remcos | c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4

General

Target

Shipping Document PL& BL 0980 ,pdf.exe
Size

800KB
MD5

7bbfadf6d555db358cab481b6e73d985
SHA1

8aad19b730b71b346af632fe78021ec76e3d849f
SHA256

c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4
SHA512

504d6d350dc40f1ec94d8a005fa226bfa992906fc07dc3bb0d5bfb25bf8c30271de4b78eb59e763fcbdb17be6e89b4901607e812d16c9ce64c6783371bcb42ad

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

favour2021.ddns.net:1990

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

remcos.exeremcos.exeremcos.exe

pid process

560 remcos.exe
1668 remcos.exe
1944 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1760 cmd.exe

pid	process
560	remcos.exe
1668	remcos.exe
1944	remcos.exe

pid	process
1760	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Shipping Document PL& BL 0980 ,pdf.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Shipping Document PL& BL 0980 ,pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	Shipping Document PL& BL 0980 ,pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Shipping Document PL& BL 0980 ,pdf.exeremcos.exe

description	pid	process	target process
PID 1856 set thread context of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 560 set thread context of 1944	560	remcos.exe	remcos.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

672 schtasks.exe
2044 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

remcos.exe

pid process

560 remcos.exe
560 remcos.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Shipping Document PL& BL 0980 ,pdf.exeremcos.exe

description pid process

Token: SeDebugPrivilege 1856 Shipping Document PL& BL 0980 ,pdf.exe
Token: SeDebugPrivilege 560 remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1944 remcos.exe

pid	process
672	schtasks.exe
2044	schtasks.exe

pid	process
560	remcos.exe
560	remcos.exe

description	pid	process
Token: SeDebugPrivilege	1856	Shipping Document PL& BL 0980 ,pdf.exe
Token: SeDebugPrivilege	560	remcos.exe

pid	process
1944	remcos.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

Shipping Document PL& BL 0980 ,pdf.exeShipping Document PL& BL 0980 ,pdf.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 1856 wrote to memory of 672	1856	Shipping Document PL& BL 0980 ,pdf.exe	schtasks.exe
PID 1856 wrote to memory of 672	1856	Shipping Document PL& BL 0980 ,pdf.exe	schtasks.exe
PID 1856 wrote to memory of 672	1856	Shipping Document PL& BL 0980 ,pdf.exe	schtasks.exe
PID 1856 wrote to memory of 672	1856	Shipping Document PL& BL 0980 ,pdf.exe	schtasks.exe
PID 1856 wrote to memory of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1856 wrote to memory of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1856 wrote to memory of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1856 wrote to memory of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1856 wrote to memory of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1856 wrote to memory of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1856 wrote to memory of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1856 wrote to memory of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1856 wrote to memory of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1856 wrote to memory of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1856 wrote to memory of 1716	1856	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1716 wrote to memory of 1628	1716	Shipping Document PL& BL 0980 ,pdf.exe	WScript.exe
PID 1716 wrote to memory of 1628	1716	Shipping Document PL& BL 0980 ,pdf.exe	WScript.exe
PID 1716 wrote to memory of 1628	1716	Shipping Document PL& BL 0980 ,pdf.exe	WScript.exe
PID 1716 wrote to memory of 1628	1716	Shipping Document PL& BL 0980 ,pdf.exe	WScript.exe
PID 1628 wrote to memory of 1760	1628	WScript.exe	cmd.exe
PID 1628 wrote to memory of 1760	1628	WScript.exe	cmd.exe
PID 1628 wrote to memory of 1760	1628	WScript.exe	cmd.exe
PID 1628 wrote to memory of 1760	1628	WScript.exe	cmd.exe
PID 1760 wrote to memory of 560	1760	cmd.exe	remcos.exe
PID 1760 wrote to memory of 560	1760	cmd.exe	remcos.exe
PID 1760 wrote to memory of 560	1760	cmd.exe	remcos.exe
PID 1760 wrote to memory of 560	1760	cmd.exe	remcos.exe
PID 560 wrote to memory of 2044	560	remcos.exe	schtasks.exe
PID 560 wrote to memory of 2044	560	remcos.exe	schtasks.exe
PID 560 wrote to memory of 2044	560	remcos.exe	schtasks.exe
PID 560 wrote to memory of 2044	560	remcos.exe	schtasks.exe
PID 560 wrote to memory of 1668	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1668	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1668	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1668	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1944	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1944	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1944	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1944	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1944	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1944	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1944	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1944	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1944	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1944	560	remcos.exe	remcos.exe
PID 560 wrote to memory of 1944	560	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 0980 ,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 0980 ,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aPkByBtePgmjjx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7520.tmp"
2⤵
- Creates scheduled task(s)
PID:672

C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 0980 ,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 0980 ,pdf.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aPkByBtePgmjjx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7790.tmp"
6⤵
- Creates scheduled task(s)
PID:2044

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
PID:1668

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7520.tmp
MD5
8a1f395f890907241e0806a10d8b5e1a

SHA1
9bd00acd8e4d80797f013005df9457b40bed7244

SHA256
d4b5fab7a3891224f068da453ceb02ab4ef660222797c18410f6b060a49366ea

SHA512
3c66230db0bac2175ee425bd58267c30aec71cb15b8d8e3072129e078864c10cce21093516556812f3ae76751211431a0a110f6fb45f626e738b2782fd880c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7790.tmp
MD5
8a1f395f890907241e0806a10d8b5e1a

SHA1
9bd00acd8e4d80797f013005df9457b40bed7244

SHA256
d4b5fab7a3891224f068da453ceb02ab4ef660222797c18410f6b060a49366ea

SHA512
3c66230db0bac2175ee425bd58267c30aec71cb15b8d8e3072129e078864c10cce21093516556812f3ae76751211431a0a110f6fb45f626e738b2782fd880c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7bbfadf6d555db358cab481b6e73d985

SHA1
8aad19b730b71b346af632fe78021ec76e3d849f

SHA256
c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4

SHA512
504d6d350dc40f1ec94d8a005fa226bfa992906fc07dc3bb0d5bfb25bf8c30271de4b78eb59e763fcbdb17be6e89b4901607e812d16c9ce64c6783371bcb42ad

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7bbfadf6d555db358cab481b6e73d985

SHA1
8aad19b730b71b346af632fe78021ec76e3d849f

SHA256
c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4

SHA512
504d6d350dc40f1ec94d8a005fa226bfa992906fc07dc3bb0d5bfb25bf8c30271de4b78eb59e763fcbdb17be6e89b4901607e812d16c9ce64c6783371bcb42ad

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7bbfadf6d555db358cab481b6e73d985

SHA1
8aad19b730b71b346af632fe78021ec76e3d849f

SHA256
c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4

SHA512
504d6d350dc40f1ec94d8a005fa226bfa992906fc07dc3bb0d5bfb25bf8c30271de4b78eb59e763fcbdb17be6e89b4901607e812d16c9ce64c6783371bcb42ad

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7bbfadf6d555db358cab481b6e73d985

SHA1
8aad19b730b71b346af632fe78021ec76e3d849f

SHA256
c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4

SHA512
504d6d350dc40f1ec94d8a005fa226bfa992906fc07dc3bb0d5bfb25bf8c30271de4b78eb59e763fcbdb17be6e89b4901607e812d16c9ce64c6783371bcb42ad

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7bbfadf6d555db358cab481b6e73d985

SHA1
8aad19b730b71b346af632fe78021ec76e3d849f

SHA256
c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4

SHA512
504d6d350dc40f1ec94d8a005fa226bfa992906fc07dc3bb0d5bfb25bf8c30271de4b78eb59e763fcbdb17be6e89b4901607e812d16c9ce64c6783371bcb42ad

Download Submit
memory/560-27-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/560-24-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/560-23-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/560-21-0x0000000000000000-mapping.dmp

Download
memory/672-8-0x0000000000000000-mapping.dmp

Download
memory/1628-18-0x00000000025B0000-0x00000000025B4000-memory.dmp

Filesize
16KB

Download
memory/1628-13-0x0000000000000000-mapping.dmp

Download
memory/1716-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1716-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1716-12-0x00000000767E1000-0x00000000767E3000-memory.dmp

Filesize
8KB

Download
memory/1716-11-0x0000000000413FA4-mapping.dmp

Download
memory/1760-17-0x0000000000000000-mapping.dmp

Download
memory/1856-2-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-7-0x0000000000C20000-0x0000000000C79000-memory.dmp

Filesize
356KB

Download
memory/1856-6-0x0000000000870000-0x0000000000893000-memory.dmp

Filesize
140KB

Download
memory/1856-5-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1856-3-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1944-33-0x0000000000413FA4-mapping.dmp

Download
memory/1944-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2044-29-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads