remcos | 0c873ba18e7449a4e0110dbef0fce6cbe36ce0649a743d84675800bb2caa1938

General

Target

0000090000902021.exe
Size

354KB
MD5

4decfb66c5f4b06dfd047292f6e18d7c
SHA1

0d0d42946b325aba13e75514513e363601582815
SHA256

0c873ba18e7449a4e0110dbef0fce6cbe36ce0649a743d84675800bb2caa1938
SHA512

58f8bc7145d997eb3a67890f5c5a94889e564df64aea86f6fd31af9185b9da466d5bc1927feb31743a1fa00c707d1b8e6fc046f3beeb881413076d85f26f1050

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

72.11.157.241:4445

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

0000090000902021.exe

description pid process target process

PID 3888 set thread context of 3928 3888 0000090000902021.exe 0000090000902021.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

212 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0000090000902021.exe

pid process

3928 0000090000902021.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0000090000902021.exe

pid process

3888 0000090000902021.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0000090000902021.exe

pid process

3928 0000090000902021.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

0000090000902021.exe

pid process

3928 0000090000902021.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0000090000902021.exe

pid process

3928 0000090000902021.exe

description	pid	process	target process
PID 3888 set thread context of 3928	3888	0000090000902021.exe	0000090000902021.exe

pid	process
212	schtasks.exe

pid	process
3928	0000090000902021.exe

pid	process
3888	0000090000902021.exe

pid	process
3928	0000090000902021.exe

pid	process
3928	0000090000902021.exe

pid	process
3928	0000090000902021.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0000090000902021.execmd.exe

description	pid	process	target process
PID 3888 wrote to memory of 1960	3888	0000090000902021.exe	cmd.exe
PID 3888 wrote to memory of 1960	3888	0000090000902021.exe	cmd.exe
PID 3888 wrote to memory of 1960	3888	0000090000902021.exe	cmd.exe
PID 3888 wrote to memory of 3512	3888	0000090000902021.exe	cmd.exe
PID 3888 wrote to memory of 3512	3888	0000090000902021.exe	cmd.exe
PID 3888 wrote to memory of 3512	3888	0000090000902021.exe	cmd.exe
PID 3888 wrote to memory of 3928	3888	0000090000902021.exe	0000090000902021.exe
PID 3888 wrote to memory of 3928	3888	0000090000902021.exe	0000090000902021.exe
PID 3888 wrote to memory of 3928	3888	0000090000902021.exe	0000090000902021.exe
PID 3888 wrote to memory of 3928	3888	0000090000902021.exe	0000090000902021.exe
PID 3512 wrote to memory of 212	3512	cmd.exe	schtasks.exe
PID 3512 wrote to memory of 212	3512	cmd.exe	schtasks.exe
PID 3512 wrote to memory of 212	3512	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0000090000902021.exe
"C:\Users\Admin\AppData\Local\Temp\0000090000902021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\2e7933cd4c36479e897d47cded967c74.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\2e7933cd4c36479e897d47cded967c74.xml"
3⤵
- Creates scheduled task(s)
PID:212

C:\Users\Admin\AppData\Local\Temp\0000090000902021.exe
"C:\Users\Admin\AppData\Local\Temp\0000090000902021.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2e7933cd4c36479e897d47cded967c74.xml
MD5
aa2f6636e997aaa0b01fbc78b1dabe52

SHA1
fd462100fc91975dcbea8e361cf1eb8a70f6ad54

SHA256
d710b6eda22285684579d8b547e5be2f48883c4bf8db39993b00df30f9dc8723

SHA512
6540a3bbdbd3ab51679d5b32380e6c288bf6eba2777d067d40bfe65642ccafecd18028b102dfa46ac189d84282da2b6cb202a4f307587c5639f86834788f5104

Download Submit
memory/212-9-0x0000000000000000-mapping.dmp

Download
memory/1960-2-0x0000000000000000-mapping.dmp

Download
memory/3512-3-0x0000000000000000-mapping.dmp

Download
memory/3928-4-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3928-5-0x00000000004172EC-mapping.dmp

Download
memory/3928-7-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3928-8-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads