remcos | 059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642

General

Target

Request ## HMI 8130-3##.pdf.exe
Size

1013KB
MD5

d91456035c9e48c7b8da1ebcd4d6cdbc
SHA1

65fae97ec1480deb5421bc967e316ce10977c9db
SHA256

059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642
SHA512

8b614bb9b11fda452a39a8a86ddcd1d82d285f329063a8d4755fc1b6c0e46f92b9c7a79641f60ed4739fe4203b5a7e2fdeda9ee45e3cf0960c17b4ee9e6a9731

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

richiealvin2021.duckdns.org:1989

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

windows update.exe

pid process

1608 windows update.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1608	windows update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows update = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsoft office\\windows update.exe\""	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Request ## HMI 8130-3##.pdf.exe

description pid process target process

PID 4768 set thread context of 816 4768 Request ## HMI 8130-3##.pdf.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

416 schtasks.exe
Modifies registry class 1 IoCs

Processes:

vbc.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings vbc.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Request ## HMI 8130-3##.pdf.exe

pid process

4768 Request ## HMI 8130-3##.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Request ## HMI 8130-3##.pdf.exe

description pid process

Token: SeDebugPrivilege 4768 Request ## HMI 8130-3##.pdf.exe

description	pid	process	target process
PID 4768 set thread context of 816	4768	Request ## HMI 8130-3##.pdf.exe	vbc.exe

pid	process
416	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	vbc.exe

pid	process
4768	Request ## HMI 8130-3##.pdf.exe

description	pid	process
Token: SeDebugPrivilege	4768	Request ## HMI 8130-3##.pdf.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

Request ## HMI 8130-3##.pdf.exevbc.exeWScript.execmd.exe

description	pid	process	target process
PID 4768 wrote to memory of 416	4768	Request ## HMI 8130-3##.pdf.exe	schtasks.exe
PID 4768 wrote to memory of 416	4768	Request ## HMI 8130-3##.pdf.exe	schtasks.exe
PID 4768 wrote to memory of 416	4768	Request ## HMI 8130-3##.pdf.exe	schtasks.exe
PID 4768 wrote to memory of 816	4768	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 4768 wrote to memory of 816	4768	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 4768 wrote to memory of 816	4768	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 4768 wrote to memory of 816	4768	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 4768 wrote to memory of 816	4768	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 4768 wrote to memory of 816	4768	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 4768 wrote to memory of 816	4768	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 4768 wrote to memory of 816	4768	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 4768 wrote to memory of 816	4768	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 4768 wrote to memory of 816	4768	Request ## HMI 8130-3##.pdf.exe	vbc.exe
PID 816 wrote to memory of 1104	816	vbc.exe	WScript.exe
PID 816 wrote to memory of 1104	816	vbc.exe	WScript.exe
PID 816 wrote to memory of 1104	816	vbc.exe	WScript.exe
PID 1104 wrote to memory of 1424	1104	WScript.exe	cmd.exe
PID 1104 wrote to memory of 1424	1104	WScript.exe	cmd.exe
PID 1104 wrote to memory of 1424	1104	WScript.exe	cmd.exe
PID 1424 wrote to memory of 1608	1424	cmd.exe	windows update.exe
PID 1424 wrote to memory of 1608	1424	cmd.exe	windows update.exe
PID 1424 wrote to memory of 1608	1424	cmd.exe	windows update.exe

C:\Users\Admin\AppData\Local\Temp\Request ## HMI 8130-3##.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Request ## HMI 8130-3##.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxVYDCoPb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47F7.tmp"
2⤵
- Creates scheduled task(s)
PID:416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe
"C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe"
5⤵
- Executes dropped EXE
PID:1608

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
ecc04d2275a312f55c1ab894dc4dd602

SHA1
58e66fb27ffe1bf77d8afcd76540d008b34f6d0c

SHA256
964b848431157771cf78be4819cd22cb42b942a02a69f945b3e3af94a623b852

SHA512
308b25c650710da0831fa62a6883cc49904f9799468eb30fe02a64db11f3e90124c93c317a470d5b5c51aaeb6b50cb9d3c7f4f1205b2000a94093b6fcb84dbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47F7.tmp
MD5
b42878e4c2d1a77d86a0b902497cbfec

SHA1
9a31ee1047b7aef9413af22bbc9d99117645bfb0

SHA256
0721627e82a5eda150d7b06201f98a32cfc107ce6af713dd864dfde4c6593f63

SHA512
5cf734fad128dcc4eeab4aa49b9f449495b25b5544e687591e9a05d925cb41691407109c360be1eea06bb0a4c772815d3f09e6f63cb3d96d78de473ed5db2eea

Download Submit
C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe
MD5
99d17ff97e92667bf238e5154e53c6a1

SHA1
893d5e4fc27e23831dba69e39762fb494c7edc94

SHA256
bb44568093a3b7299af075b09358bb4691abaa57c0496e8d97d289b05b58ad27

SHA512
31c5a1425d3fd36a26dc85270a19d6d1a07a644466de4527798985b12aba1242a961e6df0990c6f0bbb7f21a4c4de31aa4baaaf18999894e7c6cb56f4689bddd

Download Submit
C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe
MD5
99d17ff97e92667bf238e5154e53c6a1

SHA1
893d5e4fc27e23831dba69e39762fb494c7edc94

SHA256
bb44568093a3b7299af075b09358bb4691abaa57c0496e8d97d289b05b58ad27

SHA512
31c5a1425d3fd36a26dc85270a19d6d1a07a644466de4527798985b12aba1242a961e6df0990c6f0bbb7f21a4c4de31aa4baaaf18999894e7c6cb56f4689bddd

Download Submit
memory/416-2-0x0000000000000000-mapping.dmp

Download
memory/816-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/816-5-0x0000000000413FA4-mapping.dmp

Download
memory/816-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1104-7-0x0000000000000000-mapping.dmp

Download
memory/1424-9-0x0000000000000000-mapping.dmp

Download
memory/1608-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads