ff18055bf9cfe44b35f6c95bd69816c11c0ace421dbbc3ccf57159edc78ae9f7173391815fde7b20d333a53162076e3f2e3
SSDEEP

24576:YAFBkPPpLnSrpcMiU7e0zJO4w1Uk3PeLAwhrbhP:vFyhnypZtJ5w1XYhhf

Score

10^/10

remcos awele persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Awele

C2

gdyhjjdhbvxgsfe.gotdns.ch:2718

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
qoc.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-LLTFOH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
mix
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

qoc.exeqoc.exe

pid process

4216 qoc.exe
3008 qoc.exe

pid	process
4216	qoc.exe
3008	qoc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

86e8bfaeaff4ba2706de162b159d6052.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	86e8bfaeaff4ba2706de162b159d6052.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

86e8bfaeaff4ba2706de162b159d6052.exeqoc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	86e8bfaeaff4ba2706de162b159d6052.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mix = "\"C:\\Users\\Admin\\AppData\\Roaming\\qoc.exe\""	86e8bfaeaff4ba2706de162b159d6052.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mix = "\"C:\\Users\\Admin\\AppData\\Roaming\\qoc.exe\""	qoc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

86e8bfaeaff4ba2706de162b159d6052.exeqoc.exe

description	pid	process	target process
PID 4308 set thread context of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4216 set thread context of 3008	4216	qoc.exe	qoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

86e8bfaeaff4ba2706de162b159d6052.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	86e8bfaeaff4ba2706de162b159d6052.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

86e8bfaeaff4ba2706de162b159d6052.exeqoc.exe

pid	process
4308	86e8bfaeaff4ba2706de162b159d6052.exe
4308	86e8bfaeaff4ba2706de162b159d6052.exe
4308	86e8bfaeaff4ba2706de162b159d6052.exe
4308	86e8bfaeaff4ba2706de162b159d6052.exe
4308	86e8bfaeaff4ba2706de162b159d6052.exe
4216	qoc.exe
4216	qoc.exe
4216	qoc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

86e8bfaeaff4ba2706de162b159d6052.exeqoc.exe

description pid process

Token: SeDebugPrivilege 4308 86e8bfaeaff4ba2706de162b159d6052.exe
Token: SeDebugPrivilege 4216 qoc.exe

description	pid	process
Token: SeDebugPrivilege	4308	86e8bfaeaff4ba2706de162b159d6052.exe
Token: SeDebugPrivilege	4216	qoc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

86e8bfaeaff4ba2706de162b159d6052.exe86e8bfaeaff4ba2706de162b159d6052.exeWScript.execmd.exeqoc.exe

description	pid	process	target process
PID 4308 wrote to memory of 360	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 360	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 360	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 4308 wrote to memory of 3608	4308	86e8bfaeaff4ba2706de162b159d6052.exe	86e8bfaeaff4ba2706de162b159d6052.exe
PID 3608 wrote to memory of 4440	3608	86e8bfaeaff4ba2706de162b159d6052.exe	WScript.exe
PID 3608 wrote to memory of 4440	3608	86e8bfaeaff4ba2706de162b159d6052.exe	WScript.exe
PID 3608 wrote to memory of 4440	3608	86e8bfaeaff4ba2706de162b159d6052.exe	WScript.exe
PID 4440 wrote to memory of 976	4440	WScript.exe	cmd.exe
PID 4440 wrote to memory of 976	4440	WScript.exe	cmd.exe
PID 4440 wrote to memory of 976	4440	WScript.exe	cmd.exe
PID 976 wrote to memory of 4216	976	cmd.exe	qoc.exe
PID 976 wrote to memory of 4216	976	cmd.exe	qoc.exe
PID 976 wrote to memory of 4216	976	cmd.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe
PID 4216 wrote to memory of 3008	4216	qoc.exe	qoc.exe

C:\Users\Admin\AppData\Local\Temp\86e8bfaeaff4ba2706de162b159d6052.exe
"C:\Users\Admin\AppData\Local\Temp\86e8bfaeaff4ba2706de162b159d6052.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Local\Temp\86e8bfaeaff4ba2706de162b159d6052.exe
"C:\Users\Admin\AppData\Local\Temp\86e8bfaeaff4ba2706de162b159d6052.exe"
2⤵
PID:360

C:\Users\Admin\AppData\Local\Temp\86e8bfaeaff4ba2706de162b159d6052.exe
"C:\Users\Admin\AppData\Local\Temp\86e8bfaeaff4ba2706de162b159d6052.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\qoc.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Roaming\qoc.exe
C:\Users\Admin\AppData\Roaming\qoc.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Roaming\qoc.exe
"C:\Users\Admin\AppData\Roaming\qoc.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
398B

MD5
9edf722c5b68fc5befaf057c2aad1ccb

SHA1
0b079fc86d4c859ecb3c1a1893b6ffae2eb1e2cb

SHA256
bfdf30f700f36f615a0b3a9389bdaa2b3a334ece816e95a3090f7c41ec8efba6

SHA512
ea4f1e5842c38f998f2050004f4af9ffedeb0bbd4e6cf9e29b037f9659d48dd17b477a2b0ab23c1b6f8b94c4355a17f6155965bada1b98fd12c2868ec7ea82fc

Download Submit
C:\Users\Admin\AppData\Roaming\qoc.exe

Filesize
1.1MB

MD5
86e8bfaeaff4ba2706de162b159d6052

SHA1
28b240580810cf142440558c073118f5a7cb6cc1

SHA256
2d3030fd5b7664be15fc730d2e6ecaf0a0df5a28ee2aad28cd6b989b64c8e262

SHA512
40e3a05a63efb06bb8628f03be726ff18055bf9cfe44b35f6c95bd69816c11c0ace421dbbc3ccf57159edc78ae9f7173391815fde7b20d333a53162076e3f2e3

Download Submit
C:\Users\Admin\AppData\Roaming\qoc.exe

Filesize
1.1MB

MD5
86e8bfaeaff4ba2706de162b159d6052

SHA1
28b240580810cf142440558c073118f5a7cb6cc1

SHA256
2d3030fd5b7664be15fc730d2e6ecaf0a0df5a28ee2aad28cd6b989b64c8e262

SHA512
40e3a05a63efb06bb8628f03be726ff18055bf9cfe44b35f6c95bd69816c11c0ace421dbbc3ccf57159edc78ae9f7173391815fde7b20d333a53162076e3f2e3

Download Submit
C:\Users\Admin\AppData\Roaming\qoc.exe

Filesize
1.1MB

MD5
86e8bfaeaff4ba2706de162b159d6052

SHA1
28b240580810cf142440558c073118f5a7cb6cc1

SHA256
2d3030fd5b7664be15fc730d2e6ecaf0a0df5a28ee2aad28cd6b989b64c8e262

SHA512
40e3a05a63efb06bb8628f03be726ff18055bf9cfe44b35f6c95bd69816c11c0ace421dbbc3ccf57159edc78ae9f7173391815fde7b20d333a53162076e3f2e3

Download Submit
memory/360-138-0x0000000000000000-mapping.dmp

Download
memory/976-147-0x0000000000000000-mapping.dmp

Download
memory/3008-156-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3008-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3008-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3008-151-0x0000000000000000-mapping.dmp

Download
memory/3608-145-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3608-139-0x0000000000000000-mapping.dmp

Download
memory/3608-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3608-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3608-142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3608-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4216-148-0x0000000000000000-mapping.dmp

Download
memory/4308-136-0x00000000007A0000-0x000000000083C000-memory.dmp

Filesize
624KB

Download
memory/4308-134-0x0000000007480000-0x0000000007512000-memory.dmp

Filesize
584KB

Download
memory/4308-135-0x0000000007520000-0x000000000752A000-memory.dmp

Filesize
40KB

Download
memory/4308-133-0x0000000007850000-0x0000000007DF4000-memory.dmp

Filesize
5.6MB

Download
memory/4308-137-0x000000000AD00000-0x000000000AD66000-memory.dmp

Filesize
408KB

Download
memory/4308-132-0x0000000000160000-0x0000000000276000-memory.dmp

Filesize
1.1MB

Download
memory/4440-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads