remcos | 0bec16111e2199d4f62882cd59c2e3868b5c7539e64f5f3fb16dde94e2b4292e

General

Target

cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
Size

556KB
MD5

cbd453d3cca0a21f19e5d2f1b2f2cdd5
SHA1

b5b2d7139500f1a45c9e85e7a278d59ab0e6dac4
SHA256

0bec16111e2199d4f62882cd59c2e3868b5c7539e64f5f3fb16dde94e2b4292e
SHA512

7ede9637c2fdb3640bdd2fb7bc81e7ba96b85dd6154ba68e4ff45469d9597bcca9ff76765ef16f28782d5ee50168a9323082a3d05b5fcb1ece4fe21e4f0eb66e
SSDEEP

6144:D3zSXlx+8X8zqLoDpNAZF6HdygYEuH0u4N51cz/XtD/yld9K753:jWXTZsuMDpKT68gYEuUp50try1K7F

Score

10^/10

remcos discovery persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
2772	Remc.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	cmd.exe
2400	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""	cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""	Remc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2772 set thread context of 2636	2772	Remc.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1992	cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
2772	Remc.exe
2772	Remc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1992	cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
2772	Remc.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1756	1992	cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe	30
PID 1992 wrote to memory of 1756	1992	cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe	30
PID 1992 wrote to memory of 1756	1992	cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe	30
PID 1992 wrote to memory of 1756	1992	cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe	30
PID 1756 wrote to memory of 2400	1756	WScript.exe	31
PID 1756 wrote to memory of 2400	1756	WScript.exe	31
PID 1756 wrote to memory of 2400	1756	WScript.exe	31
PID 1756 wrote to memory of 2400	1756	WScript.exe	31
PID 2400 wrote to memory of 2772	2400	cmd.exe	33
PID 2400 wrote to memory of 2772	2400	cmd.exe	33
PID 2400 wrote to memory of 2772	2400	cmd.exe	33
PID 2400 wrote to memory of 2772	2400	cmd.exe	33
PID 2772 wrote to memory of 2636	2772	Remc.exe	34
PID 2772 wrote to memory of 2636	2772	Remc.exe	34
PID 2772 wrote to memory of 2636	2772	Remc.exe	34
PID 2772 wrote to memory of 2636	2772	Remc.exe	34
PID 2772 wrote to memory of 2636	2772	Remc.exe	34
PID 2772 wrote to memory of 2636	2772	Remc.exe	34
PID 2772 wrote to memory of 2636	2772	Remc.exe	34
PID 2772 wrote to memory of 2636	2772	Remc.exe	34
PID 2772 wrote to memory of 2636	2772	Remc.exe	34
PID 2772 wrote to memory of 2636	2772	Remc.exe	34
PID 2772 wrote to memory of 2636	2772	Remc.exe	34

C:\Users\Admin\AppData\Local\Temp\cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remc\Remc.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
      C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        5⤵
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
410B

MD5
837b54af2c8d285fb69d719cc9061206

SHA1
b31b75216a46b744eb0d89dd9885431a8ecde820

SHA256
353bf067c7071e2b6904205a0f6755433a8711a4b2a9b48ac32ff538463f0e46

SHA512
6cc4e846538cf16de26004343a157a565fe9730ad5c253e3fb6c64098405849e732bd2216fbdecd52cc3cbcb84e24e4dca23b5fd4f68bcdc0e73d485479e2311

Download Submit
C:\Users\Admin\AppData\Roaming\Remc\logs.dat

Filesize
79B

MD5
a427676487385e01f1efd56248f90193

SHA1
fd523df33f9e29e1d7fd58ee29b4e88498f2107e

SHA256
0bb1f75a2d6ce9c9933ce552eeb28fa2d7902e42ab0f8a7fff7ed507daade805

SHA512
4c8275e604cf78d90f4065203e3abf823b7773d291eb5a9b10417ba9a9e4b7e55e6c5b03199eb51958565afcafe067a489bc71f8623d818da7c15ecabdfa351f

Download Submit
\Users\Admin\AppData\Roaming\Remc\Remc.exe

Filesize
556KB

MD5
cbd453d3cca0a21f19e5d2f1b2f2cdd5

SHA1
b5b2d7139500f1a45c9e85e7a278d59ab0e6dac4

SHA256
0bec16111e2199d4f62882cd59c2e3868b5c7539e64f5f3fb16dde94e2b4292e

SHA512
7ede9637c2fdb3640bdd2fb7bc81e7ba96b85dd6154ba68e4ff45469d9597bcca9ff76765ef16f28782d5ee50168a9323082a3d05b5fcb1ece4fe21e4f0eb66e

Download Submit
memory/1992-2-0x0000000077D00000-0x0000000077DD6000-memory.dmp

Filesize
856KB

Download
memory/1992-4-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1992-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1992-7-0x0000000072940000-0x0000000072A60000-memory.dmp

Filesize
1.1MB

Download
memory/1992-12-0x0000000072940000-0x0000000072A60000-memory.dmp

Filesize
1.1MB

Download
memory/1992-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-38-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-35-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-33-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads