remcos | fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c

General

Target

fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
Size

1.1MB
MD5

992bb973cca802daf8f95c6a0015267b
SHA1

b1fdb6f34f989930ef0b7d8b090f52591ac4d316
SHA256

fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c
SHA512

094b2e0ec3209694201d937f7c25aef8cdbe75144d3a51214e1f7bd99b8e35a240da7ca3a16370c4ddd0660421a8f49ded13f0bdf294d18e2b79866e5faee4f2
SSDEEP

24576:mPskkedT3pe/HfSOuFYZXsdWikf745uo4W18XO:mwy3o/wFCx3zuIWK+

Score

10^/10

remcos eric-host persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Eric-Host

C2

craigjonson91211.freedynamicdns.net:2011

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
wee.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-3CS7D1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
qos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

wee.exewee.exe

pid process

548 wee.exe
2008 wee.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2024 cmd.exe
2024 cmd.exe

pid	process
548	wee.exe
2008	wee.exe

pid	process
2024	cmd.exe
2024	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wee.exefd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	wee.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	wee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qos = "\"C:\\Users\\Admin\\AppData\\Roaming\\wee.exe\""	wee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	wee.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exewee.exe

description	pid	process	target process
PID 1516 set thread context of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 548 set thread context of 2008	548	wee.exe	wee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wee.exe

pid process

2008 wee.exe

pid	process
2008	wee.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exefd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exeWScript.execmd.exewee.exe

description	pid	process	target process
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1516 wrote to memory of 1696	1516	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
PID 1696 wrote to memory of 1480	1696	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	WScript.exe
PID 1696 wrote to memory of 1480	1696	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	WScript.exe
PID 1696 wrote to memory of 1480	1696	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	WScript.exe
PID 1696 wrote to memory of 1480	1696	fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe	WScript.exe
PID 1480 wrote to memory of 2024	1480	WScript.exe	cmd.exe
PID 1480 wrote to memory of 2024	1480	WScript.exe	cmd.exe
PID 1480 wrote to memory of 2024	1480	WScript.exe	cmd.exe
PID 1480 wrote to memory of 2024	1480	WScript.exe	cmd.exe
PID 2024 wrote to memory of 548	2024	cmd.exe	wee.exe
PID 2024 wrote to memory of 548	2024	cmd.exe	wee.exe
PID 2024 wrote to memory of 548	2024	cmd.exe	wee.exe
PID 2024 wrote to memory of 548	2024	cmd.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe
PID 548 wrote to memory of 2008	548	wee.exe	wee.exe

C:\Users\Admin\AppData\Local\Temp\fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
"C:\Users\Admin\AppData\Local\Temp\fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe
"C:\Users\Admin\AppData\Local\Temp\fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dsizbjrxljvierl.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\wee.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\wee.exe
C:\Users\Admin\AppData\Roaming\wee.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Roaming\wee.exe
"C:\Users\Admin\AppData\Roaming\wee.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dsizbjrxljvierl.vbs
Filesize
398B

MD5
f1536fc12b615b3b046757ce09cc2b41

SHA1
c67cacdb7dd2a1aa58ec9d2f554a831935fea0a2

SHA256
c03a7b60b1a4a6d06dbe6d1fc3444f68a64e1b9e48e1967b60003b0b02c78502

SHA512
39d0bfce41381099628b3d7f184c0aa49a98a9eef90da3b4be953530f3115bb4b72f871c6cf5026cce8d760b088865b63bbab3d8911d3e4513855712a3062207

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe
Filesize
1.1MB

MD5
992bb973cca802daf8f95c6a0015267b

SHA1
b1fdb6f34f989930ef0b7d8b090f52591ac4d316

SHA256
fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c

SHA512
094b2e0ec3209694201d937f7c25aef8cdbe75144d3a51214e1f7bd99b8e35a240da7ca3a16370c4ddd0660421a8f49ded13f0bdf294d18e2b79866e5faee4f2

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe
Filesize
1.1MB

MD5
992bb973cca802daf8f95c6a0015267b

SHA1
b1fdb6f34f989930ef0b7d8b090f52591ac4d316

SHA256
fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c

SHA512
094b2e0ec3209694201d937f7c25aef8cdbe75144d3a51214e1f7bd99b8e35a240da7ca3a16370c4ddd0660421a8f49ded13f0bdf294d18e2b79866e5faee4f2

Download Submit
C:\Users\Admin\AppData\Roaming\wee.exe
Filesize
1.1MB

MD5
992bb973cca802daf8f95c6a0015267b

SHA1
b1fdb6f34f989930ef0b7d8b090f52591ac4d316

SHA256
fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c

SHA512
094b2e0ec3209694201d937f7c25aef8cdbe75144d3a51214e1f7bd99b8e35a240da7ca3a16370c4ddd0660421a8f49ded13f0bdf294d18e2b79866e5faee4f2

Download Submit
\Users\Admin\AppData\Roaming\wee.exe
Filesize
1.1MB

MD5
992bb973cca802daf8f95c6a0015267b

SHA1
b1fdb6f34f989930ef0b7d8b090f52591ac4d316

SHA256
fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c

SHA512
094b2e0ec3209694201d937f7c25aef8cdbe75144d3a51214e1f7bd99b8e35a240da7ca3a16370c4ddd0660421a8f49ded13f0bdf294d18e2b79866e5faee4f2

Download Submit
\Users\Admin\AppData\Roaming\wee.exe
Filesize
1.1MB

MD5
992bb973cca802daf8f95c6a0015267b

SHA1
b1fdb6f34f989930ef0b7d8b090f52591ac4d316

SHA256
fd268ac25b0f2a211b7538d2be175f27833b058f16437a8c2625e7762074db7c

SHA512
094b2e0ec3209694201d937f7c25aef8cdbe75144d3a51214e1f7bd99b8e35a240da7ca3a16370c4ddd0660421a8f49ded13f0bdf294d18e2b79866e5faee4f2

Download Submit
memory/548-85-0x0000000000000000-mapping.dmp

Download
memory/548-87-0x00000000012A0000-0x00000000013C6000-memory.dmp

Filesize
1.1MB

Download
memory/1480-77-0x0000000000000000-mapping.dmp

Download
memory/1516-54-0x0000000000FA0000-0x00000000010C6000-memory.dmp

Filesize
1.1MB

Download
memory/1516-59-0x00000000081B0000-0x0000000008252000-memory.dmp

Filesize
648KB

Download
memory/1516-58-0x00000000080D0000-0x00000000081A6000-memory.dmp

Filesize
856KB

Download
memory/1516-57-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/1516-56-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/1516-55-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1696-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-73-0x000000000043292E-mapping.dmp

Download
memory/1696-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1696-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2008-102-0x000000000043292E-mapping.dmp

Download
memory/2008-106-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2008-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2008-108-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2024-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads