remcos | 19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7

Modify Registry

Processes:

Backdoor.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	Backdoor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

Backdoor.exeremcos.exe

pid process

4148 Backdoor.exe
2548 remcos.exe

pid	process
4148	Backdoor.exe
2548	remcos.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Backdoor.exe	upx
behavioral2/memory/5032-16-0x00000146F9630000-0x00000146F9640000-memory.dmp	upx
behavioral2/memory/4148-27-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4148-31-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2548-39-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3500-40-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2548-41-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

Backdoor.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	Backdoor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

Modify Registry

Processes:

Backdoor.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	Backdoor.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	remcos.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

remcos.exe

description pid process target process

PID 2548 set thread context of 3500 2548 remcos.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5016 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

5032 powershell.exe
5032 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 5032 powershell.exe

description	pid	process	target process
PID 2548 set thread context of 3500	2548	remcos.exe	iexplore.exe

pid	process
5016	PING.EXE

pid	process
5032	powershell.exe
5032	powershell.exe

description	pid	process
Token: SeDebugPrivilege	5032	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exeBackdoor.execmd.exeremcos.exe

description	pid	process	target process
PID 3676 wrote to memory of 5032	3676	19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe	powershell.exe
PID 3676 wrote to memory of 5032	3676	19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe	powershell.exe
PID 3676 wrote to memory of 4148	3676	19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe	Backdoor.exe
PID 3676 wrote to memory of 4148	3676	19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe	Backdoor.exe
PID 3676 wrote to memory of 4148	3676	19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe	Backdoor.exe
PID 4148 wrote to memory of 4928	4148	Backdoor.exe	cmd.exe
PID 4148 wrote to memory of 4928	4148	Backdoor.exe	cmd.exe
PID 4148 wrote to memory of 4928	4148	Backdoor.exe	cmd.exe
PID 4928 wrote to memory of 5016	4928	cmd.exe	PING.EXE
PID 4928 wrote to memory of 5016	4928	cmd.exe	PING.EXE
PID 4928 wrote to memory of 5016	4928	cmd.exe	PING.EXE
PID 4928 wrote to memory of 2548	4928	cmd.exe	remcos.exe
PID 4928 wrote to memory of 2548	4928	cmd.exe	remcos.exe
PID 4928 wrote to memory of 2548	4928	cmd.exe	remcos.exe
PID 2548 wrote to memory of 3500	2548	remcos.exe	iexplore.exe
PID 2548 wrote to memory of 3500	2548	remcos.exe	iexplore.exe
PID 2548 wrote to memory of 3500	2548	remcos.exe	iexplore.exe
PID 2548 wrote to memory of 3500	2548	remcos.exe	iexplore.exe
PID 2548 wrote to memory of 3500	2548	remcos.exe	iexplore.exe
PID 2548 wrote to memory of 3500	2548	remcos.exe	iexplore.exe
PID 2548 wrote to memory of 3500	2548	remcos.exe	iexplore.exe
PID 2548 wrote to memory of 3500	2548	remcos.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe
"C:\Users\Admin\AppData\Local\Temp\19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAYgB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdwBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAbABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AdAB6ACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Users\Admin\AppData\Local\Temp\Backdoor.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:5016

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2548

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
5⤵
PID:3500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

2

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

2

Defense Evasion

Modify Registry

3

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery