remcos | 43161c0778fd7277ad2d18d914e616e1ada7458ed92dff0d874fe5dd964c1975

General

Target

AS006-20211201.pdf.exe
Size

843KB
MD5

5b58aebe0dd52b528d61475c704dd359
SHA1

2297d93e6223f8b03bccdb273ed0039ba8a77bd3
SHA256

43161c0778fd7277ad2d18d914e616e1ada7458ed92dff0d874fe5dd964c1975
SHA512

04e8595ea0b07861d9cbbe76ef67ea4199683a5cee080b7ecf11fcab485468bcf96280e21365a163aa105fc6e09c8ca23e0a06bf95e9d0fb1a422917e39acb21

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

91.193.75.185:1989

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

system32.exesystem32.exe

pid process

404 system32.exe
344 system32.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1036 cmd.exe

pid	process
404	system32.exe
344	system32.exe

pid	process
1036	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

AS006-20211201.pdf.exesystem32.exesystem32.exe

description	pid	process	target process
PID 1828 set thread context of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 404 set thread context of 344	404	system32.exe	system32.exe
PID 344 set thread context of 1608	344	system32.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1620 schtasks.exe
812 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

system32.exe

pid process

404 system32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system32.exe

description pid process

Token: SeDebugPrivilege 404 system32.exe

pid	process
1620	schtasks.exe
812	schtasks.exe

pid	process
404	system32.exe

description	pid	process
Token: SeDebugPrivilege	404	system32.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

AS006-20211201.pdf.exeAS006-20211201.pdf.exeWScript.execmd.exesystem32.exesystem32.exe

description	pid	process	target process
PID 1828 wrote to memory of 1620	1828	AS006-20211201.pdf.exe	schtasks.exe
PID 1828 wrote to memory of 1620	1828	AS006-20211201.pdf.exe	schtasks.exe
PID 1828 wrote to memory of 1620	1828	AS006-20211201.pdf.exe	schtasks.exe
PID 1828 wrote to memory of 1620	1828	AS006-20211201.pdf.exe	schtasks.exe
PID 1828 wrote to memory of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 1828 wrote to memory of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 1828 wrote to memory of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 1828 wrote to memory of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 1828 wrote to memory of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 1828 wrote to memory of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 1828 wrote to memory of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 1828 wrote to memory of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 1828 wrote to memory of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 1828 wrote to memory of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 1828 wrote to memory of 1656	1828	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 1656 wrote to memory of 1648	1656	AS006-20211201.pdf.exe	WScript.exe
PID 1656 wrote to memory of 1648	1656	AS006-20211201.pdf.exe	WScript.exe
PID 1656 wrote to memory of 1648	1656	AS006-20211201.pdf.exe	WScript.exe
PID 1656 wrote to memory of 1648	1656	AS006-20211201.pdf.exe	WScript.exe
PID 1648 wrote to memory of 1036	1648	WScript.exe	cmd.exe
PID 1648 wrote to memory of 1036	1648	WScript.exe	cmd.exe
PID 1648 wrote to memory of 1036	1648	WScript.exe	cmd.exe
PID 1648 wrote to memory of 1036	1648	WScript.exe	cmd.exe
PID 1036 wrote to memory of 404	1036	cmd.exe	system32.exe
PID 1036 wrote to memory of 404	1036	cmd.exe	system32.exe
PID 1036 wrote to memory of 404	1036	cmd.exe	system32.exe
PID 1036 wrote to memory of 404	1036	cmd.exe	system32.exe
PID 404 wrote to memory of 812	404	system32.exe	schtasks.exe
PID 404 wrote to memory of 812	404	system32.exe	schtasks.exe
PID 404 wrote to memory of 812	404	system32.exe	schtasks.exe
PID 404 wrote to memory of 812	404	system32.exe	schtasks.exe
PID 404 wrote to memory of 344	404	system32.exe	system32.exe
PID 404 wrote to memory of 344	404	system32.exe	system32.exe
PID 404 wrote to memory of 344	404	system32.exe	system32.exe
PID 404 wrote to memory of 344	404	system32.exe	system32.exe
PID 404 wrote to memory of 344	404	system32.exe	system32.exe
PID 404 wrote to memory of 344	404	system32.exe	system32.exe
PID 404 wrote to memory of 344	404	system32.exe	system32.exe
PID 404 wrote to memory of 344	404	system32.exe	system32.exe
PID 404 wrote to memory of 344	404	system32.exe	system32.exe
PID 404 wrote to memory of 344	404	system32.exe	system32.exe
PID 404 wrote to memory of 344	404	system32.exe	system32.exe
PID 344 wrote to memory of 1608	344	system32.exe	svchost.exe
PID 344 wrote to memory of 1608	344	system32.exe	svchost.exe
PID 344 wrote to memory of 1608	344	system32.exe	svchost.exe
PID 344 wrote to memory of 1608	344	system32.exe	svchost.exe
PID 344 wrote to memory of 1608	344	system32.exe	svchost.exe
PID 344 wrote to memory of 1608	344	system32.exe	svchost.exe
PID 344 wrote to memory of 1608	344	system32.exe	svchost.exe
PID 344 wrote to memory of 1608	344	system32.exe	svchost.exe
PID 344 wrote to memory of 1608	344	system32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\AS006-20211201.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\AS006-20211201.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWtjKWNXZtIZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5409.tmp"
2⤵
- Creates scheduled task(s)
PID:1620

C:\Users\Admin\AppData\Local\Temp\AS006-20211201.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\AS006-20211201.pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWtjKWNXZtIZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F79.tmp"
6⤵
- Creates scheduled task(s)
PID:812

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
139d1ffe3f418f4794b6359f239089a2

SHA1
579f8d9c97105a2a77566de7e802a26e4a27f4c8

SHA256
7c71958fda4cff7e2ae1d9309cd4c0143057ca52732926f640252fd5a7a9a2ca

SHA512
5b806812558c28ea195326cfe800a2a41377d5e1da1fb352c2aa3d5060237a5ba544dec6f52459a9ecf55b526280c7d9c6aa8a1b8544124b288a4235eb25c2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F79.tmp
MD5
d9c603ebee0ee06f62f6a1067ef060ad

SHA1
2de2896a757b535dd6bdfb3e2c0da0b57e4d0b9f

SHA256
7e3d447f931666a7406d42f9280eae604a6fed5508f74a8ef641dd5fa5575cc4

SHA512
e814dcb0d6e06b644b4f675e3cd2b8e1edad121ca5d0ac6dee5ec9801d7a45d1c3c2ce04070a65885568c9dd49c7dbe9f502ec9d155b8cf0d1a60f931ec64154

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5409.tmp
MD5
d9c603ebee0ee06f62f6a1067ef060ad

SHA1
2de2896a757b535dd6bdfb3e2c0da0b57e4d0b9f

SHA256
7e3d447f931666a7406d42f9280eae604a6fed5508f74a8ef641dd5fa5575cc4

SHA512
e814dcb0d6e06b644b4f675e3cd2b8e1edad121ca5d0ac6dee5ec9801d7a45d1c3c2ce04070a65885568c9dd49c7dbe9f502ec9d155b8cf0d1a60f931ec64154

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
5b58aebe0dd52b528d61475c704dd359

SHA1
2297d93e6223f8b03bccdb273ed0039ba8a77bd3

SHA256
43161c0778fd7277ad2d18d914e616e1ada7458ed92dff0d874fe5dd964c1975

SHA512
04e8595ea0b07861d9cbbe76ef67ea4199683a5cee080b7ecf11fcab485468bcf96280e21365a163aa105fc6e09c8ca23e0a06bf95e9d0fb1a422917e39acb21

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
5b58aebe0dd52b528d61475c704dd359

SHA1
2297d93e6223f8b03bccdb273ed0039ba8a77bd3

SHA256
43161c0778fd7277ad2d18d914e616e1ada7458ed92dff0d874fe5dd964c1975

SHA512
04e8595ea0b07861d9cbbe76ef67ea4199683a5cee080b7ecf11fcab485468bcf96280e21365a163aa105fc6e09c8ca23e0a06bf95e9d0fb1a422917e39acb21

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
5b58aebe0dd52b528d61475c704dd359

SHA1
2297d93e6223f8b03bccdb273ed0039ba8a77bd3

SHA256
43161c0778fd7277ad2d18d914e616e1ada7458ed92dff0d874fe5dd964c1975

SHA512
04e8595ea0b07861d9cbbe76ef67ea4199683a5cee080b7ecf11fcab485468bcf96280e21365a163aa105fc6e09c8ca23e0a06bf95e9d0fb1a422917e39acb21

Download Submit
\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
5b58aebe0dd52b528d61475c704dd359

SHA1
2297d93e6223f8b03bccdb273ed0039ba8a77bd3

SHA256
43161c0778fd7277ad2d18d914e616e1ada7458ed92dff0d874fe5dd964c1975

SHA512
04e8595ea0b07861d9cbbe76ef67ea4199683a5cee080b7ecf11fcab485468bcf96280e21365a163aa105fc6e09c8ca23e0a06bf95e9d0fb1a422917e39acb21

Download Submit
memory/344-18-0x0000000000413FA4-mapping.dmp

Download
memory/344-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/404-13-0x0000000000000000-mapping.dmp

Download
memory/812-15-0x0000000000000000-mapping.dmp

Download
memory/1036-9-0x0000000000000000-mapping.dmp

Download
memory/1608-21-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1608-22-0x00000000004B5036-mapping.dmp

Download
memory/1608-23-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1608-24-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1620-2-0x0000000000000000-mapping.dmp

Download
memory/1648-7-0x0000000000000000-mapping.dmp

Download
memory/1648-10-0x00000000027C0000-0x00000000027C4000-memory.dmp

Filesize
16KB

Download
memory/1656-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1656-5-0x0000000000413FA4-mapping.dmp

Download
memory/1656-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads