remcos | b45828548d894e2e2e78c7615e5441ebd199d0a4c31c684d54d49ba4321ac5af

General

Target

726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
Size

556KB
MD5

726eec69e99d3cd35bf5d4a141cff8c0
SHA1

f1ca1da7a39ba80cbf0157e03390c30ae44b4b3a
SHA256

b45828548d894e2e2e78c7615e5441ebd199d0a4c31c684d54d49ba4321ac5af
SHA512

aff9e08f9708a0e0f30b30d04e69e11238bfe3e2c423b26c6871ce4ad4ff8b5816fa954d8d731b89fdc7388147b72b0a6850c35230ba14d29db0b12e5c9c674f
SSDEEP

6144:rYTN3Y3EG5bKIi0W9ZJ6NGzr2Hb3DawZZdbmRAINVnLYjz1L7cIakKBxKnPzRGRV:2y3tbK10vGPqewmRXngp7csK+rRfEj

Score

10^/10

remcos persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

Remc.exe

pid process

2052 Remc.exe

pid	process
2052	Remc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Remc.exe726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""	Remc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Remc.exe

description pid process target process

PID 2052 set thread context of 4156 2052 Remc.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2052 set thread context of 4156	2052	Remc.exe	svchost.exe

Modifies registry class 1 IoCs

Processes:

726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exeRemc.exe

pid process

2788 726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
2052 Remc.exe
2052 Remc.exe

pid	process
2788	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
2052	Remc.exe
2052	Remc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exeWScript.execmd.exeRemc.exe

description	pid	process	target process
PID 2788 wrote to memory of 2784	2788	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe	WScript.exe
PID 2788 wrote to memory of 2784	2788	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe	WScript.exe
PID 2788 wrote to memory of 2784	2788	726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe	WScript.exe
PID 2784 wrote to memory of 1180	2784	WScript.exe	cmd.exe
PID 2784 wrote to memory of 1180	2784	WScript.exe	cmd.exe
PID 2784 wrote to memory of 1180	2784	WScript.exe	cmd.exe
PID 1180 wrote to memory of 2052	1180	cmd.exe	Remc.exe
PID 1180 wrote to memory of 2052	1180	cmd.exe	Remc.exe
PID 1180 wrote to memory of 2052	1180	cmd.exe	Remc.exe
PID 2052 wrote to memory of 4156	2052	Remc.exe	svchost.exe
PID 2052 wrote to memory of 4156	2052	Remc.exe	svchost.exe
PID 2052 wrote to memory of 4156	2052	Remc.exe	svchost.exe
PID 2052 wrote to memory of 4156	2052	Remc.exe	svchost.exe
PID 2052 wrote to memory of 4156	2052	Remc.exe	svchost.exe
PID 2052 wrote to memory of 4156	2052	Remc.exe	svchost.exe
PID 2052 wrote to memory of 4156	2052	Remc.exe	svchost.exe
PID 2052 wrote to memory of 4156	2052	Remc.exe	svchost.exe
PID 2052 wrote to memory of 4156	2052	Remc.exe	svchost.exe
PID 2052 wrote to memory of 4156	2052	Remc.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\726eec69e99d3cd35bf5d4a141cff8c0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remc\Remc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
410B

MD5
837b54af2c8d285fb69d719cc9061206

SHA1
b31b75216a46b744eb0d89dd9885431a8ecde820

SHA256
353bf067c7071e2b6904205a0f6755433a8711a4b2a9b48ac32ff538463f0e46

SHA512
6cc4e846538cf16de26004343a157a565fe9730ad5c253e3fb6c64098405849e732bd2216fbdecd52cc3cbcb84e24e4dca23b5fd4f68bcdc0e73d485479e2311

Download Submit
C:\Users\Admin\AppData\Roaming\Remc\Remc.exe

Filesize
556KB

MD5
726eec69e99d3cd35bf5d4a141cff8c0

SHA1
f1ca1da7a39ba80cbf0157e03390c30ae44b4b3a

SHA256
b45828548d894e2e2e78c7615e5441ebd199d0a4c31c684d54d49ba4321ac5af

SHA512
aff9e08f9708a0e0f30b30d04e69e11238bfe3e2c423b26c6871ce4ad4ff8b5816fa954d8d731b89fdc7388147b72b0a6850c35230ba14d29db0b12e5c9c674f

Download Submit
C:\Users\Admin\AppData\Roaming\Remc\logs.dat

Filesize
79B

MD5
afcd95817552166614cef533594e821e

SHA1
bfef108f90202fee65af586d390110eb756e1053

SHA256
9e0be2035b859a4929845d8ef743967f19f9a6eb5f9da4aa701c7dad4c95207f

SHA512
d49e66d6a0be2916f25934d4b3933ef40b5b2d741a90dbbb1766406bb1f6dd7ae307e15ed6c7c20566f1e8a26d502a6d79fa547eab6f0acf214ad35aebce6bc0

Download Submit
memory/2052-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2052-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2788-3-0x00000000772C1000-0x00000000773E1000-memory.dmp

Filesize
1.1MB

Download
memory/2788-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2788-8-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2788-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4156-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads