remcos | f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8

Analysis

max time kernel
151s
max time network
117s
platform
windows7_x64
resource
win7v20201028
submitted
14-01-2021 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO#83922009122.pdf.exe
Size

898KB
MD5

923a6bfbacc542ea646c55a2e644c605
SHA1

c808220bb23632c399afb688a752f26b2b6056b0
SHA256

f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8
SHA512

1fb4f443ab600da86d8b07906d107394b18da23b89a70b20c8a6224453c7d7e4a345e43ef5b04d5283c02ab5b8005ed9d8913cdfc0c1da51aca8550965d12b88

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

194.5.97.174:1990

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 6 IoCs

Processes:

system.exesystem.exesystem.exesystem.exesystem.exesystem.exe

pid process

600 system.exe
1688 system.exe
1612 system.exe
1416 system.exe
1804 system.exe
1248 system.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1548 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO#83922009122.pdf.exe

description pid process target process

PID 2024 set thread context of 436 2024 PO#83922009122.pdf.exe PO#83922009122.pdf.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1824 schtasks.exe
1648 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

system.exe

pid process

600 system.exe
600 system.exe
600 system.exe
600 system.exe
600 system.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system.exe

description pid process

Token: SeDebugPrivilege 600 system.exe

pid	process
600	system.exe
1688	system.exe
1612	system.exe
1416	system.exe
1804	system.exe
1248	system.exe

pid	process
1548	cmd.exe

description	pid	process	target process
PID 2024 set thread context of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe

pid	process
1824	schtasks.exe
1648	schtasks.exe

pid	process
600	system.exe
600	system.exe
600	system.exe
600	system.exe
600	system.exe

description	pid	process
Token: SeDebugPrivilege	600	system.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

PO#83922009122.pdf.exePO#83922009122.pdf.exeWScript.execmd.exesystem.exe

description	pid	process	target process
PID 2024 wrote to memory of 1824	2024	PO#83922009122.pdf.exe	schtasks.exe
PID 2024 wrote to memory of 1824	2024	PO#83922009122.pdf.exe	schtasks.exe
PID 2024 wrote to memory of 1824	2024	PO#83922009122.pdf.exe	schtasks.exe
PID 2024 wrote to memory of 1824	2024	PO#83922009122.pdf.exe	schtasks.exe
PID 2024 wrote to memory of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe
PID 2024 wrote to memory of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe
PID 2024 wrote to memory of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe
PID 2024 wrote to memory of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe
PID 2024 wrote to memory of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe
PID 2024 wrote to memory of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe
PID 2024 wrote to memory of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe
PID 2024 wrote to memory of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe
PID 2024 wrote to memory of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe
PID 2024 wrote to memory of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe
PID 2024 wrote to memory of 436	2024	PO#83922009122.pdf.exe	PO#83922009122.pdf.exe
PID 436 wrote to memory of 240	436	PO#83922009122.pdf.exe	WScript.exe
PID 436 wrote to memory of 240	436	PO#83922009122.pdf.exe	WScript.exe
PID 436 wrote to memory of 240	436	PO#83922009122.pdf.exe	WScript.exe
PID 436 wrote to memory of 240	436	PO#83922009122.pdf.exe	WScript.exe
PID 240 wrote to memory of 1548	240	WScript.exe	cmd.exe
PID 240 wrote to memory of 1548	240	WScript.exe	cmd.exe
PID 240 wrote to memory of 1548	240	WScript.exe	cmd.exe
PID 240 wrote to memory of 1548	240	WScript.exe	cmd.exe
PID 1548 wrote to memory of 600	1548	cmd.exe	system.exe
PID 1548 wrote to memory of 600	1548	cmd.exe	system.exe
PID 1548 wrote to memory of 600	1548	cmd.exe	system.exe
PID 1548 wrote to memory of 600	1548	cmd.exe	system.exe
PID 600 wrote to memory of 1648	600	system.exe	schtasks.exe
PID 600 wrote to memory of 1648	600	system.exe	schtasks.exe
PID 600 wrote to memory of 1648	600	system.exe	schtasks.exe
PID 600 wrote to memory of 1648	600	system.exe	schtasks.exe
PID 600 wrote to memory of 1688	600	system.exe	system.exe
PID 600 wrote to memory of 1688	600	system.exe	system.exe
PID 600 wrote to memory of 1688	600	system.exe	system.exe
PID 600 wrote to memory of 1688	600	system.exe	system.exe
PID 600 wrote to memory of 1612	600	system.exe	system.exe
PID 600 wrote to memory of 1612	600	system.exe	system.exe
PID 600 wrote to memory of 1612	600	system.exe	system.exe
PID 600 wrote to memory of 1612	600	system.exe	system.exe
PID 600 wrote to memory of 1416	600	system.exe	system.exe
PID 600 wrote to memory of 1416	600	system.exe	system.exe
PID 600 wrote to memory of 1416	600	system.exe	system.exe
PID 600 wrote to memory of 1416	600	system.exe	system.exe
PID 600 wrote to memory of 1804	600	system.exe	system.exe
PID 600 wrote to memory of 1804	600	system.exe	system.exe
PID 600 wrote to memory of 1804	600	system.exe	system.exe
PID 600 wrote to memory of 1804	600	system.exe	system.exe
PID 600 wrote to memory of 1248	600	system.exe	system.exe
PID 600 wrote to memory of 1248	600	system.exe	system.exe
PID 600 wrote to memory of 1248	600	system.exe	system.exe
PID 600 wrote to memory of 1248	600	system.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\PO#83922009122.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO#83922009122.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Vodgtv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA5F.tmp"
2⤵
- Creates scheduled task(s)
PID:1824

C:\Users\Admin\AppData\Local\Temp\PO#83922009122.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO#83922009122.pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\system\system.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Roaming\system\system.exe
C:\Users\Admin\AppData\Roaming\system\system.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Vodgtv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBA1.tmp"
6⤵
- Creates scheduled task(s)
PID:1648

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
PID:1688

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
PID:1416

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
PID:1804

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
PID:1248

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
2e69fc0af0a1b7a454e3177c7ae1fb6e

SHA1
b1e7a58a7a2a989ecd90c7e482d83c5a192e78b5

SHA256
c21b9bda033a514ba156f1741e7a9957c6792faa441d00ccf190bd76694cb912

SHA512
c64d04cce74cd25914a8a7c8904ac6267bf5c4c3f44feb54bf6f3a85f87af7283390687bdae5120dab83ce0a3874c00831af6671b1ec78e2d33ed27670f8ec2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBBA1.tmp
MD5
22f29d82b821cbdf07b0f8082ce4b6d7

SHA1
9555b7fb143e3ec95eaaf698f97176f7f2f7d3c5

SHA256
c43c5c1c697e5bce0549eebaf2c0401995f013533853b767251061a2d6b3ef5e

SHA512
71b436f6df2a1af79fb8e10c4f2edb67cf2dd862ed43c761fe96825d85c52ca26276643fff49e402054dd74896a24949602e7304b47f724b9d483a6b448a7a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA5F.tmp
MD5
22f29d82b821cbdf07b0f8082ce4b6d7

SHA1
9555b7fb143e3ec95eaaf698f97176f7f2f7d3c5

SHA256
c43c5c1c697e5bce0549eebaf2c0401995f013533853b767251061a2d6b3ef5e

SHA512
71b436f6df2a1af79fb8e10c4f2edb67cf2dd862ed43c761fe96825d85c52ca26276643fff49e402054dd74896a24949602e7304b47f724b9d483a6b448a7a0c

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
923a6bfbacc542ea646c55a2e644c605

SHA1
c808220bb23632c399afb688a752f26b2b6056b0

SHA256
f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8

SHA512
1fb4f443ab600da86d8b07906d107394b18da23b89a70b20c8a6224453c7d7e4a345e43ef5b04d5283c02ab5b8005ed9d8913cdfc0c1da51aca8550965d12b88

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
923a6bfbacc542ea646c55a2e644c605

SHA1
c808220bb23632c399afb688a752f26b2b6056b0

SHA256
f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8

SHA512
1fb4f443ab600da86d8b07906d107394b18da23b89a70b20c8a6224453c7d7e4a345e43ef5b04d5283c02ab5b8005ed9d8913cdfc0c1da51aca8550965d12b88

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
923a6bfbacc542ea646c55a2e644c605

SHA1
c808220bb23632c399afb688a752f26b2b6056b0

SHA256
f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8

SHA512
1fb4f443ab600da86d8b07906d107394b18da23b89a70b20c8a6224453c7d7e4a345e43ef5b04d5283c02ab5b8005ed9d8913cdfc0c1da51aca8550965d12b88

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
923a6bfbacc542ea646c55a2e644c605

SHA1
c808220bb23632c399afb688a752f26b2b6056b0

SHA256
f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8

SHA512
1fb4f443ab600da86d8b07906d107394b18da23b89a70b20c8a6224453c7d7e4a345e43ef5b04d5283c02ab5b8005ed9d8913cdfc0c1da51aca8550965d12b88

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
923a6bfbacc542ea646c55a2e644c605

SHA1
c808220bb23632c399afb688a752f26b2b6056b0

SHA256
f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8

SHA512
1fb4f443ab600da86d8b07906d107394b18da23b89a70b20c8a6224453c7d7e4a345e43ef5b04d5283c02ab5b8005ed9d8913cdfc0c1da51aca8550965d12b88

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
923a6bfbacc542ea646c55a2e644c605

SHA1
c808220bb23632c399afb688a752f26b2b6056b0

SHA256
f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8

SHA512
1fb4f443ab600da86d8b07906d107394b18da23b89a70b20c8a6224453c7d7e4a345e43ef5b04d5283c02ab5b8005ed9d8913cdfc0c1da51aca8550965d12b88

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
923a6bfbacc542ea646c55a2e644c605

SHA1
c808220bb23632c399afb688a752f26b2b6056b0

SHA256
f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8

SHA512
1fb4f443ab600da86d8b07906d107394b18da23b89a70b20c8a6224453c7d7e4a345e43ef5b04d5283c02ab5b8005ed9d8913cdfc0c1da51aca8550965d12b88

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
MD5
923a6bfbacc542ea646c55a2e644c605

SHA1
c808220bb23632c399afb688a752f26b2b6056b0

SHA256
f540cc413a46d1c64542c9935d831de6e9908c1bd86e490ed66d47afb8f742f8

SHA512
1fb4f443ab600da86d8b07906d107394b18da23b89a70b20c8a6224453c7d7e4a345e43ef5b04d5283c02ab5b8005ed9d8913cdfc0c1da51aca8550965d12b88

Download Submit
memory/240-12-0x0000000000000000-mapping.dmp

Download
memory/240-15-0x0000000002860000-0x0000000002864000-memory.dmp

Filesize
16KB

Download
memory/436-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/436-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/436-10-0x0000000000413FA4-mapping.dmp

Download
memory/600-18-0x0000000000000000-mapping.dmp

Download
memory/600-20-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/600-21-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1548-14-0x0000000000000000-mapping.dmp

Download
memory/1648-25-0x0000000000000000-mapping.dmp

Download
memory/1824-7-0x0000000000000000-mapping.dmp

Download
memory/2024-2-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-6-0x0000000004F90000-0x0000000004FEE000-memory.dmp

Filesize
376KB

Download
memory/2024-5-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/2024-3-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads