remcos | d93d98295e3aebd631b2fd6d1a47ddd5ed0597343bf2c0ed870d6bdb59cb6192

General

Target

PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
Size

807KB
MD5

a3d8e6527b3cd4d2e74539af7918fc34
SHA1

cbc6e8e8e9c777b708350f4be1e14393d0c0551a
SHA256

d93d98295e3aebd631b2fd6d1a47ddd5ed0597343bf2c0ed870d6bdb59cb6192
SHA512

c6f81fc3c03c8939fdfcaea765171c2470170a91fe6a35165bc2cbf7ac18e6d5dba1876dbf2932e89f49ef593215ec2e57197464dfcc9daa893982f5c0684e9d

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

212.83.46.26:4023

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

description	pid	process	target process
PID 1204 set thread context of 1712	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1460 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

description pid process

Token: SeDebugPrivilege 1204 PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

pid	process
1460	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

description	pid	process	target process
PID 1204 wrote to memory of 1460	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	schtasks.exe
PID 1204 wrote to memory of 1460	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	schtasks.exe
PID 1204 wrote to memory of 1460	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	schtasks.exe
PID 1204 wrote to memory of 1460	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	schtasks.exe
PID 1204 wrote to memory of 1712	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 1204 wrote to memory of 1712	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 1204 wrote to memory of 1712	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 1204 wrote to memory of 1712	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 1204 wrote to memory of 1712	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 1204 wrote to memory of 1712	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 1204 wrote to memory of 1712	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 1204 wrote to memory of 1712	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 1204 wrote to memory of 1712	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 1204 wrote to memory of 1712	1204	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

C:\Users\Admin\AppData\Local\Temp\PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pAZrZLHJfxvYL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAE9.tmp"
2⤵
- Creates scheduled task(s)
PID:1460

C:\Users\Admin\AppData\Local\Temp\PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\PO NO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe"
2⤵
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAE9.tmp
MD5
860f672a1729a6d9f233f46547a0c3a0

SHA1
a9cb1892f4114377b8190545c9100c0beacdf3b4

SHA256
818b718dec4d84a13eb678c46ba9b6067a789f4be53e72a8f4bfa3ad548f98cb

SHA512
359b437bc75d23562326c195dfdc03b1301a69b91e92c2932f8d6ca2e58cd6096df36990036a1488e68040d8a22ce13dc4694639964629de715cffb8be971ab0

Download Submit
memory/1204-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1204-3-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/1204-5-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1204-6-0x0000000004ED0000-0x0000000004F26000-memory.dmp

Filesize
344KB

Download
memory/1460-7-0x0000000000000000-mapping.dmp

Download
memory/1712-9-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1712-10-0x000000000040FD88-mapping.dmp

Download
memory/1712-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads