remcos | f8b5e14a549989e51f567b5a7be04f6187d7bd4067e957e66152ecbf73893a47

General

Target

MC International Trading - products list.exe
Size

1.0MB
MD5

1749cf9fe03ca7ee146bf316831f01b2
SHA1

c87d534728d266847e4a7665d82c4a9553c60ccc
SHA256

f8b5e14a549989e51f567b5a7be04f6187d7bd4067e957e66152ecbf73893a47
SHA512

1a6b0be1b92493698ced5e663fa0fa3811ef9ca897d029d1c98c698e680f110f4c548f7bc5f13d5d987b359991dfada6e1f81e2fbc715ec98160d4de6c87b317

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

185.136.171.240:4044

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

Processes:

MC International Trading - products list.exe

description	pid	process	target process
PID 296 set thread context of 1516	296	MC International Trading - products list.exe	MC International Trading - products list.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

472 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MC International Trading - products list.exe

pid process

296 MC International Trading - products list.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MC International Trading - products list.exe

description pid process

Token: SeDebugPrivilege 296 MC International Trading - products list.exe

pid	process
472	schtasks.exe

pid	process
296	MC International Trading - products list.exe

description	pid	process
Token: SeDebugPrivilege	296	MC International Trading - products list.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

MC International Trading - products list.exe

description	pid	process	target process
PID 296 wrote to memory of 472	296	MC International Trading - products list.exe	schtasks.exe
PID 296 wrote to memory of 472	296	MC International Trading - products list.exe	schtasks.exe
PID 296 wrote to memory of 472	296	MC International Trading - products list.exe	schtasks.exe
PID 296 wrote to memory of 472	296	MC International Trading - products list.exe	schtasks.exe
PID 296 wrote to memory of 1516	296	MC International Trading - products list.exe	MC International Trading - products list.exe
PID 296 wrote to memory of 1516	296	MC International Trading - products list.exe	MC International Trading - products list.exe
PID 296 wrote to memory of 1516	296	MC International Trading - products list.exe	MC International Trading - products list.exe
PID 296 wrote to memory of 1516	296	MC International Trading - products list.exe	MC International Trading - products list.exe
PID 296 wrote to memory of 1516	296	MC International Trading - products list.exe	MC International Trading - products list.exe
PID 296 wrote to memory of 1516	296	MC International Trading - products list.exe	MC International Trading - products list.exe
PID 296 wrote to memory of 1516	296	MC International Trading - products list.exe	MC International Trading - products list.exe
PID 296 wrote to memory of 1516	296	MC International Trading - products list.exe	MC International Trading - products list.exe
PID 296 wrote to memory of 1516	296	MC International Trading - products list.exe	MC International Trading - products list.exe
PID 296 wrote to memory of 1516	296	MC International Trading - products list.exe	MC International Trading - products list.exe

C:\Users\Admin\AppData\Local\Temp\MC International Trading - products list.exe
"C:\Users\Admin\AppData\Local\Temp\MC International Trading - products list.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AilChTvm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC85.tmp"
2⤵
- Creates scheduled task(s)
PID:472

C:\Users\Admin\AppData\Local\Temp\MC International Trading - products list.exe
"C:\Users\Admin\AppData\Local\Temp\MC International Trading - products list.exe"
2⤵
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAC85.tmp
MD5
efd769ae42b47e0efbf139b40bb7cdf9

SHA1
a43186b6d3bd76e1c819a0cc50d15a6fddc6f381

SHA256
1350177819816afeb6d4c8b03ad3eafe14e8ce74eef3eea67e46d3d8e927e23e

SHA512
aafe1e56229d3fd19eeb86bc30ff4e7ca2b95a29410938f8668cc7c0cada4a686d9fe9521d79059805ec7e07bd3a6b2867f168324d3613b84c101600b8df971d

Download Submit
memory/296-2-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/296-3-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/296-5-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/296-6-0x0000000000460000-0x0000000000473000-memory.dmp

Filesize
76KB

Download
memory/296-7-0x00000000048D0000-0x000000000496A000-memory.dmp

Filesize
616KB

Download
memory/472-8-0x0000000000000000-mapping.dmp

Download
memory/1516-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-11-0x000000000040FD88-mapping.dmp

Download
memory/1516-12-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1516-13-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads