remcos | 7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585

General

Target

DHL 3374687886,PDF.exe
Size

973KB
MD5

01856ddc0973cc04929480b93139ffa5
SHA1

c204a09386374da5924ace3f928e33d89f54d4d2
SHA256

7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585
SHA512

499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

favour2021.ddns.net:1990

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

remcos.exeremcos.exeremcos.exe

pid process

1068 remcos.exe
1980 remcos.exe
1880 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

316 cmd.exe

pid	process
1068	remcos.exe
1980	remcos.exe
1880	remcos.exe

pid	process
316	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.exeDHL 3374687886,PDF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	DHL 3374687886,PDF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	DHL 3374687886,PDF.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

DHL 3374687886,PDF.exeremcos.exe

description	pid	process	target process
PID 1828 set thread context of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 1068 set thread context of 1880	1068	remcos.exe	remcos.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1472 schtasks.exe
1976 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

remcos.exe

pid process

1068 remcos.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

remcos.exe

description pid process

Token: SeDebugPrivilege 1068 remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1880 remcos.exe

pid	process
1472	schtasks.exe
1976	schtasks.exe

pid	process
1068	remcos.exe

description	pid	process
Token: SeDebugPrivilege	1068	remcos.exe

pid	process
1880	remcos.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

DHL 3374687886,PDF.exeDHL 3374687886,PDF.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 1828 wrote to memory of 1472	1828	DHL 3374687886,PDF.exe	schtasks.exe
PID 1828 wrote to memory of 1472	1828	DHL 3374687886,PDF.exe	schtasks.exe
PID 1828 wrote to memory of 1472	1828	DHL 3374687886,PDF.exe	schtasks.exe
PID 1828 wrote to memory of 1472	1828	DHL 3374687886,PDF.exe	schtasks.exe
PID 1828 wrote to memory of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 1828 wrote to memory of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 1828 wrote to memory of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 1828 wrote to memory of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 1828 wrote to memory of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 1828 wrote to memory of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 1828 wrote to memory of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 1828 wrote to memory of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 1828 wrote to memory of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 1828 wrote to memory of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 1828 wrote to memory of 996	1828	DHL 3374687886,PDF.exe	DHL 3374687886,PDF.exe
PID 996 wrote to memory of 792	996	DHL 3374687886,PDF.exe	WScript.exe
PID 996 wrote to memory of 792	996	DHL 3374687886,PDF.exe	WScript.exe
PID 996 wrote to memory of 792	996	DHL 3374687886,PDF.exe	WScript.exe
PID 996 wrote to memory of 792	996	DHL 3374687886,PDF.exe	WScript.exe
PID 792 wrote to memory of 316	792	WScript.exe	cmd.exe
PID 792 wrote to memory of 316	792	WScript.exe	cmd.exe
PID 792 wrote to memory of 316	792	WScript.exe	cmd.exe
PID 792 wrote to memory of 316	792	WScript.exe	cmd.exe
PID 316 wrote to memory of 1068	316	cmd.exe	remcos.exe
PID 316 wrote to memory of 1068	316	cmd.exe	remcos.exe
PID 316 wrote to memory of 1068	316	cmd.exe	remcos.exe
PID 316 wrote to memory of 1068	316	cmd.exe	remcos.exe
PID 1068 wrote to memory of 1976	1068	remcos.exe	schtasks.exe
PID 1068 wrote to memory of 1976	1068	remcos.exe	schtasks.exe
PID 1068 wrote to memory of 1976	1068	remcos.exe	schtasks.exe
PID 1068 wrote to memory of 1976	1068	remcos.exe	schtasks.exe
PID 1068 wrote to memory of 1980	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1980	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1980	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1980	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1880	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1880	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1880	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1880	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1880	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1880	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1880	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1880	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1880	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1880	1068	remcos.exe	remcos.exe
PID 1068 wrote to memory of 1880	1068	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\DHL 3374687886,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL 3374687886,PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hvEYWBAfCvEku" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C13.tmp"
2⤵
- Creates scheduled task(s)
PID:1472

C:\Users\Admin\AppData\Local\Temp\DHL 3374687886,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL 3374687886,PDF.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hvEYWBAfCvEku" /XML "C:\Users\Admin\AppData\Local\Temp\tmp781D.tmp"
6⤵
- Creates scheduled task(s)
PID:1976

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp781D.tmp
MD5
48c22544f814c4edc93d855f4db16ecf

SHA1
125f9daea9f07007dfe33b18af505e23ad845401

SHA256
0eb671f35286faa12a42468d57847ab5ccf267e9264f9eb3811226901505dc25

SHA512
a93ab96f0fefd3fdf19b21233993c0a17d750881513d0692bc828855bc651004cde97d98bd12c4d44f9ab312a078454da44f9a10ebe3cc3e97e0441978ab75bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C13.tmp
MD5
48c22544f814c4edc93d855f4db16ecf

SHA1
125f9daea9f07007dfe33b18af505e23ad845401

SHA256
0eb671f35286faa12a42468d57847ab5ccf267e9264f9eb3811226901505dc25

SHA512
a93ab96f0fefd3fdf19b21233993c0a17d750881513d0692bc828855bc651004cde97d98bd12c4d44f9ab312a078454da44f9a10ebe3cc3e97e0441978ab75bc

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
01856ddc0973cc04929480b93139ffa5

SHA1
c204a09386374da5924ace3f928e33d89f54d4d2

SHA256
7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585

SHA512
499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
01856ddc0973cc04929480b93139ffa5

SHA1
c204a09386374da5924ace3f928e33d89f54d4d2

SHA256
7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585

SHA512
499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
01856ddc0973cc04929480b93139ffa5

SHA1
c204a09386374da5924ace3f928e33d89f54d4d2

SHA256
7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585

SHA512
499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
01856ddc0973cc04929480b93139ffa5

SHA1
c204a09386374da5924ace3f928e33d89f54d4d2

SHA256
7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585

SHA512
499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
01856ddc0973cc04929480b93139ffa5

SHA1
c204a09386374da5924ace3f928e33d89f54d4d2

SHA256
7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585

SHA512
499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386

Download Submit
memory/316-14-0x0000000000000000-mapping.dmp

Download
memory/792-15-0x0000000002870000-0x0000000002874000-memory.dmp

Filesize
16KB

Download
memory/792-12-0x0000000000000000-mapping.dmp

Download
memory/996-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/996-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/996-10-0x0000000000413FA4-mapping.dmp

Download
memory/1068-18-0x0000000000000000-mapping.dmp

Download
memory/1068-20-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1472-7-0x0000000000000000-mapping.dmp

Download
memory/1828-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1828-6-0x0000000005100000-0x000000000515D000-memory.dmp

Filesize
372KB

Download
memory/1828-5-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/1828-3-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1880-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1880-29-0x0000000000413FA4-mapping.dmp

Download
memory/1976-25-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads