remcos | 19fa9ec02851046fd1d39e19491c507ca4e757ac7fa50d0facf3e73849a7772f

General

Target

Quote_45893216_33661100.pdf.exe
Size

757KB
MD5

cb823c7a092678a45b40f7740d3036c7
SHA1

8c385821e1398d5ba703e94ca8952559f15dd82a
SHA256

19fa9ec02851046fd1d39e19491c507ca4e757ac7fa50d0facf3e73849a7772f
SHA512

28121c092660417be52d61e8d680bde84ce13ce924d890443ff51572d34a83c5b9d2cd69f6b8d5fa87700fbb2d5fd8c4b20e302d970054583384d94f4e7297fc

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

91.193.75.185:1989

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

system32.exesystem32.exe

pid process

320 system32.exe
1604 system32.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1156 cmd.exe

pid	process
320	system32.exe
1604	system32.exe

pid	process
1156	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Quote_45893216_33661100.pdf.exesystem32.exesystem32.exe

description	pid	process	target process
PID 2008 set thread context of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 320 set thread context of 1604	320	system32.exe	system32.exe
PID 1604 set thread context of 1340	1604	system32.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1824 schtasks.exe
1932 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Quote_45893216_33661100.pdf.exesystem32.exe

pid process

2008 Quote_45893216_33661100.pdf.exe
2008 Quote_45893216_33661100.pdf.exe
320 system32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Quote_45893216_33661100.pdf.exesystem32.exe

description pid process

Token: SeDebugPrivilege 2008 Quote_45893216_33661100.pdf.exe
Token: SeDebugPrivilege 320 system32.exe

pid	process
1824	schtasks.exe
1932	schtasks.exe

pid	process
2008	Quote_45893216_33661100.pdf.exe
2008	Quote_45893216_33661100.pdf.exe
320	system32.exe

description	pid	process
Token: SeDebugPrivilege	2008	Quote_45893216_33661100.pdf.exe
Token: SeDebugPrivilege	320	system32.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

Quote_45893216_33661100.pdf.exeQuote_45893216_33661100.pdf.exeWScript.execmd.exesystem32.exesystem32.exe

description	pid	process	target process
PID 2008 wrote to memory of 1824	2008	Quote_45893216_33661100.pdf.exe	schtasks.exe
PID 2008 wrote to memory of 1824	2008	Quote_45893216_33661100.pdf.exe	schtasks.exe
PID 2008 wrote to memory of 1824	2008	Quote_45893216_33661100.pdf.exe	schtasks.exe
PID 2008 wrote to memory of 1824	2008	Quote_45893216_33661100.pdf.exe	schtasks.exe
PID 2008 wrote to memory of 368	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 368	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 368	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 368	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 2008 wrote to memory of 1112	2008	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 1112 wrote to memory of 924	1112	Quote_45893216_33661100.pdf.exe	WScript.exe
PID 1112 wrote to memory of 924	1112	Quote_45893216_33661100.pdf.exe	WScript.exe
PID 1112 wrote to memory of 924	1112	Quote_45893216_33661100.pdf.exe	WScript.exe
PID 1112 wrote to memory of 924	1112	Quote_45893216_33661100.pdf.exe	WScript.exe
PID 924 wrote to memory of 1156	924	WScript.exe	cmd.exe
PID 924 wrote to memory of 1156	924	WScript.exe	cmd.exe
PID 924 wrote to memory of 1156	924	WScript.exe	cmd.exe
PID 924 wrote to memory of 1156	924	WScript.exe	cmd.exe
PID 1156 wrote to memory of 320	1156	cmd.exe	system32.exe
PID 1156 wrote to memory of 320	1156	cmd.exe	system32.exe
PID 1156 wrote to memory of 320	1156	cmd.exe	system32.exe
PID 1156 wrote to memory of 320	1156	cmd.exe	system32.exe
PID 320 wrote to memory of 1932	320	system32.exe	schtasks.exe
PID 320 wrote to memory of 1932	320	system32.exe	schtasks.exe
PID 320 wrote to memory of 1932	320	system32.exe	schtasks.exe
PID 320 wrote to memory of 1932	320	system32.exe	schtasks.exe
PID 320 wrote to memory of 1604	320	system32.exe	system32.exe
PID 320 wrote to memory of 1604	320	system32.exe	system32.exe
PID 320 wrote to memory of 1604	320	system32.exe	system32.exe
PID 320 wrote to memory of 1604	320	system32.exe	system32.exe
PID 320 wrote to memory of 1604	320	system32.exe	system32.exe
PID 320 wrote to memory of 1604	320	system32.exe	system32.exe
PID 320 wrote to memory of 1604	320	system32.exe	system32.exe
PID 320 wrote to memory of 1604	320	system32.exe	system32.exe
PID 320 wrote to memory of 1604	320	system32.exe	system32.exe
PID 320 wrote to memory of 1604	320	system32.exe	system32.exe
PID 320 wrote to memory of 1604	320	system32.exe	system32.exe
PID 1604 wrote to memory of 1340	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1340	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1340	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1340	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1340	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1340	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1340	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1340	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1340	1604	system32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Quote_45893216_33661100.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote_45893216_33661100.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yyjWbtG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD88.tmp"
2⤵
- Creates scheduled task(s)
PID:1824

C:\Users\Admin\AppData\Local\Temp\Quote_45893216_33661100.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote_45893216_33661100.pdf.exe"
2⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\Quote_45893216_33661100.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote_45893216_33661100.pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yyjWbtG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF8C0.tmp"
6⤵
- Creates scheduled task(s)
PID:1932

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
139d1ffe3f418f4794b6359f239089a2

SHA1
579f8d9c97105a2a77566de7e802a26e4a27f4c8

SHA256
7c71958fda4cff7e2ae1d9309cd4c0143057ca52732926f640252fd5a7a9a2ca

SHA512
5b806812558c28ea195326cfe800a2a41377d5e1da1fb352c2aa3d5060237a5ba544dec6f52459a9ecf55b526280c7d9c6aa8a1b8544124b288a4235eb25c2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD88.tmp
MD5
3afac555ec1de837c3f40c65f4a02295

SHA1
e19aea190de3fdd719c9073d671b3fc0951aaa8f

SHA256
4b0d7dba844e24a8d449ff15e850d0d8ea0bd8ebcdc205fd2746ec83e79f6bc2

SHA512
051f084885445db716c2ec94535022b1dd80d601d46cceee824cb128c4eac5d2368a0d34c0a115e5d05c4143a21b24edaa36530b490b5dec166620523e40d419

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8C0.tmp
MD5
3afac555ec1de837c3f40c65f4a02295

SHA1
e19aea190de3fdd719c9073d671b3fc0951aaa8f

SHA256
4b0d7dba844e24a8d449ff15e850d0d8ea0bd8ebcdc205fd2746ec83e79f6bc2

SHA512
051f084885445db716c2ec94535022b1dd80d601d46cceee824cb128c4eac5d2368a0d34c0a115e5d05c4143a21b24edaa36530b490b5dec166620523e40d419

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
cb823c7a092678a45b40f7740d3036c7

SHA1
8c385821e1398d5ba703e94ca8952559f15dd82a

SHA256
19fa9ec02851046fd1d39e19491c507ca4e757ac7fa50d0facf3e73849a7772f

SHA512
28121c092660417be52d61e8d680bde84ce13ce924d890443ff51572d34a83c5b9d2cd69f6b8d5fa87700fbb2d5fd8c4b20e302d970054583384d94f4e7297fc

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
cb823c7a092678a45b40f7740d3036c7

SHA1
8c385821e1398d5ba703e94ca8952559f15dd82a

SHA256
19fa9ec02851046fd1d39e19491c507ca4e757ac7fa50d0facf3e73849a7772f

SHA512
28121c092660417be52d61e8d680bde84ce13ce924d890443ff51572d34a83c5b9d2cd69f6b8d5fa87700fbb2d5fd8c4b20e302d970054583384d94f4e7297fc

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
cb823c7a092678a45b40f7740d3036c7

SHA1
8c385821e1398d5ba703e94ca8952559f15dd82a

SHA256
19fa9ec02851046fd1d39e19491c507ca4e757ac7fa50d0facf3e73849a7772f

SHA512
28121c092660417be52d61e8d680bde84ce13ce924d890443ff51572d34a83c5b9d2cd69f6b8d5fa87700fbb2d5fd8c4b20e302d970054583384d94f4e7297fc

Download Submit
\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
cb823c7a092678a45b40f7740d3036c7

SHA1
8c385821e1398d5ba703e94ca8952559f15dd82a

SHA256
19fa9ec02851046fd1d39e19491c507ca4e757ac7fa50d0facf3e73849a7772f

SHA512
28121c092660417be52d61e8d680bde84ce13ce924d890443ff51572d34a83c5b9d2cd69f6b8d5fa87700fbb2d5fd8c4b20e302d970054583384d94f4e7297fc

Download Submit
memory/320-21-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/320-20-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/320-18-0x0000000000000000-mapping.dmp

Download
memory/924-15-0x00000000027E0000-0x00000000027E4000-memory.dmp

Filesize
16KB

Download
memory/924-12-0x0000000000000000-mapping.dmp

Download
memory/1112-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1112-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1112-10-0x0000000000413FA4-mapping.dmp

Download
memory/1156-14-0x0000000000000000-mapping.dmp

Download
memory/1340-31-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1340-32-0x000000000049FA32-mapping.dmp

Download
memory/1340-33-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1340-34-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1604-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1604-28-0x0000000000413FA4-mapping.dmp

Download
memory/1824-7-0x0000000000000000-mapping.dmp

Download
memory/1932-25-0x0000000000000000-mapping.dmp

Download
memory/2008-3-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2008-5-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/2008-6-0x00000000050C0000-0x000000000511F000-memory.dmp

Filesize
380KB

Download
memory/2008-2-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads