remcos | 200c65040041056006600f5a6ed2bbc3281a6e440a12d24a84544d65e157288e

General

Target

BID_TENDER_DOCUMENTS-#01.08.2020.exe
Size

778KB
MD5

1df1ba3f5339b6185d2588efb1d35859
SHA1

db75794e44a59da19d4540257e8b4389cd31b87a
SHA256

200c65040041056006600f5a6ed2bbc3281a6e440a12d24a84544d65e157288e
SHA512

0fcbdb5b4c4eb8af7a6c0130226696b73e666fdf8fe40b351201963772d94e9898b7bbbcecac512a4746022bacc2f7fc59083390698d47e34c2beffe7151733b

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

212.83.46.26:4023

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

BID_TENDER_DOCUMENTS-#01.08.2020.exe

description pid process target process

PID 4772 set thread context of 944 4772 BID_TENDER_DOCUMENTS-#01.08.2020.exe BID_TENDER_DOCUMENTS-#01.08.2020.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

808 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

BID_TENDER_DOCUMENTS-#01.08.2020.exe

pid process

4772 BID_TENDER_DOCUMENTS-#01.08.2020.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BID_TENDER_DOCUMENTS-#01.08.2020.exe

description pid process

Token: SeDebugPrivilege 4772 BID_TENDER_DOCUMENTS-#01.08.2020.exe

description	pid	process	target process
PID 4772 set thread context of 944	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	BID_TENDER_DOCUMENTS-#01.08.2020.exe

pid	process
808	schtasks.exe

pid	process
4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe

description	pid	process
Token: SeDebugPrivilege	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

BID_TENDER_DOCUMENTS-#01.08.2020.exe

description	pid	process	target process
PID 4772 wrote to memory of 808	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	schtasks.exe
PID 4772 wrote to memory of 808	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	schtasks.exe
PID 4772 wrote to memory of 808	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	schtasks.exe
PID 4772 wrote to memory of 944	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	BID_TENDER_DOCUMENTS-#01.08.2020.exe
PID 4772 wrote to memory of 944	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	BID_TENDER_DOCUMENTS-#01.08.2020.exe
PID 4772 wrote to memory of 944	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	BID_TENDER_DOCUMENTS-#01.08.2020.exe
PID 4772 wrote to memory of 944	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	BID_TENDER_DOCUMENTS-#01.08.2020.exe
PID 4772 wrote to memory of 944	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	BID_TENDER_DOCUMENTS-#01.08.2020.exe
PID 4772 wrote to memory of 944	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	BID_TENDER_DOCUMENTS-#01.08.2020.exe
PID 4772 wrote to memory of 944	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	BID_TENDER_DOCUMENTS-#01.08.2020.exe
PID 4772 wrote to memory of 944	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	BID_TENDER_DOCUMENTS-#01.08.2020.exe
PID 4772 wrote to memory of 944	4772	BID_TENDER_DOCUMENTS-#01.08.2020.exe	BID_TENDER_DOCUMENTS-#01.08.2020.exe

C:\Users\Admin\AppData\Local\Temp\BID_TENDER_DOCUMENTS-#01.08.2020.exe
"C:\Users\Admin\AppData\Local\Temp\BID_TENDER_DOCUMENTS-#01.08.2020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XvInCaX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3365.tmp"
2⤵
- Creates scheduled task(s)
PID:808

C:\Users\Admin\AppData\Local\Temp\BID_TENDER_DOCUMENTS-#01.08.2020.exe
"C:\Users\Admin\AppData\Local\Temp\BID_TENDER_DOCUMENTS-#01.08.2020.exe"
2⤵
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3365.tmp
MD5
5d4dd35f0811aae8b64c8d5ef7f839f9

SHA1
954b9d2b5d2ac7dc1a794c9ca0be57a5ba211857

SHA256
8909dfe9e506010e48112b5d0874cde19bbcad751b7789f01b4b0cdf956bf7db

SHA512
f6ee562ef8e4e8571747bea763a112a3f663d43e6000dc8f0fd4ca6ff95507ce24c5833854e5f5aac1aec0f4d651624f55ecf08f0aa3b3dd43fb0bf2c2037c84

Download Submit
memory/808-12-0x0000000000000000-mapping.dmp

Download
memory/944-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/944-15-0x000000000040FD88-mapping.dmp

Download
memory/944-14-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4772-6-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/4772-9-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/4772-10-0x00000000053D0000-0x00000000053E2000-memory.dmp

Filesize
72KB

Download
memory/4772-11-0x0000000006120000-0x0000000006195000-memory.dmp

Filesize
468KB

Download
memory/4772-8-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/4772-7-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4772-2-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/4772-5-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4772-3-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads