remcos | 83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1

General

Target

P.O.No.#17AUFR010S.pdf.exe
Size

789KB
MD5

4810953a88b4104013572a726d93a4de
SHA1

091ba6e7499ad3f3c44a699aca801c69203a4fc8
SHA256

83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1
SHA512

7b94158df0b2e48a81f2ee439baf8dbbcea64e812faa41d2f570d15300266ef52558d651b85a6ca89744c66886bb2cdd0623cc7016e4c8926a336c1565117181

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

194.5.97.174:1990

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

system.exesystem.exe

pid process

644 system.exe
1708 system.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

688 cmd.exe

pid	process
644	system.exe
1708	system.exe

pid	process
688	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

P.O.No.#17AUFR010S.pdf.exesystem.exesystem.exe

description	pid	process	target process
PID 1940 set thread context of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 644 set thread context of 1708	644	system.exe	system.exe
PID 1708 set thread context of 1524	1708	system.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

240 schtasks.exe
1800 schtasks.exe

pid	process
240	schtasks.exe
1800	schtasks.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

P.O.No.#17AUFR010S.pdf.exeP.O.No.#17AUFR010S.pdf.exeWScript.execmd.exesystem.exesystem.exe

description	pid	process	target process
PID 1940 wrote to memory of 240	1940	P.O.No.#17AUFR010S.pdf.exe	schtasks.exe
PID 1940 wrote to memory of 240	1940	P.O.No.#17AUFR010S.pdf.exe	schtasks.exe
PID 1940 wrote to memory of 240	1940	P.O.No.#17AUFR010S.pdf.exe	schtasks.exe
PID 1940 wrote to memory of 240	1940	P.O.No.#17AUFR010S.pdf.exe	schtasks.exe
PID 1940 wrote to memory of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 1940 wrote to memory of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 1940 wrote to memory of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 1940 wrote to memory of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 1940 wrote to memory of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 1940 wrote to memory of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 1940 wrote to memory of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 1940 wrote to memory of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 1940 wrote to memory of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 1940 wrote to memory of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 1940 wrote to memory of 964	1940	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 964 wrote to memory of 1852	964	P.O.No.#17AUFR010S.pdf.exe	WScript.exe
PID 964 wrote to memory of 1852	964	P.O.No.#17AUFR010S.pdf.exe	WScript.exe
PID 964 wrote to memory of 1852	964	P.O.No.#17AUFR010S.pdf.exe	WScript.exe
PID 964 wrote to memory of 1852	964	P.O.No.#17AUFR010S.pdf.exe	WScript.exe
PID 1852 wrote to memory of 688	1852	WScript.exe	cmd.exe
PID 1852 wrote to memory of 688	1852	WScript.exe	cmd.exe
PID 1852 wrote to memory of 688	1852	WScript.exe	cmd.exe
PID 1852 wrote to memory of 688	1852	WScript.exe	cmd.exe
PID 688 wrote to memory of 644	688	cmd.exe	system.exe
PID 688 wrote to memory of 644	688	cmd.exe	system.exe
PID 688 wrote to memory of 644	688	cmd.exe	system.exe
PID 688 wrote to memory of 644	688	cmd.exe	system.exe
PID 644 wrote to memory of 1800	644	system.exe	schtasks.exe
PID 644 wrote to memory of 1800	644	system.exe	schtasks.exe
PID 644 wrote to memory of 1800	644	system.exe	schtasks.exe
PID 644 wrote to memory of 1800	644	system.exe	schtasks.exe
PID 644 wrote to memory of 1708	644	system.exe	system.exe
PID 644 wrote to memory of 1708	644	system.exe	system.exe
PID 644 wrote to memory of 1708	644	system.exe	system.exe
PID 644 wrote to memory of 1708	644	system.exe	system.exe
PID 644 wrote to memory of 1708	644	system.exe	system.exe
PID 644 wrote to memory of 1708	644	system.exe	system.exe
PID 644 wrote to memory of 1708	644	system.exe	system.exe
PID 644 wrote to memory of 1708	644	system.exe	system.exe
PID 644 wrote to memory of 1708	644	system.exe	system.exe
PID 644 wrote to memory of 1708	644	system.exe	system.exe
PID 644 wrote to memory of 1708	644	system.exe	system.exe
PID 1708 wrote to memory of 1524	1708	system.exe	svchost.exe
PID 1708 wrote to memory of 1524	1708	system.exe	svchost.exe
PID 1708 wrote to memory of 1524	1708	system.exe	svchost.exe
PID 1708 wrote to memory of 1524	1708	system.exe	svchost.exe
PID 1708 wrote to memory of 1524	1708	system.exe	svchost.exe
PID 1708 wrote to memory of 1524	1708	system.exe	svchost.exe
PID 1708 wrote to memory of 1524	1708	system.exe	svchost.exe
PID 1708 wrote to memory of 1524	1708	system.exe	svchost.exe
PID 1708 wrote to memory of 1524	1708	system.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\P.O.No.#17AUFR010S.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\P.O.No.#17AUFR010S.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxZmnzRrdjicXR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E67.tmp"
2⤵
- Creates scheduled task(s)
PID:240

C:\Users\Admin\AppData\Local\Temp\P.O.No.#17AUFR010S.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\P.O.No.#17AUFR010S.pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\system\system.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Roaming\system\system.exe
C:\Users\Admin\AppData\Roaming\system\system.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxZmnzRrdjicXR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18ED.tmp"
6⤵
- Creates scheduled task(s)
PID:1800

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
2e69fc0af0a1b7a454e3177c7ae1fb6e

SHA1
b1e7a58a7a2a989ecd90c7e482d83c5a192e78b5

SHA256
c21b9bda033a514ba156f1741e7a9957c6792faa441d00ccf190bd76694cb912

SHA512
c64d04cce74cd25914a8a7c8904ac6267bf5c4c3f44feb54bf6f3a85f87af7283390687bdae5120dab83ce0a3874c00831af6671b1ec78e2d33ed27670f8ec2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18ED.tmp
MD5
5aa541327a2f83b73bf5df2927476234

SHA1
161dddcf60d51398cb9a1611986d9ba4703b98ba

SHA256
c7cd1c5d4f32389ac4e1d7092ec79f1f20dfcb1b791e88df626c22378f14cd22

SHA512
ad216b292a34fb27056175bbd4f180188dee2d34e7b9ecbbbcd6205faf06f2d78bd84e2630f410828f91c2c6a99237cc7cbfe379c80e86c637a0f4b380cbd7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E67.tmp
MD5
5aa541327a2f83b73bf5df2927476234

SHA1
161dddcf60d51398cb9a1611986d9ba4703b98ba

SHA256
c7cd1c5d4f32389ac4e1d7092ec79f1f20dfcb1b791e88df626c22378f14cd22

SHA512
ad216b292a34fb27056175bbd4f180188dee2d34e7b9ecbbbcd6205faf06f2d78bd84e2630f410828f91c2c6a99237cc7cbfe379c80e86c637a0f4b380cbd7be

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
4810953a88b4104013572a726d93a4de

SHA1
091ba6e7499ad3f3c44a699aca801c69203a4fc8

SHA256
83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1

SHA512
7b94158df0b2e48a81f2ee439baf8dbbcea64e812faa41d2f570d15300266ef52558d651b85a6ca89744c66886bb2cdd0623cc7016e4c8926a336c1565117181

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
4810953a88b4104013572a726d93a4de

SHA1
091ba6e7499ad3f3c44a699aca801c69203a4fc8

SHA256
83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1

SHA512
7b94158df0b2e48a81f2ee439baf8dbbcea64e812faa41d2f570d15300266ef52558d651b85a6ca89744c66886bb2cdd0623cc7016e4c8926a336c1565117181

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
4810953a88b4104013572a726d93a4de

SHA1
091ba6e7499ad3f3c44a699aca801c69203a4fc8

SHA256
83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1

SHA512
7b94158df0b2e48a81f2ee439baf8dbbcea64e812faa41d2f570d15300266ef52558d651b85a6ca89744c66886bb2cdd0623cc7016e4c8926a336c1565117181

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
MD5
4810953a88b4104013572a726d93a4de

SHA1
091ba6e7499ad3f3c44a699aca801c69203a4fc8

SHA256
83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1

SHA512
7b94158df0b2e48a81f2ee439baf8dbbcea64e812faa41d2f570d15300266ef52558d651b85a6ca89744c66886bb2cdd0623cc7016e4c8926a336c1565117181

Download Submit
memory/240-7-0x0000000000000000-mapping.dmp

Download
memory/644-21-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/644-20-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/644-18-0x0000000000000000-mapping.dmp

Download
memory/688-14-0x0000000000000000-mapping.dmp

Download
memory/964-10-0x0000000000413FA4-mapping.dmp

Download
memory/964-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1524-31-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1524-34-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1524-33-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1524-32-0x00000000004A7B2E-mapping.dmp

Download
memory/1708-28-0x0000000000413FA4-mapping.dmp

Download
memory/1708-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1800-25-0x0000000000000000-mapping.dmp

Download
memory/1852-12-0x0000000000000000-mapping.dmp

Download
memory/1852-15-0x00000000028D0000-0x00000000028D4000-memory.dmp

Filesize
16KB

Download
memory/1940-2-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-3-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/1940-5-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1940-6-0x0000000005460000-0x00000000054BF000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads