remcos | 059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642

General

Target

Request ## HMI 8130-3##.pdf.exe
Size

1013KB
MD5

d91456035c9e48c7b8da1ebcd4d6cdbc
SHA1

65fae97ec1480deb5421bc967e316ce10977c9db
SHA256

059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642
SHA512

8b614bb9b11fda452a39a8a86ddcd1d82d285f329063a8d4755fc1b6c0e46f92b9c7a79641f60ed4739fe4203b5a7e2fdeda9ee45e3cf0960c17b4ee9e6a9731

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

richiealvin2021.duckdns.org:1989

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

windows update.exe

pid process

1160 windows update.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

756 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1160	windows update.exe

pid	process
756	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows update = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsoft office\\windows update.exe\""	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Request ## HMI 8130-3##.pdf.exe

description pid process target process

PID 1992 set thread context of 1928 1992 Request ## HMI 8130-3##.pdf.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

752 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Request ## HMI 8130-3##.pdf.exe

pid process

1992 Request ## HMI 8130-3##.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Request ## HMI 8130-3##.pdf.exe

description pid process

Token: SeDebugPrivilege 1992 Request ## HMI 8130-3##.pdf.exe

description	pid	process	target process
PID 1992 set thread context of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe

pid	process
752	schtasks.exe

pid	process
1992	Request ## HMI 8130-3##.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1992	Request ## HMI 8130-3##.pdf.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

Request ## HMI 8130-3##.pdf.exevbc.exeWScript.execmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 752	1992	Request ## HMI 8130-3##.pdf.exe	schtasks.exe
PID 1992 wrote to memory of 752	1992	Request ## HMI 8130-3##.pdf.exe	schtasks.exe
PID 1992 wrote to memory of 752	1992	Request ## HMI 8130-3##.pdf.exe	schtasks.exe
PID 1992 wrote to memory of 752	1992	Request ## HMI 8130-3##.pdf.exe	schtasks.exe
PID 1992 wrote to memory of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 1992 wrote to memory of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 1992 wrote to memory of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 1992 wrote to memory of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 1992 wrote to memory of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 1992 wrote to memory of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 1992 wrote to memory of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 1992 wrote to memory of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 1992 wrote to memory of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 1992 wrote to memory of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 1992 wrote to memory of 1928	1992	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 1928 wrote to memory of 1824	1928	vbc.exe	WScript.exe
PID 1928 wrote to memory of 1824	1928	vbc.exe	WScript.exe
PID 1928 wrote to memory of 1824	1928	vbc.exe	WScript.exe
PID 1928 wrote to memory of 1824	1928	vbc.exe	WScript.exe
PID 1824 wrote to memory of 756	1824	WScript.exe	cmd.exe
PID 1824 wrote to memory of 756	1824	WScript.exe	cmd.exe
PID 1824 wrote to memory of 756	1824	WScript.exe	cmd.exe
PID 1824 wrote to memory of 756	1824	WScript.exe	cmd.exe
PID 756 wrote to memory of 1160	756	cmd.exe	windows update.exe
PID 756 wrote to memory of 1160	756	cmd.exe	windows update.exe
PID 756 wrote to memory of 1160	756	cmd.exe	windows update.exe
PID 756 wrote to memory of 1160	756	cmd.exe	windows update.exe
PID 756 wrote to memory of 1160	756	cmd.exe	windows update.exe
PID 756 wrote to memory of 1160	756	cmd.exe	windows update.exe
PID 756 wrote to memory of 1160	756	cmd.exe	windows update.exe

C:\Users\Admin\AppData\Local\Temp\Request ## HMI 8130-3##.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Request ## HMI 8130-3##.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxVYDCoPb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA4.tmp"
2⤵
- Creates scheduled task(s)
PID:752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe
"C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe"
5⤵
- Executes dropped EXE
PID:1160

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
ecc04d2275a312f55c1ab894dc4dd602

SHA1
58e66fb27ffe1bf77d8afcd76540d008b34f6d0c

SHA256
964b848431157771cf78be4819cd22cb42b942a02a69f945b3e3af94a623b852

SHA512
308b25c650710da0831fa62a6883cc49904f9799468eb30fe02a64db11f3e90124c93c317a470d5b5c51aaeb6b50cb9d3c7f4f1205b2000a94093b6fcb84dbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA4.tmp
MD5
b5b7ef6551fc82c035bdb1f7fabd887b

SHA1
15df5d990fc3ecfeebdc7c62a20231b0ecef28d4

SHA256
e14c861f5ac2822bc033426c0552abecc0b86d5e17a02a3f1f8aafd336f67d07

SHA512
69ce5004ebf65ff2677f6cf16f39e120d408e64f914fa1f79cbd6a306b57217a94680d6d08442c0a0e88daf1117dd2e4fd0afdcab97df675aef3d0269dcce96b

Download Submit
C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Roaming\microsoft office\windows update.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/752-2-0x0000000000000000-mapping.dmp

Download
memory/756-9-0x0000000000000000-mapping.dmp

Download
memory/1160-13-0x0000000000000000-mapping.dmp

Download
memory/1824-7-0x0000000000000000-mapping.dmp

Download
memory/1824-10-0x00000000026D0000-0x00000000026D4000-memory.dmp

Filesize
16KB

Download
memory/1928-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1928-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1928-5-0x0000000000413FA4-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads