remcos | 596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90

Analysis

max time kernel
149s
max time network
148s
platform
windows10_x64
resource
win10v20201028
submitted
12-01-2021 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

i5TiYkAYkWJy1O8.exe
Size

772KB
MD5

e17a0488de5ca3c73672541143ee6927
SHA1

8a4c59f81c17710e665fb3e055dc1cbd28bc8ce6
SHA256

596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90
SHA512

6766459cca6b6a25902973ca210e274241841e7acd2684ccb3f362040e3dbd568f1b430d305e773e50e0ec1e5e7cd879d8f3aff7d4cc30ce0a786be58555537d

Score

10^/10

remcos persistence rat spyware

Malware Config

Extracted

Family

remcos

185.244.26.208:29100

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 4 IoCs

Processes:

remcos.exeremcos.exeremcos.exeremcos.exe

pid process

3800 remcos.exe
2244 remcos.exe
2232 remcos.exe
340 remcos.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3800	remcos.exe
2244	remcos.exe
2232	remcos.exe
340	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i5TiYkAYkWJy1O8.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	i5TiYkAYkWJy1O8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	i5TiYkAYkWJy1O8.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

i5TiYkAYkWJy1O8.exeremcos.exeremcos.exe

description	pid	process	target process
PID 3576 set thread context of 2524	3576	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 3800 set thread context of 2244	3800	remcos.exe	remcos.exe
PID 2244 set thread context of 2232	2244	remcos.exe	remcos.exe
PID 2244 set thread context of 340	2244	remcos.exe	remcos.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2180 schtasks.exe
736 schtasks.exe
Modifies registry class 1 IoCs

Processes:

i5TiYkAYkWJy1O8.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings i5TiYkAYkWJy1O8.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

i5TiYkAYkWJy1O8.exeremcos.exeremcos.exeremcos.exe

pid process

3576 i5TiYkAYkWJy1O8.exe
3800 remcos.exe
2232 remcos.exe
2232 remcos.exe
340 remcos.exe
340 remcos.exe
2232 remcos.exe
2232 remcos.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

i5TiYkAYkWJy1O8.exeremcos.exeremcos.exe

description pid process

Token: SeDebugPrivilege 3576 i5TiYkAYkWJy1O8.exe
Token: SeDebugPrivilege 3800 remcos.exe
Token: SeDebugPrivilege 340 remcos.exe

pid	process
2180	schtasks.exe
736	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	i5TiYkAYkWJy1O8.exe

pid	process
3576	i5TiYkAYkWJy1O8.exe
3800	remcos.exe
2232	remcos.exe
2232	remcos.exe
340	remcos.exe
340	remcos.exe
2232	remcos.exe
2232	remcos.exe

description	pid	process
Token: SeDebugPrivilege	3576	i5TiYkAYkWJy1O8.exe
Token: SeDebugPrivilege	3800	remcos.exe
Token: SeDebugPrivilege	340	remcos.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

i5TiYkAYkWJy1O8.exei5TiYkAYkWJy1O8.exeWScript.execmd.exeremcos.exeremcos.exe

description	pid	process	target process
PID 3576 wrote to memory of 2180	3576	i5TiYkAYkWJy1O8.exe	schtasks.exe
PID 3576 wrote to memory of 2180	3576	i5TiYkAYkWJy1O8.exe	schtasks.exe
PID 3576 wrote to memory of 2180	3576	i5TiYkAYkWJy1O8.exe	schtasks.exe
PID 3576 wrote to memory of 2524	3576	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 3576 wrote to memory of 2524	3576	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 3576 wrote to memory of 2524	3576	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 3576 wrote to memory of 2524	3576	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 3576 wrote to memory of 2524	3576	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 3576 wrote to memory of 2524	3576	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 3576 wrote to memory of 2524	3576	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 3576 wrote to memory of 2524	3576	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 3576 wrote to memory of 2524	3576	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 3576 wrote to memory of 2524	3576	i5TiYkAYkWJy1O8.exe	i5TiYkAYkWJy1O8.exe
PID 2524 wrote to memory of 1124	2524	i5TiYkAYkWJy1O8.exe	WScript.exe
PID 2524 wrote to memory of 1124	2524	i5TiYkAYkWJy1O8.exe	WScript.exe
PID 2524 wrote to memory of 1124	2524	i5TiYkAYkWJy1O8.exe	WScript.exe
PID 1124 wrote to memory of 3112	1124	WScript.exe	cmd.exe
PID 1124 wrote to memory of 3112	1124	WScript.exe	cmd.exe
PID 1124 wrote to memory of 3112	1124	WScript.exe	cmd.exe
PID 3112 wrote to memory of 3800	3112	cmd.exe	remcos.exe
PID 3112 wrote to memory of 3800	3112	cmd.exe	remcos.exe
PID 3112 wrote to memory of 3800	3112	cmd.exe	remcos.exe
PID 3800 wrote to memory of 736	3800	remcos.exe	schtasks.exe
PID 3800 wrote to memory of 736	3800	remcos.exe	schtasks.exe
PID 3800 wrote to memory of 736	3800	remcos.exe	schtasks.exe
PID 3800 wrote to memory of 2244	3800	remcos.exe	remcos.exe
PID 3800 wrote to memory of 2244	3800	remcos.exe	remcos.exe
PID 3800 wrote to memory of 2244	3800	remcos.exe	remcos.exe
PID 3800 wrote to memory of 2244	3800	remcos.exe	remcos.exe
PID 3800 wrote to memory of 2244	3800	remcos.exe	remcos.exe
PID 3800 wrote to memory of 2244	3800	remcos.exe	remcos.exe
PID 3800 wrote to memory of 2244	3800	remcos.exe	remcos.exe
PID 3800 wrote to memory of 2244	3800	remcos.exe	remcos.exe
PID 3800 wrote to memory of 2244	3800	remcos.exe	remcos.exe
PID 3800 wrote to memory of 2244	3800	remcos.exe	remcos.exe
PID 2244 wrote to memory of 2200	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 2200	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 2200	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 2232	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 2232	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 2232	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 2232	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 2232	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 2232	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 2232	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 2232	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 340	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 340	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 340	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 340	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 340	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 340	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 340	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 340	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 644	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 644	2244	remcos.exe	remcos.exe
PID 2244 wrote to memory of 644	2244	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\i5TiYkAYkWJy1O8.exe
"C:\Users\Admin\AppData\Local\Temp\i5TiYkAYkWJy1O8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LChCpmvhHgIatd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B16.tmp"
2⤵
- Creates scheduled task(s)
PID:2180

C:\Users\Admin\AppData\Local\Temp\i5TiYkAYkWJy1O8.exe
"C:\Users\Admin\AppData\Local\Temp\i5TiYkAYkWJy1O8.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LChCpmvhHgIatd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp28D1.tmp"
6⤵
- Creates scheduled task(s)
PID:736

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\flflminm"
7⤵
PID:2200

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\flflminm"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\pglvnsygszr"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\saqonljighjazcn"
7⤵
PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\flflminm
MD5
814b5ce4cad79d36055d2d4b5958cc31

SHA1
2a06a869615f0858479371b0415899681fb0c7d8

SHA256
6d1fa1a75faec2b39e8a2a1df8dd0f15e5256de7da7c527225ecf22fdacaf559

SHA512
a82fa1594ccbe1df93a973a01c787a6baa0ce8a97c0b0b0a844c90cb6be092b1094636b4d88c568fece95cd9bdfe4412875011abe318373a4fcfc218f93d1278

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp28D1.tmp
MD5
b785027f3cacec9ca525346c3bb323a4

SHA1
bf70613b53b025a338a469e32fda4351bbf5d835

SHA256
9cff36d31a694709b7cc6b46611975f658898f6ae4f40f009c66c48d7434931b

SHA512
6da93bf2be1c938adc0eb5ea46f3760bc391786ff52ab65fd03a09da72170820957420627a7cc2e6ac64d4d6997747b9a179e5f2006291febabf979153935095

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B16.tmp
MD5
b785027f3cacec9ca525346c3bb323a4

SHA1
bf70613b53b025a338a469e32fda4351bbf5d835

SHA256
9cff36d31a694709b7cc6b46611975f658898f6ae4f40f009c66c48d7434931b

SHA512
6da93bf2be1c938adc0eb5ea46f3760bc391786ff52ab65fd03a09da72170820957420627a7cc2e6ac64d4d6997747b9a179e5f2006291febabf979153935095

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
e17a0488de5ca3c73672541143ee6927

SHA1
8a4c59f81c17710e665fb3e055dc1cbd28bc8ce6

SHA256
596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90

SHA512
6766459cca6b6a25902973ca210e274241841e7acd2684ccb3f362040e3dbd568f1b430d305e773e50e0ec1e5e7cd879d8f3aff7d4cc30ce0a786be58555537d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
e17a0488de5ca3c73672541143ee6927

SHA1
8a4c59f81c17710e665fb3e055dc1cbd28bc8ce6

SHA256
596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90

SHA512
6766459cca6b6a25902973ca210e274241841e7acd2684ccb3f362040e3dbd568f1b430d305e773e50e0ec1e5e7cd879d8f3aff7d4cc30ce0a786be58555537d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
e17a0488de5ca3c73672541143ee6927

SHA1
8a4c59f81c17710e665fb3e055dc1cbd28bc8ce6

SHA256
596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90

SHA512
6766459cca6b6a25902973ca210e274241841e7acd2684ccb3f362040e3dbd568f1b430d305e773e50e0ec1e5e7cd879d8f3aff7d4cc30ce0a786be58555537d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
e17a0488de5ca3c73672541143ee6927

SHA1
8a4c59f81c17710e665fb3e055dc1cbd28bc8ce6

SHA256
596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90

SHA512
6766459cca6b6a25902973ca210e274241841e7acd2684ccb3f362040e3dbd568f1b430d305e773e50e0ec1e5e7cd879d8f3aff7d4cc30ce0a786be58555537d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
e17a0488de5ca3c73672541143ee6927

SHA1
8a4c59f81c17710e665fb3e055dc1cbd28bc8ce6

SHA256
596479cd77e25e5d6dbf0b421afff049390813cc254ae90f86af00a10bdf6f90

SHA512
6766459cca6b6a25902973ca210e274241841e7acd2684ccb3f362040e3dbd568f1b430d305e773e50e0ec1e5e7cd879d8f3aff7d4cc30ce0a786be58555537d

Download Submit
memory/340-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/340-44-0x0000000000422206-mapping.dmp

Download
memory/340-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/340-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/736-33-0x0000000000000000-mapping.dmp

Download
memory/1124-17-0x0000000000000000-mapping.dmp

Download
memory/2180-12-0x0000000000000000-mapping.dmp

Download
memory/2232-40-0x0000000000476274-mapping.dmp

Download
memory/2232-39-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2232-43-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2232-45-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2244-36-0x0000000000413FA4-mapping.dmp

Download
memory/2244-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2524-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2524-15-0x0000000000413FA4-mapping.dmp

Download
memory/2524-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3112-19-0x0000000000000000-mapping.dmp

Download
memory/3576-2-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3576-11-0x00000000061E0000-0x000000000623F000-memory.dmp

Filesize
380KB

Download
memory/3576-10-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/3576-9-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/3576-8-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/3576-7-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/3576-6-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/3576-5-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/3576-3-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3800-23-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3800-20-0x0000000000000000-mapping.dmp

Download