remcos | f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27

General

Target

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Size

1.4MB
MD5

fecaf29f4b5fa02b801f7dcaf13472d8
SHA1

ed394790fbd6c2adb6db9f4dc44d54dd85cc4171
SHA256

f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27
SHA512

993cc7f3055adf6e9ced61b4b4a1beb0f97a81e69dee6ba676229716d97a25ba63c3458485b618cdee4df8997d3e7828b98371494cbf0627d6f0ae8244f4032e
SSDEEP

24576:Kg7AqlKSw+m74B/WHoUdSs/B1pfk4Nor1JbamMdGT8i:F7AxJ74BfUkQB1Vkxl0dS8

Score

10^/10

remcos uc persistence rat

Malware Config

Extracted

Family

remcos

Botnet

UC

C2

ucremcz1.ddns.net:1823

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
BIN.exe
copy_folder
BIN
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-TYHMFA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
bin
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

BIN.exeBIN.exe

pid process

680 BIN.exe
1180 BIN.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1708 cmd.exe

pid	process
680	BIN.exe
1180	BIN.exe

pid	process
1708	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exeBIN.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\BIN\\BIN.exe\""	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\BIN\\BIN.exe\""	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	BIN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\BIN\\BIN.exe\""	BIN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	BIN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\BIN\\BIN.exe\""	BIN.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exeBIN.exe

description	pid	process	target process
PID 1672 set thread context of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 680 set thread context of 1180	680	BIN.exe	BIN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1192 schtasks.exe
1776 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BIN.exe

pid process

1180 BIN.exe

pid	process
1192	schtasks.exe
1776	schtasks.exe

pid	process
1180	BIN.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exeSecuriteInfo.com.Win32.PWSX-gen.18196.4017.exeWScript.execmd.exeBIN.exe

description	pid	process	target process
PID 1672 wrote to memory of 1192	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	schtasks.exe
PID 1672 wrote to memory of 1192	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	schtasks.exe
PID 1672 wrote to memory of 1192	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	schtasks.exe
PID 1672 wrote to memory of 1192	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	schtasks.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 1672 wrote to memory of 960	1672	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
PID 960 wrote to memory of 756	960	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	WScript.exe
PID 960 wrote to memory of 756	960	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	WScript.exe
PID 960 wrote to memory of 756	960	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	WScript.exe
PID 960 wrote to memory of 756	960	SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe	WScript.exe
PID 756 wrote to memory of 1708	756	WScript.exe	cmd.exe
PID 756 wrote to memory of 1708	756	WScript.exe	cmd.exe
PID 756 wrote to memory of 1708	756	WScript.exe	cmd.exe
PID 756 wrote to memory of 1708	756	WScript.exe	cmd.exe
PID 1708 wrote to memory of 680	1708	cmd.exe	BIN.exe
PID 1708 wrote to memory of 680	1708	cmd.exe	BIN.exe
PID 1708 wrote to memory of 680	1708	cmd.exe	BIN.exe
PID 1708 wrote to memory of 680	1708	cmd.exe	BIN.exe
PID 680 wrote to memory of 1776	680	BIN.exe	schtasks.exe
PID 680 wrote to memory of 1776	680	BIN.exe	schtasks.exe
PID 680 wrote to memory of 1776	680	BIN.exe	schtasks.exe
PID 680 wrote to memory of 1776	680	BIN.exe	schtasks.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe
PID 680 wrote to memory of 1180	680	BIN.exe	BIN.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LASJvAOXx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1009.tmp"
2⤵
- Creates scheduled task(s)
PID:1192

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.18196.4017.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\BIN\BIN.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Roaming\BIN\BIN.exe
C:\Users\Admin\AppData\Roaming\BIN\BIN.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LASJvAOXx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9510.tmp"
6⤵
- Creates scheduled task(s)
PID:1776

C:\Users\Admin\AppData\Roaming\BIN\BIN.exe
"{path}"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
406B

MD5
6635e7fa26b296a61475e4fc7fa2033b

SHA1
29ae9f05ce79a4239df1fa3f4a0426d1af269678

SHA256
1ed12f7480bbdc0450b1385ebb3559eb8369f69508f314bf2b31f3b399179b31

SHA512
7ae5d38eeb8c865033fda364f40f14c96e00bd45b4dac47c48bc9303b822dfb9a547bebc973ea6b96e9e1937affea541ba17689da6c6fe3462ea22e4b2bd868e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1009.tmp
Filesize
1KB

MD5
4b133f49a95510895d98f375445bd0ea

SHA1
746a8d8ca430c9f849e7ea619a010cb562ae344b

SHA256
38257cc6539055f0a6f7956ddf2855222746e6c664498e62d5086d66b6a62c92

SHA512
d1c0c297c2e2c0b728f371df950711d538088ca21262b4188328a13cb0ae363da8465faf076398d3e54879c07fca2cc647c1e49c8b23d513f5bea6f5c2a997cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9510.tmp
Filesize
1KB

MD5
4b133f49a95510895d98f375445bd0ea

SHA1
746a8d8ca430c9f849e7ea619a010cb562ae344b

SHA256
38257cc6539055f0a6f7956ddf2855222746e6c664498e62d5086d66b6a62c92

SHA512
d1c0c297c2e2c0b728f371df950711d538088ca21262b4188328a13cb0ae363da8465faf076398d3e54879c07fca2cc647c1e49c8b23d513f5bea6f5c2a997cd

Download Submit
C:\Users\Admin\AppData\Roaming\BIN\BIN.exe
Filesize
1.4MB

MD5
fecaf29f4b5fa02b801f7dcaf13472d8

SHA1
ed394790fbd6c2adb6db9f4dc44d54dd85cc4171

SHA256
f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27

SHA512
993cc7f3055adf6e9ced61b4b4a1beb0f97a81e69dee6ba676229716d97a25ba63c3458485b618cdee4df8997d3e7828b98371494cbf0627d6f0ae8244f4032e

Download Submit
C:\Users\Admin\AppData\Roaming\BIN\BIN.exe
Filesize
1.4MB

MD5
fecaf29f4b5fa02b801f7dcaf13472d8

SHA1
ed394790fbd6c2adb6db9f4dc44d54dd85cc4171

SHA256
f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27

SHA512
993cc7f3055adf6e9ced61b4b4a1beb0f97a81e69dee6ba676229716d97a25ba63c3458485b618cdee4df8997d3e7828b98371494cbf0627d6f0ae8244f4032e

Download Submit
C:\Users\Admin\AppData\Roaming\BIN\BIN.exe
Filesize
1.4MB

MD5
fecaf29f4b5fa02b801f7dcaf13472d8

SHA1
ed394790fbd6c2adb6db9f4dc44d54dd85cc4171

SHA256
f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27

SHA512
993cc7f3055adf6e9ced61b4b4a1beb0f97a81e69dee6ba676229716d97a25ba63c3458485b618cdee4df8997d3e7828b98371494cbf0627d6f0ae8244f4032e

Download Submit
\Users\Admin\AppData\Roaming\BIN\BIN.exe
Filesize
1.4MB

MD5
fecaf29f4b5fa02b801f7dcaf13472d8

SHA1
ed394790fbd6c2adb6db9f4dc44d54dd85cc4171

SHA256
f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27

SHA512
993cc7f3055adf6e9ced61b4b4a1beb0f97a81e69dee6ba676229716d97a25ba63c3458485b618cdee4df8997d3e7828b98371494cbf0627d6f0ae8244f4032e

Download Submit
memory/680-90-0x0000000007CD0000-0x0000000007D92000-memory.dmp

Filesize
776KB

Download
memory/680-89-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/680-87-0x0000000000AD0000-0x0000000000C38000-memory.dmp

Filesize
1.4MB

Download
memory/680-85-0x0000000000000000-mapping.dmp

Download
memory/756-78-0x0000000000000000-mapping.dmp

Download
memory/960-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-74-0x00000000004327A4-mapping.dmp

Download
memory/960-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1180-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1180-106-0x00000000004327A4-mapping.dmp

Download
memory/1180-111-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1180-110-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1192-59-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000001340000-0x00000000014A8000-memory.dmp

Filesize
1.4MB

Download
memory/1672-56-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/1672-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-57-0x0000000005C90000-0x0000000005D92000-memory.dmp

Filesize
1.0MB

Download
memory/1672-58-0x0000000005260000-0x0000000005322000-memory.dmp

Filesize
776KB

Download
memory/1708-82-0x0000000000000000-mapping.dmp

Download
memory/1776-91-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads