remcos | 5af5665fcaf756eec2ab43c07645c814438102dba39e782a030025635a8fb713

General

Target

PO-OIOI09000.exe
Size

162KB
MD5

79b1df10d2cd8b5a115059a656594d04
SHA1

d42137c82f89036c6d0ed10c5df9bece89e4d8ba
SHA256

5af5665fcaf756eec2ab43c07645c814438102dba39e782a030025635a8fb713
SHA512

3dbb4ec67ae5b99c121f61088acc3336ff6bd1f8f93291db596448817150f9a340b2a6803cd0a12e4e9db4843d0d86318bacece36cb5f8bb5fea84341d9c24fa

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

45.137.22.52:8780

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO-OIOI09000.exe

description pid process target process

PID 4224 set thread context of 4236 4224 PO-OIOI09000.exe PO-OIOI09000.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3232 schtasks.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

PO-OIOI09000.exePO-OIOI09000.exePO-OIOI09000.exePO-OIOI09000.exe

pid process

4756 PO-OIOI09000.exe
4260 PO-OIOI09000.exe
3252 PO-OIOI09000.exe
4224 PO-OIOI09000.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PO-OIOI09000.exe

pid process

4236 PO-OIOI09000.exe

description	pid	process	target process
PID 4224 set thread context of 4236	4224	PO-OIOI09000.exe	PO-OIOI09000.exe

pid	process
3232	schtasks.exe

pid	process
4756	PO-OIOI09000.exe
4260	PO-OIOI09000.exe
3252	PO-OIOI09000.exe
4224	PO-OIOI09000.exe

pid	process
4236	PO-OIOI09000.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

PO-OIOI09000.execmd.exePO-OIOI09000.exePO-OIOI09000.exePO-OIOI09000.exe

description	pid	process	target process
PID 4756 wrote to memory of 2812	4756	PO-OIOI09000.exe	cmd.exe
PID 4756 wrote to memory of 2812	4756	PO-OIOI09000.exe	cmd.exe
PID 4756 wrote to memory of 2812	4756	PO-OIOI09000.exe	cmd.exe
PID 4756 wrote to memory of 816	4756	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4756 wrote to memory of 816	4756	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4756 wrote to memory of 816	4756	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4756 wrote to memory of 4260	4756	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4756 wrote to memory of 4260	4756	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4756 wrote to memory of 4260	4756	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 2812 wrote to memory of 3232	2812	cmd.exe	schtasks.exe
PID 2812 wrote to memory of 3232	2812	cmd.exe	schtasks.exe
PID 2812 wrote to memory of 3232	2812	cmd.exe	schtasks.exe
PID 4260 wrote to memory of 4068	4260	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4260 wrote to memory of 4068	4260	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4260 wrote to memory of 4068	4260	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4260 wrote to memory of 3252	4260	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4260 wrote to memory of 3252	4260	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4260 wrote to memory of 3252	4260	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 3252 wrote to memory of 3848	3252	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 3252 wrote to memory of 3848	3252	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 3252 wrote to memory of 3848	3252	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 3252 wrote to memory of 4224	3252	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 3252 wrote to memory of 4224	3252	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 3252 wrote to memory of 4224	3252	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4224 wrote to memory of 4236	4224	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4224 wrote to memory of 4236	4224	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4224 wrote to memory of 4236	4224	PO-OIOI09000.exe	PO-OIOI09000.exe
PID 4224 wrote to memory of 4236	4224	PO-OIOI09000.exe	PO-OIOI09000.exe

C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe
"C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\ad68a960caf64e05813c6305899a3528.xml"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\ad68a960caf64e05813c6305899a3528.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3232
- C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe
  "C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe"
  2⤵
  PID:816
- C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe
  "C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe"
    3⤵
    PID:4068
- - C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe"
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe
      "C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe"
      4⤵
      PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe
      "C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PO-OIOI09000.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ad68a960caf64e05813c6305899a3528.xml

MD5
aa2f6636e997aaa0b01fbc78b1dabe52

SHA1
fd462100fc91975dcbea8e361cf1eb8a70f6ad54

SHA256
d710b6eda22285684579d8b547e5be2f48883c4bf8db39993b00df30f9dc8723

SHA512
6540a3bbdbd3ab51679d5b32380e6c288bf6eba2777d067d40bfe65642ccafecd18028b102dfa46ac189d84282da2b6cb202a4f307587c5639f86834788f5104

Download Submit
memory/2812-2-0x0000000000000000-mapping.dmp

Download
memory/3232-4-0x0000000000000000-mapping.dmp

Download
memory/3252-6-0x0000000000000000-mapping.dmp

Download
memory/4224-7-0x0000000000000000-mapping.dmp

Download
memory/4236-8-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4236-9-0x000000000040FD88-mapping.dmp

Download
memory/4236-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4260-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads