remcos | 83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1

General

Target

P.O.No.#17AUFR010S.pdf.exe
Size

789KB
MD5

4810953a88b4104013572a726d93a4de
SHA1

091ba6e7499ad3f3c44a699aca801c69203a4fc8
SHA256

83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1
SHA512

7b94158df0b2e48a81f2ee439baf8dbbcea64e812faa41d2f570d15300266ef52558d651b85a6ca89744c66886bb2cdd0623cc7016e4c8926a336c1565117181

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

194.5.97.174:1990

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

system.exesystem.exe

pid process

1868 system.exe
2960 system.exe

pid	process
1868	system.exe
2960	system.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

P.O.No.#17AUFR010S.pdf.exesystem.exesystem.exe

description	pid	process	target process
PID 4796 set thread context of 724	4796	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 1868 set thread context of 2960	1868	system.exe	system.exe
PID 2960 set thread context of 3984	2960	system.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2556 schtasks.exe
580 schtasks.exe
Modifies registry class 1 IoCs

Processes:

P.O.No.#17AUFR010S.pdf.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings P.O.No.#17AUFR010S.pdf.exe

pid	process
2556	schtasks.exe
580	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	P.O.No.#17AUFR010S.pdf.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

P.O.No.#17AUFR010S.pdf.exeP.O.No.#17AUFR010S.pdf.exeWScript.execmd.exesystem.exesystem.exe

description	pid	process	target process
PID 4796 wrote to memory of 580	4796	P.O.No.#17AUFR010S.pdf.exe	schtasks.exe
PID 4796 wrote to memory of 580	4796	P.O.No.#17AUFR010S.pdf.exe	schtasks.exe
PID 4796 wrote to memory of 580	4796	P.O.No.#17AUFR010S.pdf.exe	schtasks.exe
PID 4796 wrote to memory of 724	4796	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 4796 wrote to memory of 724	4796	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 4796 wrote to memory of 724	4796	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 4796 wrote to memory of 724	4796	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 4796 wrote to memory of 724	4796	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 4796 wrote to memory of 724	4796	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 4796 wrote to memory of 724	4796	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 4796 wrote to memory of 724	4796	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 4796 wrote to memory of 724	4796	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 4796 wrote to memory of 724	4796	P.O.No.#17AUFR010S.pdf.exe	P.O.No.#17AUFR010S.pdf.exe
PID 724 wrote to memory of 1200	724	P.O.No.#17AUFR010S.pdf.exe	WScript.exe
PID 724 wrote to memory of 1200	724	P.O.No.#17AUFR010S.pdf.exe	WScript.exe
PID 724 wrote to memory of 1200	724	P.O.No.#17AUFR010S.pdf.exe	WScript.exe
PID 1200 wrote to memory of 1580	1200	WScript.exe	cmd.exe
PID 1200 wrote to memory of 1580	1200	WScript.exe	cmd.exe
PID 1200 wrote to memory of 1580	1200	WScript.exe	cmd.exe
PID 1580 wrote to memory of 1868	1580	cmd.exe	system.exe
PID 1580 wrote to memory of 1868	1580	cmd.exe	system.exe
PID 1580 wrote to memory of 1868	1580	cmd.exe	system.exe
PID 1868 wrote to memory of 2556	1868	system.exe	schtasks.exe
PID 1868 wrote to memory of 2556	1868	system.exe	schtasks.exe
PID 1868 wrote to memory of 2556	1868	system.exe	schtasks.exe
PID 1868 wrote to memory of 2960	1868	system.exe	system.exe
PID 1868 wrote to memory of 2960	1868	system.exe	system.exe
PID 1868 wrote to memory of 2960	1868	system.exe	system.exe
PID 1868 wrote to memory of 2960	1868	system.exe	system.exe
PID 1868 wrote to memory of 2960	1868	system.exe	system.exe
PID 1868 wrote to memory of 2960	1868	system.exe	system.exe
PID 1868 wrote to memory of 2960	1868	system.exe	system.exe
PID 1868 wrote to memory of 2960	1868	system.exe	system.exe
PID 1868 wrote to memory of 2960	1868	system.exe	system.exe
PID 1868 wrote to memory of 2960	1868	system.exe	system.exe
PID 2960 wrote to memory of 3984	2960	system.exe	svchost.exe
PID 2960 wrote to memory of 3984	2960	system.exe	svchost.exe
PID 2960 wrote to memory of 3984	2960	system.exe	svchost.exe
PID 2960 wrote to memory of 3984	2960	system.exe	svchost.exe
PID 2960 wrote to memory of 3984	2960	system.exe	svchost.exe
PID 2960 wrote to memory of 3984	2960	system.exe	svchost.exe
PID 2960 wrote to memory of 3984	2960	system.exe	svchost.exe
PID 2960 wrote to memory of 3984	2960	system.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\P.O.No.#17AUFR010S.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\P.O.No.#17AUFR010S.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxZmnzRrdjicXR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp35F5.tmp"
2⤵
- Creates scheduled task(s)
PID:580

C:\Users\Admin\AppData\Local\Temp\P.O.No.#17AUFR010S.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\P.O.No.#17AUFR010S.pdf.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\system\system.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Roaming\system\system.exe
C:\Users\Admin\AppData\Roaming\system\system.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yxZmnzRrdjicXR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF8.tmp"
6⤵
- Creates scheduled task(s)
PID:2556

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:3984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
2e69fc0af0a1b7a454e3177c7ae1fb6e

SHA1
b1e7a58a7a2a989ecd90c7e482d83c5a192e78b5

SHA256
c21b9bda033a514ba156f1741e7a9957c6792faa441d00ccf190bd76694cb912

SHA512
c64d04cce74cd25914a8a7c8904ac6267bf5c4c3f44feb54bf6f3a85f87af7283390687bdae5120dab83ce0a3874c00831af6671b1ec78e2d33ed27670f8ec2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp35F5.tmp
MD5
c55bcb2217da2962d80e07cac3feecef

SHA1
6bcfb5f9d6ecc09311da32dd0bb058c662daa81a

SHA256
2ef6c2b43605980600ac03eeb27ab81f07374c2d9f63d47b0bec0a9b598ac206

SHA512
a108c69647aba2d1ac945307847e58c1091d8448914f392209027510a54c8a4f4ff28419158afa39f725ef16f08683a6f48b3b5de616d915fdf53d73aa3bbd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF8.tmp
MD5
c55bcb2217da2962d80e07cac3feecef

SHA1
6bcfb5f9d6ecc09311da32dd0bb058c662daa81a

SHA256
2ef6c2b43605980600ac03eeb27ab81f07374c2d9f63d47b0bec0a9b598ac206

SHA512
a108c69647aba2d1ac945307847e58c1091d8448914f392209027510a54c8a4f4ff28419158afa39f725ef16f08683a6f48b3b5de616d915fdf53d73aa3bbd62

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
4810953a88b4104013572a726d93a4de

SHA1
091ba6e7499ad3f3c44a699aca801c69203a4fc8

SHA256
83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1

SHA512
7b94158df0b2e48a81f2ee439baf8dbbcea64e812faa41d2f570d15300266ef52558d651b85a6ca89744c66886bb2cdd0623cc7016e4c8926a336c1565117181

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
4810953a88b4104013572a726d93a4de

SHA1
091ba6e7499ad3f3c44a699aca801c69203a4fc8

SHA256
83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1

SHA512
7b94158df0b2e48a81f2ee439baf8dbbcea64e812faa41d2f570d15300266ef52558d651b85a6ca89744c66886bb2cdd0623cc7016e4c8926a336c1565117181

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
4810953a88b4104013572a726d93a4de

SHA1
091ba6e7499ad3f3c44a699aca801c69203a4fc8

SHA256
83e2e475905c185d7114012d68a15aecf822c14a1e1bda9bf55441062a01fba1

SHA512
7b94158df0b2e48a81f2ee439baf8dbbcea64e812faa41d2f570d15300266ef52558d651b85a6ca89744c66886bb2cdd0623cc7016e4c8926a336c1565117181

Download Submit
memory/580-12-0x0000000000000000-mapping.dmp

Download
memory/724-15-0x0000000000413FA4-mapping.dmp

Download
memory/724-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/724-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1200-17-0x0000000000000000-mapping.dmp

Download
memory/1580-19-0x0000000000000000-mapping.dmp

Download
memory/1868-23-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/1868-20-0x0000000000000000-mapping.dmp

Download
memory/2556-33-0x0000000000000000-mapping.dmp

Download
memory/2960-36-0x0000000000413FA4-mapping.dmp

Download
memory/2960-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3984-40-0x00000000004A7B2E-mapping.dmp

Download
memory/3984-39-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4796-2-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/4796-6-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/4796-11-0x00000000060F0000-0x000000000614F000-memory.dmp

Filesize
380KB

Download
memory/4796-5-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/4796-7-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/4796-3-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4796-8-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/4796-9-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/4796-10-0x0000000005660000-0x0000000005672000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads