remcos | 6a2ffd2b362dd38d2518163bd6c849366ab37d38a446845cc9789dcd02f8e7db

General

Target

PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
Size

771KB
MD5

81338cc1ec365407ac22a6eab3ece373
SHA1

29f4ca9ec7fa628cea899292ac517f3852361f5d
SHA256

6a2ffd2b362dd38d2518163bd6c849366ab37d38a446845cc9789dcd02f8e7db
SHA512

0b66cbf636ccd22a4b3aab1d4bdd5357fd944de5647314d0023b7220ccc87379d59f15811c14f66a7163fcb14afcbd118ef9023686b1e485d1df9074b93c96ea

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

212.83.46.26:4023

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

description	pid	process	target process
PID 4688 set thread context of 900	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

496 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

pid process

4688 PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

description pid process

Token: SeDebugPrivilege 4688 PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

pid	process
496	schtasks.exe

pid	process
4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

description	pid	process
Token: SeDebugPrivilege	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

description	pid	process	target process
PID 4688 wrote to memory of 496	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	schtasks.exe
PID 4688 wrote to memory of 496	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	schtasks.exe
PID 4688 wrote to memory of 496	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	schtasks.exe
PID 4688 wrote to memory of 900	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 4688 wrote to memory of 900	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 4688 wrote to memory of 900	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 4688 wrote to memory of 900	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 4688 wrote to memory of 900	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 4688 wrote to memory of 900	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 4688 wrote to memory of 900	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 4688 wrote to memory of 900	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
PID 4688 wrote to memory of 900	4688	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe	PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe

C:\Users\Admin\AppData\Local\Temp\PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DxrQHPLzs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4FC7.tmp"
2⤵
- Creates scheduled task(s)
PID:496

C:\Users\Admin\AppData\Local\Temp\PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\PO. MKL1-20-06053 & TECHNICAL SPECIFICATION.exe"
2⤵
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4FC7.tmp
MD5
4a29766d233689d754ba93309b79e9bb

SHA1
1168737e3b171e467e270fac2af4dd025d8ca180

SHA256
595927e392c95a927950a09681d00e0f21c2a79a19b4f45e20c459b84c94dfa5

SHA512
48ce37657bec9262476879ae93ad7aeefa8cba0235303a5a7a92020de61846fee9418a73124e28e5c2800f57ce4dfd16bf0b1ad13dd344574adb1d0fba5b4c37

Download Submit
memory/496-12-0x0000000000000000-mapping.dmp

Download
memory/900-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/900-15-0x000000000040FD88-mapping.dmp

Download
memory/900-14-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4688-6-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/4688-9-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/4688-10-0x0000000005830000-0x0000000005842000-memory.dmp

Filesize
72KB

Download
memory/4688-11-0x00000000064C0000-0x0000000006517000-memory.dmp

Filesize
348KB

Download
memory/4688-8-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4688-7-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/4688-2-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4688-5-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/4688-3-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads