remcos | 6a8e333328928f8497741e03ae829a86587b9005cccb2a33a6062c20cb759491

General

Target

50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe
Size

588KB
MD5

50e8d1bfc6604c8dc05bd72b015bd1d0
SHA1

bf2f30a0b4d43fd24741a5fbb3830a1cf1846b6e
SHA256

6a8e333328928f8497741e03ae829a86587b9005cccb2a33a6062c20cb759491
SHA512

06cd20c661d2a9af4ffed4ce7223b2527a44438718a871312e2482a8290369633294aa94cdfe1b38c6d1d6f270d55b92eda83ceb170f6fce6e6eb47fe4277276
SSDEEP

6144:kJFynC0QKjmzzqWMQE2VCW5+Mf3exBEScTC8iIkS8p1PREc3g/rN0IyN:xnC0nKzQgVCc+MAB8mS82agTN07

Score

10^/10

remcos persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

Remc.exe

pid process

2732 Remc.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2592 cmd.exe
2592 cmd.exe

pid	process
2732	Remc.exe

pid	process
2592	cmd.exe
2592	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exeRemc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""	50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""	Remc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Remc.exe

description pid process target process

PID 2732 set thread context of 2396 2732 Remc.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exeRemc.exe

pid process

2356 50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe
2732 Remc.exe
2732 Remc.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exeRemc.exe

pid process

2356 50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe
2732 Remc.exe

description	pid	process	target process
PID 2732 set thread context of 2396	2732	Remc.exe	svchost.exe

pid	process
2356	50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe
2732	Remc.exe
2732	Remc.exe

pid	process
2356	50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe
2732	Remc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exeWScript.execmd.exeRemc.exe

description	pid	process	target process
PID 2356 wrote to memory of 2636	2356	50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe	WScript.exe
PID 2356 wrote to memory of 2636	2356	50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe	WScript.exe
PID 2356 wrote to memory of 2636	2356	50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe	WScript.exe
PID 2356 wrote to memory of 2636	2356	50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe	WScript.exe
PID 2636 wrote to memory of 2592	2636	WScript.exe	cmd.exe
PID 2636 wrote to memory of 2592	2636	WScript.exe	cmd.exe
PID 2636 wrote to memory of 2592	2636	WScript.exe	cmd.exe
PID 2636 wrote to memory of 2592	2636	WScript.exe	cmd.exe
PID 2592 wrote to memory of 2732	2592	cmd.exe	Remc.exe
PID 2592 wrote to memory of 2732	2592	cmd.exe	Remc.exe
PID 2592 wrote to memory of 2732	2592	cmd.exe	Remc.exe
PID 2592 wrote to memory of 2732	2592	cmd.exe	Remc.exe
PID 2732 wrote to memory of 2396	2732	Remc.exe	svchost.exe
PID 2732 wrote to memory of 2396	2732	Remc.exe	svchost.exe
PID 2732 wrote to memory of 2396	2732	Remc.exe	svchost.exe
PID 2732 wrote to memory of 2396	2732	Remc.exe	svchost.exe
PID 2732 wrote to memory of 2396	2732	Remc.exe	svchost.exe
PID 2732 wrote to memory of 2396	2732	Remc.exe	svchost.exe
PID 2732 wrote to memory of 2396	2732	Remc.exe	svchost.exe
PID 2732 wrote to memory of 2396	2732	Remc.exe	svchost.exe
PID 2732 wrote to memory of 2396	2732	Remc.exe	svchost.exe
PID 2732 wrote to memory of 2396	2732	Remc.exe	svchost.exe
PID 2732 wrote to memory of 2396	2732	Remc.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\50e8d1bfc6604c8dc05bd72b015bd1d0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remc\Remc.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
      C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        5⤵
        
        PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
410B

MD5
837b54af2c8d285fb69d719cc9061206

SHA1
b31b75216a46b744eb0d89dd9885431a8ecde820

SHA256
353bf067c7071e2b6904205a0f6755433a8711a4b2a9b48ac32ff538463f0e46

SHA512
6cc4e846538cf16de26004343a157a565fe9730ad5c253e3fb6c64098405849e732bd2216fbdecd52cc3cbcb84e24e4dca23b5fd4f68bcdc0e73d485479e2311

Download Submit
C:\Users\Admin\AppData\Roaming\Remc\logs.dat

Filesize
79B

MD5
e34821bcc4c871e6686769b9c398b38b

SHA1
0786d120068249b538627d995a29d239f70814ec

SHA256
e73c1b7ce70938162d936d2ee7e358136222bd6c1057f40473f2b09b4df3fd94

SHA512
2a8fab9f75a55fbaa4da3291a5861cb0902f100a41b5e4dc1a868cebd2a045f62732ab23718f30254c41c89cdda1d5e1c7fef6f7362d6f74c5b410e1162d1e6c

Download Submit
\Users\Admin\AppData\Roaming\Remc\Remc.exe

Filesize
588KB

MD5
50e8d1bfc6604c8dc05bd72b015bd1d0

SHA1
bf2f30a0b4d43fd24741a5fbb3830a1cf1846b6e

SHA256
6a8e333328928f8497741e03ae829a86587b9005cccb2a33a6062c20cb759491

SHA512
06cd20c661d2a9af4ffed4ce7223b2527a44438718a871312e2482a8290369633294aa94cdfe1b38c6d1d6f270d55b92eda83ceb170f6fce6e6eb47fe4277276

Download Submit
memory/2356-2-0x0000000077940000-0x0000000077A16000-memory.dmp

Filesize
856KB

Download
memory/2356-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2356-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2356-7-0x0000000072940000-0x0000000072A60000-memory.dmp

Filesize
1.1MB

Download
memory/2356-11-0x0000000072940000-0x0000000072A60000-memory.dmp

Filesize
1.1MB

Download
memory/2356-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-37-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2396-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2732-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2732-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads