remcos | 88478956ea6c8ea5423e2c30e23fbbf893f4ebbcaa3718d407ac418bf9964c0e

General

Target

New PO.doc.rtf
Size

1.3MB
MD5

3e734589bebe665471dec5c6342b1df3
SHA1

08a241bc943f69b937e6df4bd231d19d81b84128
SHA256

88478956ea6c8ea5423e2c30e23fbbf893f4ebbcaa3718d407ac418bf9964c0e
SHA512

15463cf5f247f8d6b9abfbd8697e82a06ac61dea918b64b6668fdb281e39d28d61bcd9b9a5cb14e2375b6998f0872e4018e442eba83f02ddbfefd359234e02ec

Score

10^/10

remcos rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 4 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1764 EQNEDT32.EXE
8 1764 EQNEDT32.EXE
10 1764 EQNEDT32.EXE
12 1764 EQNEDT32.EXE
Executes dropped EXE 1 IoCs

Processes:

69577.exe

pid process

932 69577.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1764 EQNEDT32.EXE
1764 EQNEDT32.EXE
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

69577.exeieinstal.exe

pid process

932 69577.exe
1300 ieinstal.exe
1300 ieinstal.exe

flow	pid	process
6	1764	EQNEDT32.EXE
8	1764	EQNEDT32.EXE
10	1764	EQNEDT32.EXE
12	1764	EQNEDT32.EXE

pid	process
932	69577.exe

pid	process
1764	EQNEDT32.EXE
1764	EQNEDT32.EXE

pid	process
932	69577.exe
1300	ieinstal.exe
1300	ieinstal.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

69577.exeieinstal.exe

description	pid	process	target process
PID 932 set thread context of 1300	932	69577.exe	ieinstal.exe
PID 1300 set thread context of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 set thread context of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 set thread context of 1844	1300	ieinstal.exe	ieinstal.exe

Drops file in Program Files directory 1 IoCs

Processes:

ieinstal.exe

description ioc process

File opened for modification C:\Program Files (x86)\internet explorer\ieinstal.exe ieinstal.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1764 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\internet explorer\ieinstal.exe	ieinstal.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1764	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

748 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ieinstal.exe

pid process

996 ieinstal.exe
996 ieinstal.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

69577.exe

pid process

932 69577.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ieinstal.exe

description pid process

Token: SeDebugPrivilege 1512 ieinstal.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE69577.exeieinstal.exe

pid process

748 WINWORD.EXE
748 WINWORD.EXE
932 69577.exe
1300 ieinstal.exe

pid	process
748	WINWORD.EXE

pid	process
996	ieinstal.exe
996	ieinstal.exe

pid	process
932	69577.exe

description	pid	process
Token: SeDebugPrivilege	1512	ieinstal.exe

pid	process
748	WINWORD.EXE
748	WINWORD.EXE
932	69577.exe
1300	ieinstal.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXE69577.exeieinstal.exe

description	pid	process	target process
PID 748 wrote to memory of 1164	748	WINWORD.EXE	splwow64.exe
PID 748 wrote to memory of 1164	748	WINWORD.EXE	splwow64.exe
PID 748 wrote to memory of 1164	748	WINWORD.EXE	splwow64.exe
PID 748 wrote to memory of 1164	748	WINWORD.EXE	splwow64.exe
PID 1764 wrote to memory of 932	1764	EQNEDT32.EXE	69577.exe
PID 1764 wrote to memory of 932	1764	EQNEDT32.EXE	69577.exe
PID 1764 wrote to memory of 932	1764	EQNEDT32.EXE	69577.exe
PID 1764 wrote to memory of 932	1764	EQNEDT32.EXE	69577.exe
PID 932 wrote to memory of 1300	932	69577.exe	ieinstal.exe
PID 932 wrote to memory of 1300	932	69577.exe	ieinstal.exe
PID 932 wrote to memory of 1300	932	69577.exe	ieinstal.exe
PID 932 wrote to memory of 1300	932	69577.exe	ieinstal.exe
PID 932 wrote to memory of 1300	932	69577.exe	ieinstal.exe
PID 932 wrote to memory of 1300	932	69577.exe	ieinstal.exe
PID 932 wrote to memory of 1300	932	69577.exe	ieinstal.exe
PID 932 wrote to memory of 1300	932	69577.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 996	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1512	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1844	1300	ieinstal.exe	ieinstal.exe
PID 1300 wrote to memory of 1628	1300	ieinstal.exe	WScript.exe
PID 1300 wrote to memory of 1628	1300	ieinstal.exe	WScript.exe
PID 1300 wrote to memory of 1628	1300	ieinstal.exe	WScript.exe
PID 1300 wrote to memory of 1628	1300	ieinstal.exe	WScript.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New PO.doc.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1164

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Public\69577.exe
"C:\Users\Public\69577.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:932

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Public\69577.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kosqtexgmqtqemlxau"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vqxbuxihayldhszbjfzkt"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fkltvptbogdirgvnaqmmwjnwf"
4⤵
PID:1844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\uninstall.vbs"
4⤵
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
b145a2f496f92bc0a166bc49177e6d15

SHA1
e3b2c0fb5c2393d595e121b5fe8225de96e90da2

SHA256
1441ed25fa37ed99986a770e13c2a3e68f9b13e07ce9d95c5ba935cfdf2df2b3

SHA512
6cb4caf9deb58a02d46724058da150b4bae9bcf2a2e4575443ccd91ae0a7a615d70e074817692bd8aa051c01f09346ad04d77632e8169d67f444a38f6cbfff48

Download Submit
C:\Users\Admin\AppData\Local\Temp\kosqtexgmqtqemlxau
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninstall.vbs
MD5
0fe2423601d3291b0b6326e6518286a0

SHA1
09746eb739147f191068aba1552cd616eabd5e1d

SHA256
1a899121e3969c2bb894e08765a57e8a65cb9154d71c3825baa6b4f2da61d8f3

SHA512
9632acaa96bf0d7bc5f3754d15117079888fcc23591007fc7f4d5dabfdb1e9300cf96ff3ee9266fe2d29ea118623651773d1002d5a3f91270471841d5012cec6

Download Submit
C:\Users\Public\69577.exe
MD5
0640f43c412f8f2c3bf6e1b9139db1d0

SHA1
f07e9e5e618b14b0dd5478cb2a26f42096a10e1d

SHA256
1664c6a330c5b318458518ea71b2a9995a91c79281a050278c3aa2388663a986

SHA512
753029891e9db39d072cce14dd552ef313479ea0cff2e4c3a5591bbf045174ea474e2651c8bdbed5ca30429852f4d28a5126fe99bfcaf9aa9daec30ac46f0a05

Download Submit
\Users\Public\69577.exe
MD5
0640f43c412f8f2c3bf6e1b9139db1d0

SHA1
f07e9e5e618b14b0dd5478cb2a26f42096a10e1d

SHA256
1664c6a330c5b318458518ea71b2a9995a91c79281a050278c3aa2388663a986

SHA512
753029891e9db39d072cce14dd552ef313479ea0cff2e4c3a5591bbf045174ea474e2651c8bdbed5ca30429852f4d28a5126fe99bfcaf9aa9daec30ac46f0a05

Download Submit
\Users\Public\69577.exe
MD5
0640f43c412f8f2c3bf6e1b9139db1d0

SHA1
f07e9e5e618b14b0dd5478cb2a26f42096a10e1d

SHA256
1664c6a330c5b318458518ea71b2a9995a91c79281a050278c3aa2388663a986

SHA512
753029891e9db39d072cce14dd552ef313479ea0cff2e4c3a5591bbf045174ea474e2651c8bdbed5ca30429852f4d28a5126fe99bfcaf9aa9daec30ac46f0a05

Download Submit
memory/932-6-0x0000000000000000-mapping.dmp

Download
memory/996-13-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/996-23-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/996-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/996-14-0x0000000000476274-mapping.dmp

Download
memory/1164-2-0x0000000000000000-mapping.dmp

Download
memory/1300-10-0x00000000000D0000-0x00000000001D0000-memory.dmp

Filesize
1024KB

Download
memory/1300-11-0x00000000000D0000-mapping.dmp

Download
memory/1456-3-0x000007FEF7500000-0x000007FEF777A000-memory.dmp

Filesize
2.5MB

Download
memory/1512-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1512-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1512-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1512-16-0x0000000000422206-mapping.dmp

Download
memory/1628-26-0x0000000000000000-mapping.dmp

Download
memory/1628-28-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/1844-22-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1844-20-0x0000000000455238-mapping.dmp

Download
memory/1844-19-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1844-24-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads