remcos | 81cd20986cf64db5433eff8750449e847c7d327a8493b4dee1af9cb51b21d3e8

General

Target

PORTAFOLIO PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT/DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe
Size

4.0MB
MD5

6358b60b9e07fb80b705ec024e5e3fe9
SHA1

0af3b32f03055623e89036885952a398dd897252
SHA256

6272c72c830630f76aac92c2ad13e3f601aa7752e13d8713e150511754097eaa
SHA512

65fe12720f0dc375925a077dc7a7bacf2297ac7c957cbec9788f5c5b411f92529ba96b725d1214ac321e4ef326f4f9f9140bb497255498c03626df548a025915
SSDEEP

49152:HWGtLBcXq5IR6SVb8kq4pgquLMMji4NYxtJpkxhGjIKTbZB333zvm6t7holsw7W:ptLuYqgwh4NYxtJpkxhGxB333roJW

Score

10^/10

remcos raton discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RATON

C2

newtestdn.dns.army:1700

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
datos
mouse_option
false
mutex
hbdggdmmmskbsciihcjh-VVGXL8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Deletes itself 1 IoCs

pid	Process
1348	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\UniDesignerEditor = "C:\\Users\\Admin\\Music\\UniDesignerUpdater\\UniConvertVideo.exe"	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2984	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 2984	684	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	30
PID 684 wrote to memory of 2984	684	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	30
PID 684 wrote to memory of 2984	684	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	30
PID 684 wrote to memory of 2984	684	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	30
PID 684 wrote to memory of 2984	684	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	30
PID 684 wrote to memory of 2984	684	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	30
PID 684 wrote to memory of 2984	684	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	30
PID 684 wrote to memory of 2984	684	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	30
PID 684 wrote to memory of 2984	684	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	30
PID 2984 wrote to memory of 1348	2984	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	32
PID 2984 wrote to memory of 1348	2984	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	32
PID 2984 wrote to memory of 1348	2984	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	32
PID 2984 wrote to memory of 1348	2984	DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe	32

C:\Users\Admin\AppData\Local\Temp\PORTAFOLIO PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT\DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe
"C:\Users\Admin\AppData\Local\Temp\PORTAFOLIO PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT\DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\PORTAFOLIO PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT\DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe
  "C:\Users\Admin\AppData\Local\Temp\PORTAFOLIO PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT\DOC PRIORITARIO CANCELACIÓN DE CONTRATO 18 DE OCT.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qoemozrqalrjrays.vbs"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\datos\registros.dat

Filesize
184B

MD5
2da5c70226f40e118ccd869746b45bcc

SHA1
dac3ff007cf601915211b88e9e046a1230723286

SHA256
3ab00bdebf6ba0793135a0930da72afb568bf0e9a475d4b5b26ea5513c48e39b

SHA512
83dd94594c8a1022352a2436f3514f299d38ef80e25018414f9d3f6e7e254b2846f8da443dec9c7c0285fb3e3e1dd5c65272e64c12140ecc10f92b9f95c0e970

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoemozrqalrjrays.vbs

Filesize
900B

MD5
27c83ccbc9047bdb755f1a68a8ef7bd2

SHA1
dda8674c2c7ff5bc3c57198faf16a0d9b1b75df2

SHA256
8fa869c93120a4e4299a658d5e5098495760be55a28f7fd2a5e191a47dd5a30b

SHA512
bd6855a7ccc3b2cdd1b7cad1b799048ecfda8754c9c50c5c9a36ed6b423966d39f94dbdd0b5840f0425222889df0cda60e01b2704fa06fbddf655ecb66d55094

Download Submit
memory/684-6-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download
memory/684-1-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download
memory/684-2-0x0000000000517000-0x000000000052F000-memory.dmp

Filesize
96KB

Download
memory/684-5-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download
memory/684-7-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download
memory/684-13-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download
memory/684-17-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download
memory/684-0-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download
memory/684-4-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download
memory/2984-16-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-31-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-8-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-12-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-23-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-18-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-25-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-24-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-26-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2984-32-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-21-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-39-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-40-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-41-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-42-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-43-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-55-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-48-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2984-22-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads