remcos | 1f353369c80de1b1e98ded84be361263e75f56c109764fa3f5fa1d9b1df3a0c9

General

Target

SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
Size

10KB
MD5

c4356d6506fed06bf83324222896e64f
SHA1

3932ecf0b9ae7e144180ae357cc72f05b2bb1963
SHA256

1f353369c80de1b1e98ded84be361263e75f56c109764fa3f5fa1d9b1df3a0c9
SHA512

d68f76f09183e84c729cb1f7f4d090dedf387925d7cfd80e369a89d17a13b488fb0c9fc10620da3f5d39cbad73d9ff8ac0bbefa79981f7693abe925d6b786e53
SSDEEP

192:ujGVmR2TsJcAALF+9kseWgN0l4TKmF8stYcFmVc03KY:uikRvJczLF+9ksxgfTKmFptYcFmVc03K

Score

10^/10

remcos remote persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Remote

C2

79.110.62.46:50499

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
windowss
mouse_option
false
mutex
fg4wer4s5trgfqewdc-WR9LLO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gbmevjs = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fjkatm\\Gbmevjs.exe\""	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe

description	pid	process	target process
PID 2004 set thread context of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

948 powershell.exe
580 powershell.exe

pid	process
948	powershell.exe
580	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeSecuriteInfo.com.Win32.PWSX-gen.7824.29061.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
Token: SeDebugPrivilege	580	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe

pid process

1960 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe

pid	process
1960	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-Date
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
24da30f6bf70a1bc986263b03b9cb22e

SHA1
a2c6a0aea57ea5f70a1b64788180a227b8028397

SHA256
bc069348fff0bbe1d6f160e0bc87ce805854c80fcebfc507606d664017d92e65

SHA512
9d0778f88e9e464945a17ebdbbb25bc2ec63f8cdd8e8152d15589fe690ec3d5001735c9734bcb32686d081a00beee115448c70a2a5dce7ee3d3b23f2dab2af66

Download Submit
memory/580-64-0x000000006F0C0000-0x000000006F66B000-memory.dmp

Filesize
5.7MB

Download
memory/580-65-0x000000006F0C0000-0x000000006F66B000-memory.dmp

Filesize
5.7MB

Download
memory/580-61-0x0000000000000000-mapping.dmp

Download
memory/948-55-0x0000000000000000-mapping.dmp

Download
memory/948-56-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/948-58-0x000000006FEC0000-0x000000007046B000-memory.dmp

Filesize
5.7MB

Download
memory/948-59-0x000000006FEC0000-0x000000007046B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1960-79-0x00000000004327A4-mapping.dmp

Download
memory/1960-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2004-60-0x0000000007370000-0x00000000075AA000-memory.dmp

Filesize
2.2MB

Download
memory/2004-54-0x0000000000060000-0x0000000000068000-memory.dmp

Filesize
32KB

Download

description	pid	process	target process
PID 2004 wrote to memory of 948	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	powershell.exe
PID 2004 wrote to memory of 948	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	powershell.exe
PID 2004 wrote to memory of 948	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	powershell.exe
PID 2004 wrote to memory of 948	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	powershell.exe
PID 2004 wrote to memory of 580	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	powershell.exe
PID 2004 wrote to memory of 580	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	powershell.exe
PID 2004 wrote to memory of 580	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	powershell.exe
PID 2004 wrote to memory of 580	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	powershell.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
PID 2004 wrote to memory of 1960	2004	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe	SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads