remcos | d783cab5c5ae5cada441b48ab938855e5fb5a0f696f31f86d68479041cc991cf

General

Target

remcos.bin.exe
Size

360KB
MD5

c8cd8226c29bbaed1b40691f25793833
SHA1

e6e802589ce0589bb1a7b17f93661dcffb67598d
SHA256

d783cab5c5ae5cada441b48ab938855e5fb5a0f696f31f86d68479041cc991cf
SHA512

3de43aae6c5fb9bc8e900ed73f3c26ccc5fbe32ed283cfb6cfc30af4e2d2fb3402723d1298f5a82d4c6cbc50b8da59b602ddb702b45a23ccef2db1f34950e758

Score

10^/10

rat remcos persistence

Malware Config

Extracted

Family

remcos

C2

185.140.53.153:2404

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1908 powershell.exe
1908 powershell.exe
1624 powershell.exe
1624 powershell.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1596 cmd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

560 remcos.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

288 schtasks.exe
776 schtasks.exe

pid	process
1908	powershell.exe
1908	powershell.exe
1624	powershell.exe
1624	powershell.exe

pid	process
1596	cmd.exe

pid	process
560	remcos.exe

pid	process
288	schtasks.exe
776	schtasks.exe

Suspicious use of WriteProcessMemory 77 IoCs

Processes:

remcos.bin.exepowershell.exeremcos.bin.exeremcos.bin.exeWScript.execmd.exeremcos.exepowershell.exeremcos.exe

description	pid	process	target process
PID 1860 wrote to memory of 1908	1860	remcos.bin.exe	powershell.exe
PID 1860 wrote to memory of 1908	1860	remcos.bin.exe	powershell.exe
PID 1860 wrote to memory of 1908	1860	remcos.bin.exe	powershell.exe
PID 1860 wrote to memory of 1908	1860	remcos.bin.exe	powershell.exe
PID 1908 wrote to memory of 2008	1908	powershell.exe	remcos.bin.exe
PID 1908 wrote to memory of 2008	1908	powershell.exe	remcos.bin.exe
PID 1908 wrote to memory of 2008	1908	powershell.exe	remcos.bin.exe
PID 1908 wrote to memory of 2008	1908	powershell.exe	remcos.bin.exe
PID 1908 wrote to memory of 2008	1908	powershell.exe	remcos.bin.exe
PID 1908 wrote to memory of 2008	1908	powershell.exe	remcos.bin.exe
PID 1908 wrote to memory of 2008	1908	powershell.exe	remcos.bin.exe
PID 1908 wrote to memory of 2008	1908	powershell.exe	remcos.bin.exe
PID 1908 wrote to memory of 2008	1908	powershell.exe	remcos.bin.exe
PID 2008 wrote to memory of 288	2008	remcos.bin.exe	schtasks.exe
PID 2008 wrote to memory of 288	2008	remcos.bin.exe	schtasks.exe
PID 2008 wrote to memory of 288	2008	remcos.bin.exe	schtasks.exe
PID 2008 wrote to memory of 288	2008	remcos.bin.exe	schtasks.exe
PID 2008 wrote to memory of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 2008 wrote to memory of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 2008 wrote to memory of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 2008 wrote to memory of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 2008 wrote to memory of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 2008 wrote to memory of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 2008 wrote to memory of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 2008 wrote to memory of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 2008 wrote to memory of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 2008 wrote to memory of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 2008 wrote to memory of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 1520 wrote to memory of 808	1520	remcos.bin.exe	WScript.exe
PID 1520 wrote to memory of 808	1520	remcos.bin.exe	WScript.exe
PID 1520 wrote to memory of 808	1520	remcos.bin.exe	WScript.exe
PID 1520 wrote to memory of 808	1520	remcos.bin.exe	WScript.exe
PID 808 wrote to memory of 1596	808	WScript.exe	cmd.exe
PID 808 wrote to memory of 1596	808	WScript.exe	cmd.exe
PID 808 wrote to memory of 1596	808	WScript.exe	cmd.exe
PID 808 wrote to memory of 1596	808	WScript.exe	cmd.exe
PID 1596 wrote to memory of 1540	1596	cmd.exe	remcos.exe
PID 1596 wrote to memory of 1540	1596	cmd.exe	remcos.exe
PID 1596 wrote to memory of 1540	1596	cmd.exe	remcos.exe
PID 1596 wrote to memory of 1540	1596	cmd.exe	remcos.exe
PID 1540 wrote to memory of 1624	1540	remcos.exe	powershell.exe
PID 1540 wrote to memory of 1624	1540	remcos.exe	powershell.exe
PID 1540 wrote to memory of 1624	1540	remcos.exe	powershell.exe
PID 1540 wrote to memory of 1624	1540	remcos.exe	powershell.exe
PID 1624 wrote to memory of 1708	1624	powershell.exe	remcos.exe
PID 1624 wrote to memory of 1708	1624	powershell.exe	remcos.exe
PID 1624 wrote to memory of 1708	1624	powershell.exe	remcos.exe
PID 1624 wrote to memory of 1708	1624	powershell.exe	remcos.exe
PID 1624 wrote to memory of 1708	1624	powershell.exe	remcos.exe
PID 1624 wrote to memory of 1708	1624	powershell.exe	remcos.exe
PID 1624 wrote to memory of 1708	1624	powershell.exe	remcos.exe
PID 1624 wrote to memory of 1708	1624	powershell.exe	remcos.exe
PID 1624 wrote to memory of 1708	1624	powershell.exe	remcos.exe
PID 1708 wrote to memory of 776	1708	remcos.exe	schtasks.exe
PID 1708 wrote to memory of 776	1708	remcos.exe	schtasks.exe
PID 1708 wrote to memory of 776	1708	remcos.exe	schtasks.exe
PID 1708 wrote to memory of 776	1708	remcos.exe	schtasks.exe
PID 1708 wrote to memory of 560	1708	remcos.exe	remcos.exe
PID 1708 wrote to memory of 560	1708	remcos.exe	remcos.exe
PID 1708 wrote to memory of 560	1708	remcos.exe	remcos.exe
PID 1708 wrote to memory of 560	1708	remcos.exe	remcos.exe
PID 1708 wrote to memory of 560	1708	remcos.exe	remcos.exe
PID 1708 wrote to memory of 560	1708	remcos.exe	remcos.exe
PID 1708 wrote to memory of 560	1708	remcos.exe	remcos.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1908 powershell.exe
Token: SeDebugPrivilege 1624 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

powershell.exeremcos.bin.exepowershell.exeremcos.exeremcos.exe

description	pid	process	target process
PID 1908 set thread context of 2008	1908	powershell.exe	remcos.bin.exe
PID 2008 set thread context of 1520	2008	remcos.bin.exe	remcos.bin.exe
PID 1624 set thread context of 1708	1624	powershell.exe	remcos.exe
PID 1708 set thread context of 560	1708	remcos.exe	remcos.exe
PID 560 set thread context of 868	560	remcos.exe	svchost.exe

Executes dropped EXE 3 IoCs

Processes:

remcos.exeremcos.exeremcos.exe

pid process

1540 remcos.exe
1708 remcos.exe
560 remcos.exe
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

pid	process
1540	remcos.exe
1708	remcos.exe
560	remcos.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.bin.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

C:\Users\Admin\AppData\Local\Temp\remcos.bin.exe
"C:\Users\Admin\AppData\Local\Temp\remcos.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\sysq.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1908

C:\Users\Admin\AppData\Local\Temp\remcos.bin.exe
"{path}"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dvYyogXCbN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AD7.tmp"
4⤵
- Creates scheduled task(s)
PID:288

C:\Users\Admin\AppData\Local\Temp\remcos.bin.exe
"{path}"
4⤵
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
PID:1520

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
7⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\sysq.ps1"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1624

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"{path}"
9⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1708

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dvYyogXCbN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B9B.tmp"
10⤵
- Creates scheduled task(s)
PID:776

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"{path}"
10⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Adds Run entry to start application
PID:560

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
11⤵
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B9B.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9AD7.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

Download Submit
C:\Users\Public\sysq.ps1

Download Submit
C:\Users\Public\sysq.ps1

Download Submit
\Users\Admin\AppData\Roaming\remcos\remcos.exe

Download Submit
memory/560-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/808-10-0x0000000002780000-0x0000000002784000-memory.dmp

Filesize
16KB

Download
memory/868-26-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/868-27-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/868-28-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1520-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1520-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-4-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2008-5-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2008-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads