remcos | 4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

General

Target

2CBPOfVTs5QeG8Z.exe
Size

725KB
MD5

7b709e3928fa5d957244a6620d546a7e
SHA1

fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12
SHA256

4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f
SHA512

4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

185.244.26.208:29100

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

3060 remcos.exe
3996 remcos.exe

pid	process
3060	remcos.exe
3996	remcos.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2CBPOfVTs5QeG8Z.exeremcos.exeremcos.exe

description	pid	process	target process
PID 816 set thread context of 1432	816	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 3060 set thread context of 3996	3060	remcos.exe	remcos.exe
PID 3996 set thread context of 2916	3996	remcos.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

424 schtasks.exe
3188 schtasks.exe
Modifies registry class 1 IoCs

Processes:

2CBPOfVTs5QeG8Z.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings 2CBPOfVTs5QeG8Z.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2CBPOfVTs5QeG8Z.exeremcos.exe

pid process

816 2CBPOfVTs5QeG8Z.exe
3060 remcos.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2CBPOfVTs5QeG8Z.exeremcos.exe

description pid process

Token: SeDebugPrivilege 816 2CBPOfVTs5QeG8Z.exe
Token: SeDebugPrivilege 3060 remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

3996 remcos.exe

pid	process
424	schtasks.exe
3188	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	2CBPOfVTs5QeG8Z.exe

pid	process
816	2CBPOfVTs5QeG8Z.exe
3060	remcos.exe

description	pid	process
Token: SeDebugPrivilege	816	2CBPOfVTs5QeG8Z.exe
Token: SeDebugPrivilege	3060	remcos.exe

pid	process
3996	remcos.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

2CBPOfVTs5QeG8Z.exe2CBPOfVTs5QeG8Z.exeWScript.execmd.exeremcos.exeremcos.exe

description	pid	process	target process
PID 816 wrote to memory of 424	816	2CBPOfVTs5QeG8Z.exe	schtasks.exe
PID 816 wrote to memory of 424	816	2CBPOfVTs5QeG8Z.exe	schtasks.exe
PID 816 wrote to memory of 424	816	2CBPOfVTs5QeG8Z.exe	schtasks.exe
PID 816 wrote to memory of 1432	816	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 816 wrote to memory of 1432	816	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 816 wrote to memory of 1432	816	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 816 wrote to memory of 1432	816	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 816 wrote to memory of 1432	816	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 816 wrote to memory of 1432	816	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 816 wrote to memory of 1432	816	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 816 wrote to memory of 1432	816	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 816 wrote to memory of 1432	816	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 816 wrote to memory of 1432	816	2CBPOfVTs5QeG8Z.exe	2CBPOfVTs5QeG8Z.exe
PID 1432 wrote to memory of 1344	1432	2CBPOfVTs5QeG8Z.exe	WScript.exe
PID 1432 wrote to memory of 1344	1432	2CBPOfVTs5QeG8Z.exe	WScript.exe
PID 1432 wrote to memory of 1344	1432	2CBPOfVTs5QeG8Z.exe	WScript.exe
PID 1344 wrote to memory of 3028	1344	WScript.exe	cmd.exe
PID 1344 wrote to memory of 3028	1344	WScript.exe	cmd.exe
PID 1344 wrote to memory of 3028	1344	WScript.exe	cmd.exe
PID 3028 wrote to memory of 3060	3028	cmd.exe	remcos.exe
PID 3028 wrote to memory of 3060	3028	cmd.exe	remcos.exe
PID 3028 wrote to memory of 3060	3028	cmd.exe	remcos.exe
PID 3060 wrote to memory of 3188	3060	remcos.exe	schtasks.exe
PID 3060 wrote to memory of 3188	3060	remcos.exe	schtasks.exe
PID 3060 wrote to memory of 3188	3060	remcos.exe	schtasks.exe
PID 3060 wrote to memory of 3996	3060	remcos.exe	remcos.exe
PID 3060 wrote to memory of 3996	3060	remcos.exe	remcos.exe
PID 3060 wrote to memory of 3996	3060	remcos.exe	remcos.exe
PID 3060 wrote to memory of 3996	3060	remcos.exe	remcos.exe
PID 3060 wrote to memory of 3996	3060	remcos.exe	remcos.exe
PID 3060 wrote to memory of 3996	3060	remcos.exe	remcos.exe
PID 3060 wrote to memory of 3996	3060	remcos.exe	remcos.exe
PID 3060 wrote to memory of 3996	3060	remcos.exe	remcos.exe
PID 3060 wrote to memory of 3996	3060	remcos.exe	remcos.exe
PID 3060 wrote to memory of 3996	3060	remcos.exe	remcos.exe
PID 3996 wrote to memory of 2916	3996	remcos.exe	svchost.exe
PID 3996 wrote to memory of 2916	3996	remcos.exe	svchost.exe
PID 3996 wrote to memory of 2916	3996	remcos.exe	svchost.exe
PID 3996 wrote to memory of 2916	3996	remcos.exe	svchost.exe
PID 3996 wrote to memory of 2916	3996	remcos.exe	svchost.exe
PID 3996 wrote to memory of 2916	3996	remcos.exe	svchost.exe
PID 3996 wrote to memory of 2916	3996	remcos.exe	svchost.exe
PID 3996 wrote to memory of 2916	3996	remcos.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2CBPOfVTs5QeG8Z.exe
"C:\Users\Admin\AppData\Local\Temp\2CBPOfVTs5QeG8Z.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ERojaNssrIHFaE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp329A.tmp"
2⤵
- Creates scheduled task(s)
PID:424

C:\Users\Admin\AppData\Local\Temp\2CBPOfVTs5QeG8Z.exe
"C:\Users\Admin\AppData\Local\Temp\2CBPOfVTs5QeG8Z.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ERojaNssrIHFaE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD7.tmp"
6⤵
- Creates scheduled task(s)
PID:3188

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp329A.tmp
MD5
5180e20a9de7deb876b615320d51a84f

SHA1
d114b5ebed9e8ce7e02a7c6fc8d919e2ea3cda63

SHA256
b264e2ea7400da07158b381c61aa1b07d7f41ba84295d739684876f8d5a1917c

SHA512
e2904c167ad1fba4176a75d60be7489b4479ee3d4fee085a02be6a55316c706eac88a5e6ffc8c5d25947b0b5b76e136f1dd35366f946ba2740a4b028eacc2a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD7.tmp
MD5
5180e20a9de7deb876b615320d51a84f

SHA1
d114b5ebed9e8ce7e02a7c6fc8d919e2ea3cda63

SHA256
b264e2ea7400da07158b381c61aa1b07d7f41ba84295d739684876f8d5a1917c

SHA512
e2904c167ad1fba4176a75d60be7489b4479ee3d4fee085a02be6a55316c706eac88a5e6ffc8c5d25947b0b5b76e136f1dd35366f946ba2740a4b028eacc2a45

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7b709e3928fa5d957244a6620d546a7e

SHA1
fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12

SHA256
4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

SHA512
4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7b709e3928fa5d957244a6620d546a7e

SHA1
fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12

SHA256
4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

SHA512
4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7b709e3928fa5d957244a6620d546a7e

SHA1
fd6f4702fe9bcdcfc9555f50b2917ff6ca00ba12

SHA256
4e9dc740909974e7e5c1f5618bfba6192ada1ab988173685a50280bb4d232a5f

SHA512
4ecfad7f2221a1d37997aa40fc45bfb88a2630021cc3506b1c641a18913fb5944508f31f80f6b0d297031e3349d6a5034bb72c2a5ece181ce841576326faf970

Download Submit
memory/424-12-0x0000000000000000-mapping.dmp

Download
memory/816-7-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/816-11-0x0000000005A00000-0x0000000005A5E000-memory.dmp

Filesize
376KB

Download
memory/816-10-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/816-9-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/816-8-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/816-6-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/816-5-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/816-2-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/816-3-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1344-17-0x0000000000000000-mapping.dmp

Download
memory/1432-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1432-15-0x0000000000413FA4-mapping.dmp

Download
memory/1432-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2916-39-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2916-40-0x00000000004B6846-mapping.dmp

Download
memory/3028-19-0x0000000000000000-mapping.dmp

Download
memory/3060-20-0x0000000000000000-mapping.dmp

Download
memory/3060-23-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/3188-33-0x0000000000000000-mapping.dmp

Download
memory/3996-36-0x0000000000413FA4-mapping.dmp

Download
memory/3996-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads