remcos | 43161c0778fd7277ad2d18d914e616e1ada7458ed92dff0d874fe5dd964c1975

General

Target

AS006-20211201.pdf.exe
Size

843KB
MD5

5b58aebe0dd52b528d61475c704dd359
SHA1

2297d93e6223f8b03bccdb273ed0039ba8a77bd3
SHA256

43161c0778fd7277ad2d18d914e616e1ada7458ed92dff0d874fe5dd964c1975
SHA512

04e8595ea0b07861d9cbbe76ef67ea4199683a5cee080b7ecf11fcab485468bcf96280e21365a163aa105fc6e09c8ca23e0a06bf95e9d0fb1a422917e39acb21

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

91.193.75.185:1989

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

system32.exesystem32.exe

pid process

2712 system32.exe
984 system32.exe

pid	process
2712	system32.exe
984	system32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

AS006-20211201.pdf.exesystem32.exesystem32.exe

description	pid	process	target process
PID 756 set thread context of 4000	756	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 2712 set thread context of 984	2712	system32.exe	system32.exe
PID 984 set thread context of 2172	984	system32.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1816 schtasks.exe
2348 schtasks.exe
Modifies registry class 1 IoCs

Processes:

AS006-20211201.pdf.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings AS006-20211201.pdf.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

system32.exe

pid process

2712 system32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system32.exe

description pid process

Token: SeDebugPrivilege 2712 system32.exe

pid	process
1816	schtasks.exe
2348	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	AS006-20211201.pdf.exe

pid	process
2712	system32.exe

description	pid	process
Token: SeDebugPrivilege	2712	system32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

AS006-20211201.pdf.exeAS006-20211201.pdf.exeWScript.execmd.exesystem32.exesystem32.exe

description	pid	process	target process
PID 756 wrote to memory of 1816	756	AS006-20211201.pdf.exe	schtasks.exe
PID 756 wrote to memory of 1816	756	AS006-20211201.pdf.exe	schtasks.exe
PID 756 wrote to memory of 1816	756	AS006-20211201.pdf.exe	schtasks.exe
PID 756 wrote to memory of 4000	756	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 756 wrote to memory of 4000	756	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 756 wrote to memory of 4000	756	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 756 wrote to memory of 4000	756	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 756 wrote to memory of 4000	756	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 756 wrote to memory of 4000	756	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 756 wrote to memory of 4000	756	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 756 wrote to memory of 4000	756	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 756 wrote to memory of 4000	756	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 756 wrote to memory of 4000	756	AS006-20211201.pdf.exe	AS006-20211201.pdf.exe
PID 4000 wrote to memory of 3892	4000	AS006-20211201.pdf.exe	WScript.exe
PID 4000 wrote to memory of 3892	4000	AS006-20211201.pdf.exe	WScript.exe
PID 4000 wrote to memory of 3892	4000	AS006-20211201.pdf.exe	WScript.exe
PID 3892 wrote to memory of 2020	3892	WScript.exe	cmd.exe
PID 3892 wrote to memory of 2020	3892	WScript.exe	cmd.exe
PID 3892 wrote to memory of 2020	3892	WScript.exe	cmd.exe
PID 2020 wrote to memory of 2712	2020	cmd.exe	system32.exe
PID 2020 wrote to memory of 2712	2020	cmd.exe	system32.exe
PID 2020 wrote to memory of 2712	2020	cmd.exe	system32.exe
PID 2712 wrote to memory of 2348	2712	system32.exe	schtasks.exe
PID 2712 wrote to memory of 2348	2712	system32.exe	schtasks.exe
PID 2712 wrote to memory of 2348	2712	system32.exe	schtasks.exe
PID 2712 wrote to memory of 984	2712	system32.exe	system32.exe
PID 2712 wrote to memory of 984	2712	system32.exe	system32.exe
PID 2712 wrote to memory of 984	2712	system32.exe	system32.exe
PID 2712 wrote to memory of 984	2712	system32.exe	system32.exe
PID 2712 wrote to memory of 984	2712	system32.exe	system32.exe
PID 2712 wrote to memory of 984	2712	system32.exe	system32.exe
PID 2712 wrote to memory of 984	2712	system32.exe	system32.exe
PID 2712 wrote to memory of 984	2712	system32.exe	system32.exe
PID 2712 wrote to memory of 984	2712	system32.exe	system32.exe
PID 2712 wrote to memory of 984	2712	system32.exe	system32.exe
PID 984 wrote to memory of 2172	984	system32.exe	svchost.exe
PID 984 wrote to memory of 2172	984	system32.exe	svchost.exe
PID 984 wrote to memory of 2172	984	system32.exe	svchost.exe
PID 984 wrote to memory of 2172	984	system32.exe	svchost.exe
PID 984 wrote to memory of 2172	984	system32.exe	svchost.exe
PID 984 wrote to memory of 2172	984	system32.exe	svchost.exe
PID 984 wrote to memory of 2172	984	system32.exe	svchost.exe
PID 984 wrote to memory of 2172	984	system32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\AS006-20211201.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\AS006-20211201.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWtjKWNXZtIZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2338.tmp"
2⤵
- Creates scheduled task(s)
PID:1816

C:\Users\Admin\AppData\Local\Temp\AS006-20211201.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\AS006-20211201.pdf.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWtjKWNXZtIZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9EF.tmp"
6⤵
- Creates scheduled task(s)
PID:2348

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
139d1ffe3f418f4794b6359f239089a2

SHA1
579f8d9c97105a2a77566de7e802a26e4a27f4c8

SHA256
7c71958fda4cff7e2ae1d9309cd4c0143057ca52732926f640252fd5a7a9a2ca

SHA512
5b806812558c28ea195326cfe800a2a41377d5e1da1fb352c2aa3d5060237a5ba544dec6f52459a9ecf55b526280c7d9c6aa8a1b8544124b288a4235eb25c2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2338.tmp
MD5
b32883f82d78f841f82c8b93fe11aec4

SHA1
e314e956480d2162e9d67c23fe0577318f8ce939

SHA256
8a6a31f2a172f65d5d69a86091900e36f9e57fe3adbe7ff2ca5dd05d1f72347a

SHA512
babea0375aa8c4875928aece9a3efc5249c15821f29c999fa6ec99cf640e492e105c5582e816561d35e22f00b2a546eebed4a48fec05dd0ef5b35d10a7c33298

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9EF.tmp
MD5
b32883f82d78f841f82c8b93fe11aec4

SHA1
e314e956480d2162e9d67c23fe0577318f8ce939

SHA256
8a6a31f2a172f65d5d69a86091900e36f9e57fe3adbe7ff2ca5dd05d1f72347a

SHA512
babea0375aa8c4875928aece9a3efc5249c15821f29c999fa6ec99cf640e492e105c5582e816561d35e22f00b2a546eebed4a48fec05dd0ef5b35d10a7c33298

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
5b58aebe0dd52b528d61475c704dd359

SHA1
2297d93e6223f8b03bccdb273ed0039ba8a77bd3

SHA256
43161c0778fd7277ad2d18d914e616e1ada7458ed92dff0d874fe5dd964c1975

SHA512
04e8595ea0b07861d9cbbe76ef67ea4199683a5cee080b7ecf11fcab485468bcf96280e21365a163aa105fc6e09c8ca23e0a06bf95e9d0fb1a422917e39acb21

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
5b58aebe0dd52b528d61475c704dd359

SHA1
2297d93e6223f8b03bccdb273ed0039ba8a77bd3

SHA256
43161c0778fd7277ad2d18d914e616e1ada7458ed92dff0d874fe5dd964c1975

SHA512
04e8595ea0b07861d9cbbe76ef67ea4199683a5cee080b7ecf11fcab485468bcf96280e21365a163aa105fc6e09c8ca23e0a06bf95e9d0fb1a422917e39acb21

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
5b58aebe0dd52b528d61475c704dd359

SHA1
2297d93e6223f8b03bccdb273ed0039ba8a77bd3

SHA256
43161c0778fd7277ad2d18d914e616e1ada7458ed92dff0d874fe5dd964c1975

SHA512
04e8595ea0b07861d9cbbe76ef67ea4199683a5cee080b7ecf11fcab485468bcf96280e21365a163aa105fc6e09c8ca23e0a06bf95e9d0fb1a422917e39acb21

Download Submit
memory/984-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/984-16-0x0000000000413FA4-mapping.dmp

Download
memory/1816-2-0x0000000000000000-mapping.dmp

Download
memory/2020-9-0x0000000000000000-mapping.dmp

Download
memory/2172-19-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2172-20-0x00000000004B5036-mapping.dmp

Download
memory/2348-13-0x0000000000000000-mapping.dmp

Download
memory/2712-10-0x0000000000000000-mapping.dmp

Download
memory/3892-7-0x0000000000000000-mapping.dmp

Download
memory/4000-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4000-5-0x0000000000413FA4-mapping.dmp

Download
memory/4000-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads