remcos | b45828548d894e2e2e78c7615e5441ebd199d0a4c31c684d54d49ba4321ac5af

General

Target

726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
Size

556KB
MD5

726eec69e99d3cd35bf5d4a141cff8c0
SHA1

f1ca1da7a39ba80cbf0157e03390c30ae44b4b3a
SHA256

b45828548d894e2e2e78c7615e5441ebd199d0a4c31c684d54d49ba4321ac5af
SHA512

aff9e08f9708a0e0f30b30d04e69e11238bfe3e2c423b26c6871ce4ad4ff8b5816fa954d8d731b89fdc7388147b72b0a6850c35230ba14d29db0b12e5c9c674f
SSDEEP

6144:rYTN3Y3EG5bKIi0W9ZJ6NGzr2Hb3DawZZdbmRAINVnLYjz1L7cIakKBxKnPzRGRV:2y3tbK10vGPqewmRXngp7csK+rRfEj

Score

10^/10

remcos persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

Remc.exe

pid process

2568 Remc.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2728 cmd.exe
2728 cmd.exe

pid	process
2568	Remc.exe

pid	process
2728	cmd.exe
2728	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exeRemc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""	Remc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Remc.exe

description pid process target process

PID 2568 set thread context of 2792 2568 Remc.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exeRemc.exe

pid process

1640 726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
2568 Remc.exe
2568 Remc.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exeRemc.exe

pid process

1640 726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
2568 Remc.exe

description	pid	process	target process
PID 2568 set thread context of 2792	2568	Remc.exe	svchost.exe

pid	process
1640	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
2568	Remc.exe
2568	Remc.exe

pid	process
1640	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
2568	Remc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exeWScript.execmd.exeRemc.exe

description	pid	process	target process
PID 1640 wrote to memory of 2944	1640	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe	WScript.exe
PID 1640 wrote to memory of 2944	1640	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe	WScript.exe
PID 1640 wrote to memory of 2944	1640	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe	WScript.exe
PID 1640 wrote to memory of 2944	1640	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe	WScript.exe
PID 2944 wrote to memory of 2728	2944	WScript.exe	cmd.exe
PID 2944 wrote to memory of 2728	2944	WScript.exe	cmd.exe
PID 2944 wrote to memory of 2728	2944	WScript.exe	cmd.exe
PID 2944 wrote to memory of 2728	2944	WScript.exe	cmd.exe
PID 2728 wrote to memory of 2568	2728	cmd.exe	Remc.exe
PID 2728 wrote to memory of 2568	2728	cmd.exe	Remc.exe
PID 2728 wrote to memory of 2568	2728	cmd.exe	Remc.exe
PID 2728 wrote to memory of 2568	2728	cmd.exe	Remc.exe
PID 2568 wrote to memory of 2792	2568	Remc.exe	svchost.exe
PID 2568 wrote to memory of 2792	2568	Remc.exe	svchost.exe
PID 2568 wrote to memory of 2792	2568	Remc.exe	svchost.exe
PID 2568 wrote to memory of 2792	2568	Remc.exe	svchost.exe
PID 2568 wrote to memory of 2792	2568	Remc.exe	svchost.exe
PID 2568 wrote to memory of 2792	2568	Remc.exe	svchost.exe
PID 2568 wrote to memory of 2792	2568	Remc.exe	svchost.exe
PID 2568 wrote to memory of 2792	2568	Remc.exe	svchost.exe
PID 2568 wrote to memory of 2792	2568	Remc.exe	svchost.exe
PID 2568 wrote to memory of 2792	2568	Remc.exe	svchost.exe
PID 2568 wrote to memory of 2792	2568	Remc.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remc\Remc.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
410B

MD5
837b54af2c8d285fb69d719cc9061206

SHA1
b31b75216a46b744eb0d89dd9885431a8ecde820

SHA256
353bf067c7071e2b6904205a0f6755433a8711a4b2a9b48ac32ff538463f0e46

SHA512
6cc4e846538cf16de26004343a157a565fe9730ad5c253e3fb6c64098405849e732bd2216fbdecd52cc3cbcb84e24e4dca23b5fd4f68bcdc0e73d485479e2311

Download Submit
C:\Users\Admin\AppData\Roaming\Remc\Remc.exe

Filesize
556KB

MD5
726eec69e99d3cd35bf5d4a141cff8c0

SHA1
f1ca1da7a39ba80cbf0157e03390c30ae44b4b3a

SHA256
b45828548d894e2e2e78c7615e5441ebd199d0a4c31c684d54d49ba4321ac5af

SHA512
aff9e08f9708a0e0f30b30d04e69e11238bfe3e2c423b26c6871ce4ad4ff8b5816fa954d8d731b89fdc7388147b72b0a6850c35230ba14d29db0b12e5c9c674f

Download Submit
C:\Users\Admin\AppData\Roaming\Remc\logs.dat

Filesize
79B

MD5
b4a1b180e11fb920610fe7df65e7b0ac

SHA1
86a5572a0c1b287a3876568c7ad4c7745d9d9de3

SHA256
9fc9c141bda43ec033c45d006fdc6a65107547107385da3741026d635b0475f5

SHA512
5b7c6c5721e391eac7d47fcf543271586b2d4cb853fdaae8469b119784e44ffaa2cc50b1fbec5fb5fc64a7fb9f287fb01fc65bcbd9b8c2f04330a4864e2e5ca0

Download Submit
memory/1640-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1640-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1640-7-0x0000000072940000-0x0000000072A60000-memory.dmp

Filesize
1.1MB

Download
memory/1640-11-0x0000000072940000-0x0000000072A60000-memory.dmp

Filesize
1.1MB

Download
memory/1640-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1640-2-0x0000000077430000-0x0000000077506000-memory.dmp

Filesize
856KB

Download
memory/2568-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2568-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2792-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-38-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2792-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2792-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2792-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2792-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2792-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2792-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads