remcos | 19fa9ec02851046fd1d39e19491c507ca4e757ac7fa50d0facf3e73849a7772f

General

Target

Quote_45893216_33661100.pdf.exe
Size

757KB
MD5

cb823c7a092678a45b40f7740d3036c7
SHA1

8c385821e1398d5ba703e94ca8952559f15dd82a
SHA256

19fa9ec02851046fd1d39e19491c507ca4e757ac7fa50d0facf3e73849a7772f
SHA512

28121c092660417be52d61e8d680bde84ce13ce924d890443ff51572d34a83c5b9d2cd69f6b8d5fa87700fbb2d5fd8c4b20e302d970054583384d94f4e7297fc

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

91.193.75.185:1989

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

system32.exesystem32.exe

pid process

1172 system32.exe
4296 system32.exe

pid	process
1172	system32.exe
4296	system32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Quote_45893216_33661100.pdf.exesystem32.exe

description	pid	process	target process
PID 4636 set thread context of 3168	4636	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 1172 set thread context of 4296	1172	system32.exe	system32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4184 schtasks.exe
1728 schtasks.exe
Modifies registry class 1 IoCs

Processes:

Quote_45893216_33661100.pdf.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings Quote_45893216_33661100.pdf.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

system32.exe

pid process

1172 system32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system32.exe

description pid process

Token: SeDebugPrivilege 1172 system32.exe

pid	process
4184	schtasks.exe
1728	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	Quote_45893216_33661100.pdf.exe

pid	process
1172	system32.exe

description	pid	process
Token: SeDebugPrivilege	1172	system32.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

Quote_45893216_33661100.pdf.exeQuote_45893216_33661100.pdf.exeWScript.execmd.exesystem32.exesystem32.exe

description	pid	process	target process
PID 4636 wrote to memory of 4184	4636	Quote_45893216_33661100.pdf.exe	schtasks.exe
PID 4636 wrote to memory of 4184	4636	Quote_45893216_33661100.pdf.exe	schtasks.exe
PID 4636 wrote to memory of 4184	4636	Quote_45893216_33661100.pdf.exe	schtasks.exe
PID 4636 wrote to memory of 3168	4636	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 4636 wrote to memory of 3168	4636	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 4636 wrote to memory of 3168	4636	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 4636 wrote to memory of 3168	4636	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 4636 wrote to memory of 3168	4636	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 4636 wrote to memory of 3168	4636	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 4636 wrote to memory of 3168	4636	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 4636 wrote to memory of 3168	4636	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 4636 wrote to memory of 3168	4636	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 4636 wrote to memory of 3168	4636	Quote_45893216_33661100.pdf.exe	Quote_45893216_33661100.pdf.exe
PID 3168 wrote to memory of 668	3168	Quote_45893216_33661100.pdf.exe	WScript.exe
PID 3168 wrote to memory of 668	3168	Quote_45893216_33661100.pdf.exe	WScript.exe
PID 3168 wrote to memory of 668	3168	Quote_45893216_33661100.pdf.exe	WScript.exe
PID 668 wrote to memory of 376	668	WScript.exe	cmd.exe
PID 668 wrote to memory of 376	668	WScript.exe	cmd.exe
PID 668 wrote to memory of 376	668	WScript.exe	cmd.exe
PID 376 wrote to memory of 1172	376	cmd.exe	system32.exe
PID 376 wrote to memory of 1172	376	cmd.exe	system32.exe
PID 376 wrote to memory of 1172	376	cmd.exe	system32.exe
PID 1172 wrote to memory of 1728	1172	system32.exe	schtasks.exe
PID 1172 wrote to memory of 1728	1172	system32.exe	schtasks.exe
PID 1172 wrote to memory of 1728	1172	system32.exe	schtasks.exe
PID 1172 wrote to memory of 4296	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 4296	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 4296	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 4296	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 4296	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 4296	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 4296	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 4296	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 4296	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 4296	1172	system32.exe	system32.exe
PID 4296 wrote to memory of 4252	4296	system32.exe	svchost.exe
PID 4296 wrote to memory of 4252	4296	system32.exe	svchost.exe
PID 4296 wrote to memory of 4252	4296	system32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Quote_45893216_33661100.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote_45893216_33661100.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yyjWbtG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32B9.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4184
- C:\Users\Admin\AppData\Local\Temp\Quote_45893216_33661100.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote_45893216_33661100.pdf.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Users\Admin\AppData\Roaming\Programs\system32.exe
        
        C:\Users\Admin\AppData\Roaming\Programs\system32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yyjWbtG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp599.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:1728
      - C:\Users\Admin\AppData\Roaming\Programs\system32.exe
        
        "C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        
        PID:4252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
139d1ffe3f418f4794b6359f239089a2

SHA1
579f8d9c97105a2a77566de7e802a26e4a27f4c8

SHA256
7c71958fda4cff7e2ae1d9309cd4c0143057ca52732926f640252fd5a7a9a2ca

SHA512
5b806812558c28ea195326cfe800a2a41377d5e1da1fb352c2aa3d5060237a5ba544dec6f52459a9ecf55b526280c7d9c6aa8a1b8544124b288a4235eb25c2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp32B9.tmp

MD5
ec5dd19a9ff516556b413d91af828a07

SHA1
63ca957acd5d1d8f6097c34dabd1ee4d184239ea

SHA256
83c909cb4031c5f3f11edcbda858342a9b2939aee396db1b7ee920616079d5a1

SHA512
bbb6d7bcf4135a2b522ce6c981a65cd96478abd9ebe4b1fea214d3adc70197a208831b90f3b591578f1d14e5720e37319e20410a04c9ff3b5ee963ddd647a784

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp599.tmp

MD5
ec5dd19a9ff516556b413d91af828a07

SHA1
63ca957acd5d1d8f6097c34dabd1ee4d184239ea

SHA256
83c909cb4031c5f3f11edcbda858342a9b2939aee396db1b7ee920616079d5a1

SHA512
bbb6d7bcf4135a2b522ce6c981a65cd96478abd9ebe4b1fea214d3adc70197a208831b90f3b591578f1d14e5720e37319e20410a04c9ff3b5ee963ddd647a784

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
cb823c7a092678a45b40f7740d3036c7

SHA1
8c385821e1398d5ba703e94ca8952559f15dd82a

SHA256
19fa9ec02851046fd1d39e19491c507ca4e757ac7fa50d0facf3e73849a7772f

SHA512
28121c092660417be52d61e8d680bde84ce13ce924d890443ff51572d34a83c5b9d2cd69f6b8d5fa87700fbb2d5fd8c4b20e302d970054583384d94f4e7297fc

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
cb823c7a092678a45b40f7740d3036c7

SHA1
8c385821e1398d5ba703e94ca8952559f15dd82a

SHA256
19fa9ec02851046fd1d39e19491c507ca4e757ac7fa50d0facf3e73849a7772f

SHA512
28121c092660417be52d61e8d680bde84ce13ce924d890443ff51572d34a83c5b9d2cd69f6b8d5fa87700fbb2d5fd8c4b20e302d970054583384d94f4e7297fc

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
cb823c7a092678a45b40f7740d3036c7

SHA1
8c385821e1398d5ba703e94ca8952559f15dd82a

SHA256
19fa9ec02851046fd1d39e19491c507ca4e757ac7fa50d0facf3e73849a7772f

SHA512
28121c092660417be52d61e8d680bde84ce13ce924d890443ff51572d34a83c5b9d2cd69f6b8d5fa87700fbb2d5fd8c4b20e302d970054583384d94f4e7297fc

Download Submit
memory/376-19-0x0000000000000000-mapping.dmp

Download
memory/668-17-0x0000000000000000-mapping.dmp

Download
memory/1172-23-0x0000000073DA0000-0x000000007448E000-memory.dmp

Filesize
6.9MB

Download
memory/1172-20-0x0000000000000000-mapping.dmp

Download
memory/1728-33-0x0000000000000000-mapping.dmp

Download
memory/3168-15-0x0000000000413FA4-mapping.dmp

Download
memory/3168-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3168-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4184-12-0x0000000000000000-mapping.dmp

Download
memory/4296-36-0x0000000000413FA4-mapping.dmp

Download
memory/4296-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4636-9-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/4636-2-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4636-8-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/4636-7-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/4636-6-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4636-5-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4636-10-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/4636-3-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/4636-11-0x0000000005770000-0x00000000057CF000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads