remcos | 7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585

General

Target

Shipping Document PL BL 960.exe
Size

973KB
MD5

01856ddc0973cc04929480b93139ffa5
SHA1

c204a09386374da5924ace3f928e33d89f54d4d2
SHA256

7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585
SHA512

499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

favour2021.ddns.net:1990

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1784 remcos.exe
4536 remcos.exe

pid	process
1784	remcos.exe
4536	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Shipping Document PL BL 960.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Shipping Document PL BL 960.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	Shipping Document PL BL 960.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Shipping Document PL BL 960.exeremcos.exe

description	pid	process	target process
PID 4768 set thread context of 352	4768	Shipping Document PL BL 960.exe	Shipping Document PL BL 960.exe
PID 1784 set thread context of 4536	1784	remcos.exe	remcos.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4016 schtasks.exe
648 schtasks.exe
Modifies registry class 1 IoCs

Processes:

Shipping Document PL BL 960.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings Shipping Document PL BL 960.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Shipping Document PL BL 960.exeremcos.exe

pid process

4768 Shipping Document PL BL 960.exe
1784 remcos.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Shipping Document PL BL 960.exeremcos.exe

description pid process

Token: SeDebugPrivilege 4768 Shipping Document PL BL 960.exe
Token: SeDebugPrivilege 1784 remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

4536 remcos.exe

pid	process
4016	schtasks.exe
648	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	Shipping Document PL BL 960.exe

pid	process
4768	Shipping Document PL BL 960.exe
1784	remcos.exe

description	pid	process
Token: SeDebugPrivilege	4768	Shipping Document PL BL 960.exe
Token: SeDebugPrivilege	1784	remcos.exe

pid	process
4536	remcos.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Shipping Document PL BL 960.exeShipping Document PL BL 960.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 4768 wrote to memory of 648	4768	Shipping Document PL BL 960.exe	schtasks.exe
PID 4768 wrote to memory of 648	4768	Shipping Document PL BL 960.exe	schtasks.exe
PID 4768 wrote to memory of 648	4768	Shipping Document PL BL 960.exe	schtasks.exe
PID 4768 wrote to memory of 352	4768	Shipping Document PL BL 960.exe	Shipping Document PL BL 960.exe
PID 4768 wrote to memory of 352	4768	Shipping Document PL BL 960.exe	Shipping Document PL BL 960.exe
PID 4768 wrote to memory of 352	4768	Shipping Document PL BL 960.exe	Shipping Document PL BL 960.exe
PID 4768 wrote to memory of 352	4768	Shipping Document PL BL 960.exe	Shipping Document PL BL 960.exe
PID 4768 wrote to memory of 352	4768	Shipping Document PL BL 960.exe	Shipping Document PL BL 960.exe
PID 4768 wrote to memory of 352	4768	Shipping Document PL BL 960.exe	Shipping Document PL BL 960.exe
PID 4768 wrote to memory of 352	4768	Shipping Document PL BL 960.exe	Shipping Document PL BL 960.exe
PID 4768 wrote to memory of 352	4768	Shipping Document PL BL 960.exe	Shipping Document PL BL 960.exe
PID 4768 wrote to memory of 352	4768	Shipping Document PL BL 960.exe	Shipping Document PL BL 960.exe
PID 4768 wrote to memory of 352	4768	Shipping Document PL BL 960.exe	Shipping Document PL BL 960.exe
PID 352 wrote to memory of 1312	352	Shipping Document PL BL 960.exe	WScript.exe
PID 352 wrote to memory of 1312	352	Shipping Document PL BL 960.exe	WScript.exe
PID 352 wrote to memory of 1312	352	Shipping Document PL BL 960.exe	WScript.exe
PID 1312 wrote to memory of 1592	1312	WScript.exe	cmd.exe
PID 1312 wrote to memory of 1592	1312	WScript.exe	cmd.exe
PID 1312 wrote to memory of 1592	1312	WScript.exe	cmd.exe
PID 1592 wrote to memory of 1784	1592	cmd.exe	remcos.exe
PID 1592 wrote to memory of 1784	1592	cmd.exe	remcos.exe
PID 1592 wrote to memory of 1784	1592	cmd.exe	remcos.exe
PID 1784 wrote to memory of 4016	1784	remcos.exe	schtasks.exe
PID 1784 wrote to memory of 4016	1784	remcos.exe	schtasks.exe
PID 1784 wrote to memory of 4016	1784	remcos.exe	schtasks.exe
PID 1784 wrote to memory of 4536	1784	remcos.exe	remcos.exe
PID 1784 wrote to memory of 4536	1784	remcos.exe	remcos.exe
PID 1784 wrote to memory of 4536	1784	remcos.exe	remcos.exe
PID 1784 wrote to memory of 4536	1784	remcos.exe	remcos.exe
PID 1784 wrote to memory of 4536	1784	remcos.exe	remcos.exe
PID 1784 wrote to memory of 4536	1784	remcos.exe	remcos.exe
PID 1784 wrote to memory of 4536	1784	remcos.exe	remcos.exe
PID 1784 wrote to memory of 4536	1784	remcos.exe	remcos.exe
PID 1784 wrote to memory of 4536	1784	remcos.exe	remcos.exe
PID 1784 wrote to memory of 4536	1784	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\Shipping Document PL BL 960.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL BL 960.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hvEYWBAfCvEku" /XML "C:\Users\Admin\AppData\Local\Temp\tmp448C.tmp"
2⤵
- Creates scheduled task(s)
PID:648

C:\Users\Admin\AppData\Local\Temp\Shipping Document PL BL 960.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL BL 960.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hvEYWBAfCvEku" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3BAD.tmp"
6⤵
- Creates scheduled task(s)
PID:4016

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3BAD.tmp

MD5
b9472a2c25474d9f1af961e4e7b3e4f9

SHA1
274b7161ddef2212bfeece67a24ae87c1945c326

SHA256
17c6970247a7c9bcc9b9f4aaab8b6d5ee165bd436064d73808d99b5b88a778db

SHA512
a68927b4b42116a9edc168104ca0563bbdc628efc0621c8befee27bd5688df85acc534ff3c893659b10ede032d83452e35bd73b68a5c3244ccd8218d7a2d2490

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp448C.tmp

MD5
b9472a2c25474d9f1af961e4e7b3e4f9

SHA1
274b7161ddef2212bfeece67a24ae87c1945c326

SHA256
17c6970247a7c9bcc9b9f4aaab8b6d5ee165bd436064d73808d99b5b88a778db

SHA512
a68927b4b42116a9edc168104ca0563bbdc628efc0621c8befee27bd5688df85acc534ff3c893659b10ede032d83452e35bd73b68a5c3244ccd8218d7a2d2490

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
01856ddc0973cc04929480b93139ffa5

SHA1
c204a09386374da5924ace3f928e33d89f54d4d2

SHA256
7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585

SHA512
499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
01856ddc0973cc04929480b93139ffa5

SHA1
c204a09386374da5924ace3f928e33d89f54d4d2

SHA256
7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585

SHA512
499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
01856ddc0973cc04929480b93139ffa5

SHA1
c204a09386374da5924ace3f928e33d89f54d4d2

SHA256
7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585

SHA512
499951d507d49ae69ea1c6206575e1a14ee5cbf1bf5c6fc2099da858276721cb9efb67454f40790c69b09b8b419f8a1869234c1b983721a5fea99ec62c4a0386

Download Submit
memory/352-15-0x0000000000413FA4-mapping.dmp

Download
memory/352-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/352-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/648-12-0x0000000000000000-mapping.dmp

Download
memory/1312-17-0x0000000000000000-mapping.dmp

Download
memory/1592-19-0x0000000000000000-mapping.dmp

Download
memory/1784-20-0x0000000000000000-mapping.dmp

Download
memory/1784-23-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/4016-33-0x0000000000000000-mapping.dmp

Download
memory/4536-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4536-36-0x0000000000413FA4-mapping.dmp

Download
memory/4768-8-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/4768-7-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/4768-6-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/4768-10-0x0000000005880000-0x0000000005892000-memory.dmp

Filesize
72KB

Download
memory/4768-2-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/4768-5-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/4768-9-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/4768-3-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/4768-11-0x00000000065F0000-0x000000000664D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads