remcos | e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0

General

Target

Arrival notice.exe
Size

933KB
MD5

cd4bacd0528a0f7efdea9be27414c6e7
SHA1

fd92ca627cc15e4ed350478fa5aa575ef39adacf
SHA256

e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0
SHA512

bd7c3e1a86bc2eeb21105a308ceaa94b9b930d9c179b255d1563491f6dfad010f3efcf3796d25a110769f54484aae9a8f0224f7d6788007a4651c7d70beef37a
SSDEEP

12288:I4stXCxGE7FyfV3RuK7EmImLu6krd2ks1v2bZ4OQN2EjWPPtiUQ+8+t5pX5PO9PD:IBtXkGEiVMcENmL1aeOQDoi+pX5eoHw

Score

10^/10

remcos xp persistence rat

Malware Config

Extracted

Family

remcos

Botnet

XP

C2

xpremcuz300622.ddns.net:3542

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
oos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Remcos-MMP2I7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
kkl
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

oos.exeoos.exe

pid process

584 oos.exe
1144 oos.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

688 cmd.exe
688 cmd.exe

pid	process
584	oos.exe
1144	oos.exe

pid	process
688	cmd.exe
688	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Arrival notice.exeoos.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	Arrival notice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kkl = "\"C:\\Users\\Admin\\AppData\\Roaming\\oos.exe\""	Arrival notice.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\	oos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\kkl = "\"C:\\Users\\Admin\\AppData\\Roaming\\oos.exe\""	oos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	oos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kkl = "\"C:\\Users\\Admin\\AppData\\Roaming\\oos.exe\""	oos.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Arrival notice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\kkl = "\"C:\\Users\\Admin\\AppData\\Roaming\\oos.exe\""	Arrival notice.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Arrival notice.exeoos.exe

description	pid	process	target process
PID 1560 set thread context of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 584 set thread context of 1144	584	oos.exe	oos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

oos.exe

pid process

1144 oos.exe

pid	process
1144	oos.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

Arrival notice.exeArrival notice.exeWScript.execmd.exeoos.exe

description	pid	process	target process
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1560 wrote to memory of 1672	1560	Arrival notice.exe	Arrival notice.exe
PID 1672 wrote to memory of 1212	1672	Arrival notice.exe	WScript.exe
PID 1672 wrote to memory of 1212	1672	Arrival notice.exe	WScript.exe
PID 1672 wrote to memory of 1212	1672	Arrival notice.exe	WScript.exe
PID 1672 wrote to memory of 1212	1672	Arrival notice.exe	WScript.exe
PID 1212 wrote to memory of 688	1212	WScript.exe	cmd.exe
PID 1212 wrote to memory of 688	1212	WScript.exe	cmd.exe
PID 1212 wrote to memory of 688	1212	WScript.exe	cmd.exe
PID 1212 wrote to memory of 688	1212	WScript.exe	cmd.exe
PID 688 wrote to memory of 584	688	cmd.exe	oos.exe
PID 688 wrote to memory of 584	688	cmd.exe	oos.exe
PID 688 wrote to memory of 584	688	cmd.exe	oos.exe
PID 688 wrote to memory of 584	688	cmd.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe
PID 584 wrote to memory of 1144	584	oos.exe	oos.exe

C:\Users\Admin\AppData\Local\Temp\Arrival notice.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival notice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\Arrival notice.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival notice.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\oos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Roaming\oos.exe
C:\Users\Admin\AppData\Roaming\oos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Roaming\oos.exe
"C:\Users\Admin\AppData\Roaming\oos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
699d9bd7f24272ef1a7a53bbeb0f1d19

SHA1
31bb0fe772c53ab3d39135f4b8919398cb20d69e

SHA256
0370d9cbb720b7c7a89d96fa2450eb7dfb8ed76b18566deee25dbf2e299a47c0

SHA512
cb76bb3421422154e54ce8a31b490f1a2c3e81beafe23324405c44952aad82be8512a18ebf0d130796cc248fbdbf592e7d80ca5d56d9d5a3fbebf1b7ede05f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
398B

MD5
a5d3440f90cbfae712166e20870eaed7

SHA1
cc1e1a2945eb2ad475234344f7527ad9e9873647

SHA256
960a570da95b8d16809cbcc18e8ca4d81e16cb666354ddc1d572daf93f291f02

SHA512
d3136a280fbb326ccc5cb5ab1214aed8ccd6baa7f3f89ef9e0b5bf391a957dab2c121640bb056e6cbda0594f83133c4dbb4e1e2f0e290b44a401cd2cf8cfd4aa

Download Submit
C:\Users\Admin\AppData\Roaming\oos.exe
Filesize
933KB

MD5
cd4bacd0528a0f7efdea9be27414c6e7

SHA1
fd92ca627cc15e4ed350478fa5aa575ef39adacf

SHA256
e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0

SHA512
bd7c3e1a86bc2eeb21105a308ceaa94b9b930d9c179b255d1563491f6dfad010f3efcf3796d25a110769f54484aae9a8f0224f7d6788007a4651c7d70beef37a

Download Submit
C:\Users\Admin\AppData\Roaming\oos.exe
Filesize
933KB

MD5
cd4bacd0528a0f7efdea9be27414c6e7

SHA1
fd92ca627cc15e4ed350478fa5aa575ef39adacf

SHA256
e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0

SHA512
bd7c3e1a86bc2eeb21105a308ceaa94b9b930d9c179b255d1563491f6dfad010f3efcf3796d25a110769f54484aae9a8f0224f7d6788007a4651c7d70beef37a

Download Submit
C:\Users\Admin\AppData\Roaming\oos.exe
Filesize
933KB

MD5
cd4bacd0528a0f7efdea9be27414c6e7

SHA1
fd92ca627cc15e4ed350478fa5aa575ef39adacf

SHA256
e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0

SHA512
bd7c3e1a86bc2eeb21105a308ceaa94b9b930d9c179b255d1563491f6dfad010f3efcf3796d25a110769f54484aae9a8f0224f7d6788007a4651c7d70beef37a

Download Submit
\Users\Admin\AppData\Roaming\oos.exe
Filesize
933KB

MD5
cd4bacd0528a0f7efdea9be27414c6e7

SHA1
fd92ca627cc15e4ed350478fa5aa575ef39adacf

SHA256
e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0

SHA512
bd7c3e1a86bc2eeb21105a308ceaa94b9b930d9c179b255d1563491f6dfad010f3efcf3796d25a110769f54484aae9a8f0224f7d6788007a4651c7d70beef37a

Download Submit
\Users\Admin\AppData\Roaming\oos.exe
Filesize
933KB

MD5
cd4bacd0528a0f7efdea9be27414c6e7

SHA1
fd92ca627cc15e4ed350478fa5aa575ef39adacf

SHA256
e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0

SHA512
bd7c3e1a86bc2eeb21105a308ceaa94b9b930d9c179b255d1563491f6dfad010f3efcf3796d25a110769f54484aae9a8f0224f7d6788007a4651c7d70beef37a

Download Submit
memory/584-92-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/584-91-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/584-90-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/584-89-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/584-88-0x00000000013A0000-0x000000000148E000-memory.dmp

Filesize
952KB

Download
memory/1144-106-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1144-128-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-127-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-121-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-120-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-119-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-116-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-113-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-112-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-111-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-110-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-109-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-108-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1144-105-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1560-58-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/1560-61-0x0000000005570000-0x000000000562E000-memory.dmp

Filesize
760KB

Download
memory/1560-60-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/1560-59-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/1560-55-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/1560-57-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/1560-62-0x0000000000A80000-0x0000000000A86000-memory.dmp

Filesize
24KB

Download
memory/1560-56-0x0000000000710000-0x0000000000724000-memory.dmp

Filesize
80KB

Download
memory/1560-63-0x0000000005150000-0x00000000051CE000-memory.dmp

Filesize
504KB

Download
memory/1560-54-0x0000000000FA0000-0x000000000108E000-memory.dmp

Filesize
952KB

Download
memory/1672-65-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1672-64-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1672-66-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1672-82-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1672-79-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1672-75-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1672-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1672-73-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1672-71-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1672-70-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1672-67-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1672-69-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1672-68-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads