remcos | 0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

Analysis

max time kernel
151s
max time network
92s
platform
windows7_x64
resource
win7v20201028
submitted
15-01-2021 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ_211844_PR20Q-6706.pdf.exe
Size

798KB
MD5

e906dcfa1f501b9599e0ca8b1948dba9
SHA1

f91c2ba6c48e545d5e1573e5af96c70596de6e5a
SHA256

0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d
SHA512

056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

194.5.97.174:1990

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 6 IoCs

Processes:

system.exesystem.exesystem.exesystem.exesystem.exesystem.exe

pid process

1560 system.exe
240 system.exe
1592 system.exe
1700 system.exe
2016 system.exe
2044 system.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

792 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ_211844_PR20Q-6706.pdf.exe

description pid process target process

PID 1068 set thread context of 576 1068 RFQ_211844_PR20Q-6706.pdf.exe RFQ_211844_PR20Q-6706.pdf.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

668 schtasks.exe
1512 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

RFQ_211844_PR20Q-6706.pdf.exesystem.exe

pid process

1068 RFQ_211844_PR20Q-6706.pdf.exe
1068 RFQ_211844_PR20Q-6706.pdf.exe
1560 system.exe
1560 system.exe
1560 system.exe
1560 system.exe
1560 system.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ_211844_PR20Q-6706.pdf.exesystem.exe

description pid process

Token: SeDebugPrivilege 1068 RFQ_211844_PR20Q-6706.pdf.exe
Token: SeDebugPrivilege 1560 system.exe

pid	process
1560	system.exe
240	system.exe
1592	system.exe
1700	system.exe
2016	system.exe
2044	system.exe

pid	process
792	cmd.exe

description	pid	process	target process
PID 1068 set thread context of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe

pid	process
668	schtasks.exe
1512	schtasks.exe

pid	process
1068	RFQ_211844_PR20Q-6706.pdf.exe
1068	RFQ_211844_PR20Q-6706.pdf.exe
1560	system.exe
1560	system.exe
1560	system.exe
1560	system.exe
1560	system.exe

description	pid	process
Token: SeDebugPrivilege	1068	RFQ_211844_PR20Q-6706.pdf.exe
Token: SeDebugPrivilege	1560	system.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

RFQ_211844_PR20Q-6706.pdf.exeRFQ_211844_PR20Q-6706.pdf.exeWScript.execmd.exesystem.exe

description	pid	process	target process
PID 1068 wrote to memory of 668	1068	RFQ_211844_PR20Q-6706.pdf.exe	schtasks.exe
PID 1068 wrote to memory of 668	1068	RFQ_211844_PR20Q-6706.pdf.exe	schtasks.exe
PID 1068 wrote to memory of 668	1068	RFQ_211844_PR20Q-6706.pdf.exe	schtasks.exe
PID 1068 wrote to memory of 668	1068	RFQ_211844_PR20Q-6706.pdf.exe	schtasks.exe
PID 1068 wrote to memory of 968	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 968	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 968	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 968	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1068 wrote to memory of 576	1068	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 576 wrote to memory of 1624	576	RFQ_211844_PR20Q-6706.pdf.exe	WScript.exe
PID 576 wrote to memory of 1624	576	RFQ_211844_PR20Q-6706.pdf.exe	WScript.exe
PID 576 wrote to memory of 1624	576	RFQ_211844_PR20Q-6706.pdf.exe	WScript.exe
PID 576 wrote to memory of 1624	576	RFQ_211844_PR20Q-6706.pdf.exe	WScript.exe
PID 1624 wrote to memory of 792	1624	WScript.exe	cmd.exe
PID 1624 wrote to memory of 792	1624	WScript.exe	cmd.exe
PID 1624 wrote to memory of 792	1624	WScript.exe	cmd.exe
PID 1624 wrote to memory of 792	1624	WScript.exe	cmd.exe
PID 792 wrote to memory of 1560	792	cmd.exe	system.exe
PID 792 wrote to memory of 1560	792	cmd.exe	system.exe
PID 792 wrote to memory of 1560	792	cmd.exe	system.exe
PID 792 wrote to memory of 1560	792	cmd.exe	system.exe
PID 1560 wrote to memory of 1512	1560	system.exe	schtasks.exe
PID 1560 wrote to memory of 1512	1560	system.exe	schtasks.exe
PID 1560 wrote to memory of 1512	1560	system.exe	schtasks.exe
PID 1560 wrote to memory of 1512	1560	system.exe	schtasks.exe
PID 1560 wrote to memory of 240	1560	system.exe	system.exe
PID 1560 wrote to memory of 240	1560	system.exe	system.exe
PID 1560 wrote to memory of 240	1560	system.exe	system.exe
PID 1560 wrote to memory of 240	1560	system.exe	system.exe
PID 1560 wrote to memory of 1592	1560	system.exe	system.exe
PID 1560 wrote to memory of 1592	1560	system.exe	system.exe
PID 1560 wrote to memory of 1592	1560	system.exe	system.exe
PID 1560 wrote to memory of 1592	1560	system.exe	system.exe
PID 1560 wrote to memory of 1700	1560	system.exe	system.exe
PID 1560 wrote to memory of 1700	1560	system.exe	system.exe
PID 1560 wrote to memory of 1700	1560	system.exe	system.exe
PID 1560 wrote to memory of 1700	1560	system.exe	system.exe
PID 1560 wrote to memory of 2016	1560	system.exe	system.exe
PID 1560 wrote to memory of 2016	1560	system.exe	system.exe
PID 1560 wrote to memory of 2016	1560	system.exe	system.exe
PID 1560 wrote to memory of 2016	1560	system.exe	system.exe
PID 1560 wrote to memory of 2044	1560	system.exe	system.exe
PID 1560 wrote to memory of 2044	1560	system.exe	system.exe
PID 1560 wrote to memory of 2044	1560	system.exe	system.exe
PID 1560 wrote to memory of 2044	1560	system.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\RFQ_211844_PR20Q-6706.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_211844_PR20Q-6706.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kBYyHmpq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F03.tmp"
2⤵
- Creates scheduled task(s)
PID:668

C:\Users\Admin\AppData\Local\Temp\RFQ_211844_PR20Q-6706.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_211844_PR20Q-6706.pdf.exe"
2⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\RFQ_211844_PR20Q-6706.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_211844_PR20Q-6706.pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\system\system.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Roaming\system\system.exe
C:\Users\Admin\AppData\Roaming\system\system.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kBYyHmpq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2108.tmp"
6⤵
- Creates scheduled task(s)
PID:1512

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
PID:240

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
PID:1592

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
PID:1700

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
PID:2044

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
2e69fc0af0a1b7a454e3177c7ae1fb6e

SHA1
b1e7a58a7a2a989ecd90c7e482d83c5a192e78b5

SHA256
c21b9bda033a514ba156f1741e7a9957c6792faa441d00ccf190bd76694cb912

SHA512
c64d04cce74cd25914a8a7c8904ac6267bf5c4c3f44feb54bf6f3a85f87af7283390687bdae5120dab83ce0a3874c00831af6671b1ec78e2d33ed27670f8ec2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2108.tmp
MD5
689600a845d200d5e6383822be460195

SHA1
c8732dbd328dfbac07f9ce01f9721a70b33d3a06

SHA256
c7115f8690d320298823930e08d9a3da76158c806ea0fbef4027a36e7e460460

SHA512
eb49fe2ace4c0fa71b868d265d5b26b7db258c448e3da949ddabfe362e2b67acde9fe59d76cee3ede1b95aa26ca40a429d14aec507fcd7240c7887a9b4da972a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F03.tmp
MD5
689600a845d200d5e6383822be460195

SHA1
c8732dbd328dfbac07f9ce01f9721a70b33d3a06

SHA256
c7115f8690d320298823930e08d9a3da76158c806ea0fbef4027a36e7e460460

SHA512
eb49fe2ace4c0fa71b868d265d5b26b7db258c448e3da949ddabfe362e2b67acde9fe59d76cee3ede1b95aa26ca40a429d14aec507fcd7240c7887a9b4da972a

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
e906dcfa1f501b9599e0ca8b1948dba9

SHA1
f91c2ba6c48e545d5e1573e5af96c70596de6e5a

SHA256
0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

SHA512
056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
e906dcfa1f501b9599e0ca8b1948dba9

SHA1
f91c2ba6c48e545d5e1573e5af96c70596de6e5a

SHA256
0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

SHA512
056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
e906dcfa1f501b9599e0ca8b1948dba9

SHA1
f91c2ba6c48e545d5e1573e5af96c70596de6e5a

SHA256
0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

SHA512
056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
e906dcfa1f501b9599e0ca8b1948dba9

SHA1
f91c2ba6c48e545d5e1573e5af96c70596de6e5a

SHA256
0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

SHA512
056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
e906dcfa1f501b9599e0ca8b1948dba9

SHA1
f91c2ba6c48e545d5e1573e5af96c70596de6e5a

SHA256
0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

SHA512
056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
e906dcfa1f501b9599e0ca8b1948dba9

SHA1
f91c2ba6c48e545d5e1573e5af96c70596de6e5a

SHA256
0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

SHA512
056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
e906dcfa1f501b9599e0ca8b1948dba9

SHA1
f91c2ba6c48e545d5e1573e5af96c70596de6e5a

SHA256
0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

SHA512
056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
MD5
e906dcfa1f501b9599e0ca8b1948dba9

SHA1
f91c2ba6c48e545d5e1573e5af96c70596de6e5a

SHA256
0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

SHA512
056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Download Submit
memory/576-10-0x0000000000413FA4-mapping.dmp

Download
memory/576-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/576-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/668-7-0x0000000000000000-mapping.dmp

Download
memory/792-14-0x0000000000000000-mapping.dmp

Download
memory/1068-5-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/1068-6-0x0000000005150000-0x00000000051A8000-memory.dmp

Filesize
352KB

Download
memory/1068-2-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1068-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1512-25-0x0000000000000000-mapping.dmp

Download
memory/1560-21-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1560-20-0x0000000074180000-0x000000007486E000-memory.dmp

Filesize
6.9MB

Download
memory/1560-18-0x0000000000000000-mapping.dmp

Download
memory/1624-15-0x0000000002650000-0x0000000002654000-memory.dmp

Filesize
16KB

Download
memory/1624-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads