remcos | 0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

General

Target

RFQ_211844_PR20Q-6706.pdf.exe
Size

798KB
MD5

e906dcfa1f501b9599e0ca8b1948dba9
SHA1

f91c2ba6c48e545d5e1573e5af96c70596de6e5a
SHA256

0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d
SHA512

056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

194.5.97.174:1990

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

system.exesystem.exe

pid process

2740 system.exe
3976 system.exe

pid	process
2740	system.exe
3976	system.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

RFQ_211844_PR20Q-6706.pdf.exesystem.exe

description	pid	process	target process
PID 972 set thread context of 1180	972	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 2740 set thread context of 3976	2740	system.exe	system.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4052 schtasks.exe
2388 schtasks.exe
Modifies registry class 1 IoCs

Processes:

RFQ_211844_PR20Q-6706.pdf.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings RFQ_211844_PR20Q-6706.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system.exe

description pid process

Token: SeDebugPrivilege 2740 system.exe

pid	process
4052	schtasks.exe
2388	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	RFQ_211844_PR20Q-6706.pdf.exe

description	pid	process
Token: SeDebugPrivilege	2740	system.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

RFQ_211844_PR20Q-6706.pdf.exeRFQ_211844_PR20Q-6706.pdf.exeWScript.execmd.exesystem.exesystem.exe

description	pid	process	target process
PID 972 wrote to memory of 4052	972	RFQ_211844_PR20Q-6706.pdf.exe	schtasks.exe
PID 972 wrote to memory of 4052	972	RFQ_211844_PR20Q-6706.pdf.exe	schtasks.exe
PID 972 wrote to memory of 4052	972	RFQ_211844_PR20Q-6706.pdf.exe	schtasks.exe
PID 972 wrote to memory of 1180	972	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 972 wrote to memory of 1180	972	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 972 wrote to memory of 1180	972	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 972 wrote to memory of 1180	972	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 972 wrote to memory of 1180	972	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 972 wrote to memory of 1180	972	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 972 wrote to memory of 1180	972	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 972 wrote to memory of 1180	972	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 972 wrote to memory of 1180	972	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 972 wrote to memory of 1180	972	RFQ_211844_PR20Q-6706.pdf.exe	RFQ_211844_PR20Q-6706.pdf.exe
PID 1180 wrote to memory of 3120	1180	RFQ_211844_PR20Q-6706.pdf.exe	WScript.exe
PID 1180 wrote to memory of 3120	1180	RFQ_211844_PR20Q-6706.pdf.exe	WScript.exe
PID 1180 wrote to memory of 3120	1180	RFQ_211844_PR20Q-6706.pdf.exe	WScript.exe
PID 3120 wrote to memory of 808	3120	WScript.exe	cmd.exe
PID 3120 wrote to memory of 808	3120	WScript.exe	cmd.exe
PID 3120 wrote to memory of 808	3120	WScript.exe	cmd.exe
PID 808 wrote to memory of 2740	808	cmd.exe	system.exe
PID 808 wrote to memory of 2740	808	cmd.exe	system.exe
PID 808 wrote to memory of 2740	808	cmd.exe	system.exe
PID 2740 wrote to memory of 2388	2740	system.exe	schtasks.exe
PID 2740 wrote to memory of 2388	2740	system.exe	schtasks.exe
PID 2740 wrote to memory of 2388	2740	system.exe	schtasks.exe
PID 2740 wrote to memory of 3976	2740	system.exe	system.exe
PID 2740 wrote to memory of 3976	2740	system.exe	system.exe
PID 2740 wrote to memory of 3976	2740	system.exe	system.exe
PID 2740 wrote to memory of 3976	2740	system.exe	system.exe
PID 2740 wrote to memory of 3976	2740	system.exe	system.exe
PID 2740 wrote to memory of 3976	2740	system.exe	system.exe
PID 2740 wrote to memory of 3976	2740	system.exe	system.exe
PID 2740 wrote to memory of 3976	2740	system.exe	system.exe
PID 2740 wrote to memory of 3976	2740	system.exe	system.exe
PID 2740 wrote to memory of 3976	2740	system.exe	system.exe
PID 3976 wrote to memory of 2596	3976	system.exe	svchost.exe
PID 3976 wrote to memory of 2596	3976	system.exe	svchost.exe
PID 3976 wrote to memory of 2596	3976	system.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\RFQ_211844_PR20Q-6706.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_211844_PR20Q-6706.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kBYyHmpq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp443D.tmp"
2⤵
- Creates scheduled task(s)
PID:4052

C:\Users\Admin\AppData\Local\Temp\RFQ_211844_PR20Q-6706.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_211844_PR20Q-6706.pdf.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\system\system.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Roaming\system\system.exe
C:\Users\Admin\AppData\Roaming\system\system.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kBYyHmpq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36EA.tmp"
6⤵
- Creates scheduled task(s)
PID:2388

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
2e69fc0af0a1b7a454e3177c7ae1fb6e

SHA1
b1e7a58a7a2a989ecd90c7e482d83c5a192e78b5

SHA256
c21b9bda033a514ba156f1741e7a9957c6792faa441d00ccf190bd76694cb912

SHA512
c64d04cce74cd25914a8a7c8904ac6267bf5c4c3f44feb54bf6f3a85f87af7283390687bdae5120dab83ce0a3874c00831af6671b1ec78e2d33ed27670f8ec2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp36EA.tmp
MD5
43e122f541197f5e06f068678f718e11

SHA1
528b8a6460d7c86730c8c006f0818256ff0016a7

SHA256
6fd63fe5e6b4cae89b2af294d28aaf5b72dd47042959367626a4aa56504459fe

SHA512
9bf4105c9c93666f60238af7cd3bb063081d3f3f3fc45f2c4240be7d58959deaa00e81dc1a7fdd93ee103725af90f7efe4d20ad2c84a8156b11f0824cf0bbcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp443D.tmp
MD5
43e122f541197f5e06f068678f718e11

SHA1
528b8a6460d7c86730c8c006f0818256ff0016a7

SHA256
6fd63fe5e6b4cae89b2af294d28aaf5b72dd47042959367626a4aa56504459fe

SHA512
9bf4105c9c93666f60238af7cd3bb063081d3f3f3fc45f2c4240be7d58959deaa00e81dc1a7fdd93ee103725af90f7efe4d20ad2c84a8156b11f0824cf0bbcc1

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
e906dcfa1f501b9599e0ca8b1948dba9

SHA1
f91c2ba6c48e545d5e1573e5af96c70596de6e5a

SHA256
0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

SHA512
056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
e906dcfa1f501b9599e0ca8b1948dba9

SHA1
f91c2ba6c48e545d5e1573e5af96c70596de6e5a

SHA256
0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

SHA512
056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
MD5
e906dcfa1f501b9599e0ca8b1948dba9

SHA1
f91c2ba6c48e545d5e1573e5af96c70596de6e5a

SHA256
0823947e84275cb6348efabe268b0cb461ffc0f9ec3f6a6e97d514bf7cd4310d

SHA512
056062ea44ebb7e68b60bf80ecf45fb2eb6e1790023856cf6cdfa1f8c63f5c2232cd2a63d59aee14513e9df309f893d6fe1bee0b6bb1731ba82beec5ec9bfe2c

Download Submit
memory/808-19-0x0000000000000000-mapping.dmp

Download
memory/972-9-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/972-8-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/972-3-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/972-10-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/972-5-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/972-11-0x0000000005E30000-0x0000000005E88000-memory.dmp

Filesize
352KB

Download
memory/972-6-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/972-7-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/972-2-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/1180-15-0x0000000000413FA4-mapping.dmp

Download
memory/1180-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1180-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2388-33-0x0000000000000000-mapping.dmp

Download
memory/2740-20-0x0000000000000000-mapping.dmp

Download
memory/2740-23-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/3120-17-0x0000000000000000-mapping.dmp

Download
memory/3976-36-0x0000000000413FA4-mapping.dmp

Download
memory/3976-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4052-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads