remcos | 7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd

General

Target

7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe
Size

136KB
MD5

b2232a781127819d4b424924bc07ad8d
SHA1

3635c05508b6d1deaf1fac2f3339ded446f84096
SHA256

7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd
SHA512

5aa987d546741d0519903a78aa39932579f2a7a70d35764d770e46824ab80fb79d13780c4c2e9864faf49bcfd3c4ac665bb4bdb0a9466acda6a4bafa36ad8973
SSDEEP

1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKU:xPd4n/M+WLcilrpgGH/GwY87mVmIXha

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
OfficeUpgrade.exe
copy_folder
OfficeUpgrade
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
Upgrader.dat
keylog_flag
false
keylog_folder
Upgrader
keylog_path
%AppData%
mouse_option
false
mutex
req_khauflaoyr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
OfficeUpgrade
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

detects Windows exceutables potentially bypassing UAC using eventvwr.exe 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2656-24-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2656-22-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2656-20-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2656-29-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2656-30-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral1/memory/2656-32-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer

Executes dropped EXE 2 IoCs

Processes:

wn2ra4ohzdr.exewn2ra4ohzdr.exe

pid process

2284 wn2ra4ohzdr.exe
2656 wn2ra4ohzdr.exe
Loads dropped DLL 1 IoCs

Processes:

7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe

pid process

2936 7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe

pid	process
2284	wn2ra4ohzdr.exe
2656	wn2ra4ohzdr.exe

pid	process
2936	7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe"	7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wn2ra4ohzdr.exe

description pid process target process

PID 2284 set thread context of 2656 2284 wn2ra4ohzdr.exe wn2ra4ohzdr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wn2ra4ohzdr.exe

pid process

2656 wn2ra4ohzdr.exe

description	pid	process	target process
PID 2284 set thread context of 2656	2284	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe

pid	process
2656	wn2ra4ohzdr.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exewn2ra4ohzdr.exe

description	pid	process	target process
PID 2936 wrote to memory of 2284	2936	7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe	wn2ra4ohzdr.exe
PID 2936 wrote to memory of 2284	2936	7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe	wn2ra4ohzdr.exe
PID 2936 wrote to memory of 2284	2936	7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe	wn2ra4ohzdr.exe
PID 2936 wrote to memory of 2284	2936	7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe	wn2ra4ohzdr.exe
PID 2284 wrote to memory of 2656	2284	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2284 wrote to memory of 2656	2284	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2284 wrote to memory of 2656	2284	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2284 wrote to memory of 2656	2284	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2284 wrote to memory of 2656	2284	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2284 wrote to memory of 2656	2284	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2284 wrote to memory of 2656	2284	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2284 wrote to memory of 2656	2284	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2284 wrote to memory of 2656	2284	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2284 wrote to memory of 2656	2284	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe

C:\Users\Admin\AppData\Local\Temp\7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe
"C:\Users\Admin\AppData\Local\Temp\7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
"C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
"C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
Filesize
136KB

MD5
3ea581899b04c92d10499bbd4e7526e3

SHA1
dd566964a2d3777fcdaaae0c49be4943bbdddb3b

SHA256
d632dec2bc174d2a04b71b8b6ad318d29445d0e384b21d8f7cf6a03c35fbfe79

SHA512
09821ad0ec1087c84cd2765fb22f64fc3e3fefab8ea9fee0ef582dd5e3aa02654844419d9d081c41b8383f7751b3121bef39b73a85757c6ece3bc8c0b91df721

Download Submit
memory/2284-14-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/2284-35-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/2284-15-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/2284-13-0x0000000000BD0000-0x0000000000BF8000-memory.dmp

Filesize
160KB

Download
memory/2656-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2656-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2656-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2656-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2656-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2656-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2656-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2656-18-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2656-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2936-0-0x00000000003F0000-0x0000000000418000-memory.dmp

Filesize
160KB

Download
memory/2936-12-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/2936-2-0x0000000004820000-0x0000000004860000-memory.dmp

Filesize
256KB

Download
memory/2936-3-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/2936-1-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads