remcos | ce97e49dca586f267017b8d8778e65e58ca39162d738f696704ce287ad502d9b

General

Target

INVOICE-PDF- SCAN COPY.exe
Size

1.5MB
MD5

e6a1db28e3fa9241f8a37fc24a6bd0e7
SHA1

7c3c1c035d5022f035928fba257af94fe4ad81c6
SHA256

ce97e49dca586f267017b8d8778e65e58ca39162d738f696704ce287ad502d9b
SHA512

b3faf1f325fa73d685ce8a44f48d886198c2a07c12aa11c77d017c5f078fa8806f7fd944777dc5a017cdddda356b32c62a2d5a9c7d2df03d6d17c8a55bc03c01

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

eileenwmsscm.duckdns.org:2558

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

1512 remcos.exe

pid	process
1512	remcos.exe

Drops startup file 1 IoCs

Processes:

INVOICE-PDF- SCAN COPY.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	INVOICE-PDF- SCAN COPY.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1236 cmd.exe

pid	process
1236	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INVOICE-PDF- SCAN COPY.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	INVOICE-PDF- SCAN COPY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	INVOICE-PDF- SCAN COPY.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

INVOICE-PDF- SCAN COPY.exe

description pid process target process

PID 296 set thread context of 316 296 INVOICE-PDF- SCAN COPY.exe INVOICE-PDF- SCAN COPY.exe

description	pid	process	target process
PID 296 set thread context of 316	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe

Suspicious behavior: MapViewOfSection 44 IoCs

Processes:

INVOICE-PDF- SCAN COPY.exe

pid	process
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe
296	INVOICE-PDF- SCAN COPY.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

INVOICE-PDF- SCAN COPY.exeremcos.exe

pid process

296 INVOICE-PDF- SCAN COPY.exe
296 INVOICE-PDF- SCAN COPY.exe
296 INVOICE-PDF- SCAN COPY.exe
1512 remcos.exe
1512 remcos.exe
1512 remcos.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

INVOICE-PDF- SCAN COPY.exeremcos.exe

pid process

296 INVOICE-PDF- SCAN COPY.exe
296 INVOICE-PDF- SCAN COPY.exe
296 INVOICE-PDF- SCAN COPY.exe
1512 remcos.exe
1512 remcos.exe
1512 remcos.exe

Suspicious use of WriteProcessMemory 189 IoCs

Processes:

INVOICE-PDF- SCAN COPY.exe

description	pid	process	target process
PID 296 wrote to memory of 1060	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1060	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1060	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1060	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1216	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1216	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1216	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1216	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1364	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1364	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1364	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1364	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1444	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1444	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1444	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1444	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1220	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1220	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1220	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1220	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 608	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 608	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 608	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 608	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 880	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 880	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 880	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 880	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1376	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1376	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1376	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1376	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1292	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1292	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1292	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1292	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1588	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1588	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1588	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1588	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1576	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1576	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1576	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1576	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1680	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1680	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1680	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1680	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1624	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1624	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1624	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1624	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1580	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1580	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1580	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 1580	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 764	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 764	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 764	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 764	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 396	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 396	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 396	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe
PID 296 wrote to memory of 396	296	INVOICE-PDF- SCAN COPY.exe	INVOICE-PDF- SCAN COPY.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:296

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE-PDF- SCAN COPY.exe"
2⤵
- Adds Run key to start application
PID:316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
PID:1236

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
e6a1db28e3fa9241f8a37fc24a6bd0e7

SHA1
7c3c1c035d5022f035928fba257af94fe4ad81c6

SHA256
ce97e49dca586f267017b8d8778e65e58ca39162d738f696704ce287ad502d9b

SHA512
b3faf1f325fa73d685ce8a44f48d886198c2a07c12aa11c77d017c5f078fa8806f7fd944777dc5a017cdddda356b32c62a2d5a9c7d2df03d6d17c8a55bc03c01

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
e6a1db28e3fa9241f8a37fc24a6bd0e7

SHA1
7c3c1c035d5022f035928fba257af94fe4ad81c6

SHA256
ce97e49dca586f267017b8d8778e65e58ca39162d738f696704ce287ad502d9b

SHA512
b3faf1f325fa73d685ce8a44f48d886198c2a07c12aa11c77d017c5f078fa8806f7fd944777dc5a017cdddda356b32c62a2d5a9c7d2df03d6d17c8a55bc03c01

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5
e6a1db28e3fa9241f8a37fc24a6bd0e7

SHA1
7c3c1c035d5022f035928fba257af94fe4ad81c6

SHA256
ce97e49dca586f267017b8d8778e65e58ca39162d738f696704ce287ad502d9b

SHA512
b3faf1f325fa73d685ce8a44f48d886198c2a07c12aa11c77d017c5f078fa8806f7fd944777dc5a017cdddda356b32c62a2d5a9c7d2df03d6d17c8a55bc03c01

Download Submit
memory/296-7-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/296-5-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/296-2-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/316-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/316-3-0x0000000000413FA4-mapping.dmp

Download
memory/1084-8-0x0000000000000000-mapping.dmp

Download
memory/1084-12-0x0000000002770000-0x0000000002774000-memory.dmp

Filesize
16KB

Download
memory/1236-11-0x0000000000000000-mapping.dmp

Download
memory/1512-15-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads