remcos | c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4

General

Target

Shipping Document PL& BL 0980 ,pdf.exe
Size

800KB
MD5

7bbfadf6d555db358cab481b6e73d985
SHA1

8aad19b730b71b346af632fe78021ec76e3d849f
SHA256

c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4
SHA512

504d6d350dc40f1ec94d8a005fa226bfa992906fc07dc3bb0d5bfb25bf8c30271de4b78eb59e763fcbdb17be6e89b4901607e812d16c9ce64c6783371bcb42ad

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

favour2021.ddns.net:1990

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1872 remcos.exe
3016 remcos.exe

pid	process
1872	remcos.exe
3016	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Shipping Document PL& BL 0980 ,pdf.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	Shipping Document PL& BL 0980 ,pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Shipping Document PL& BL 0980 ,pdf.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Shipping Document PL& BL 0980 ,pdf.exeremcos.exe

description	pid	process	target process
PID 4808 set thread context of 368	4808	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 1872 set thread context of 3016	1872	remcos.exe	remcos.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2572 schtasks.exe
592 schtasks.exe

pid	process
2572	schtasks.exe
592	schtasks.exe

Modifies registry class 1 IoCs

Processes:

Shipping Document PL& BL 0980 ,pdf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	Shipping Document PL& BL 0980 ,pdf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Shipping Document PL& BL 0980 ,pdf.exeremcos.exe

pid process

4808 Shipping Document PL& BL 0980 ,pdf.exe
1872 remcos.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Shipping Document PL& BL 0980 ,pdf.exeremcos.exe

description pid process

Token: SeDebugPrivilege 4808 Shipping Document PL& BL 0980 ,pdf.exe
Token: SeDebugPrivilege 1872 remcos.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

3016 remcos.exe

pid	process
4808	Shipping Document PL& BL 0980 ,pdf.exe
1872	remcos.exe

description	pid	process
Token: SeDebugPrivilege	4808	Shipping Document PL& BL 0980 ,pdf.exe
Token: SeDebugPrivilege	1872	remcos.exe

pid	process
3016	remcos.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Shipping Document PL& BL 0980 ,pdf.exeShipping Document PL& BL 0980 ,pdf.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 4808 wrote to memory of 592	4808	Shipping Document PL& BL 0980 ,pdf.exe	schtasks.exe
PID 4808 wrote to memory of 592	4808	Shipping Document PL& BL 0980 ,pdf.exe	schtasks.exe
PID 4808 wrote to memory of 592	4808	Shipping Document PL& BL 0980 ,pdf.exe	schtasks.exe
PID 4808 wrote to memory of 368	4808	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 4808 wrote to memory of 368	4808	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 4808 wrote to memory of 368	4808	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 4808 wrote to memory of 368	4808	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 4808 wrote to memory of 368	4808	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 4808 wrote to memory of 368	4808	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 4808 wrote to memory of 368	4808	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 4808 wrote to memory of 368	4808	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 4808 wrote to memory of 368	4808	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 4808 wrote to memory of 368	4808	Shipping Document PL& BL 0980 ,pdf.exe	Shipping Document PL& BL 0980 ,pdf.exe
PID 368 wrote to memory of 1288	368	Shipping Document PL& BL 0980 ,pdf.exe	WScript.exe
PID 368 wrote to memory of 1288	368	Shipping Document PL& BL 0980 ,pdf.exe	WScript.exe
PID 368 wrote to memory of 1288	368	Shipping Document PL& BL 0980 ,pdf.exe	WScript.exe
PID 1288 wrote to memory of 1608	1288	WScript.exe	cmd.exe
PID 1288 wrote to memory of 1608	1288	WScript.exe	cmd.exe
PID 1288 wrote to memory of 1608	1288	WScript.exe	cmd.exe
PID 1608 wrote to memory of 1872	1608	cmd.exe	remcos.exe
PID 1608 wrote to memory of 1872	1608	cmd.exe	remcos.exe
PID 1608 wrote to memory of 1872	1608	cmd.exe	remcos.exe
PID 1872 wrote to memory of 2572	1872	remcos.exe	schtasks.exe
PID 1872 wrote to memory of 2572	1872	remcos.exe	schtasks.exe
PID 1872 wrote to memory of 2572	1872	remcos.exe	schtasks.exe
PID 1872 wrote to memory of 3016	1872	remcos.exe	remcos.exe
PID 1872 wrote to memory of 3016	1872	remcos.exe	remcos.exe
PID 1872 wrote to memory of 3016	1872	remcos.exe	remcos.exe
PID 1872 wrote to memory of 3016	1872	remcos.exe	remcos.exe
PID 1872 wrote to memory of 3016	1872	remcos.exe	remcos.exe
PID 1872 wrote to memory of 3016	1872	remcos.exe	remcos.exe
PID 1872 wrote to memory of 3016	1872	remcos.exe	remcos.exe
PID 1872 wrote to memory of 3016	1872	remcos.exe	remcos.exe
PID 1872 wrote to memory of 3016	1872	remcos.exe	remcos.exe
PID 1872 wrote to memory of 3016	1872	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 0980 ,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 0980 ,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aPkByBtePgmjjx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp61C8.tmp"
2⤵
- Creates scheduled task(s)
PID:592

C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 0980 ,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL& BL 0980 ,pdf.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aPkByBtePgmjjx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F33.tmp"
6⤵
- Creates scheduled task(s)
PID:2572

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5F33.tmp
MD5
ab78a25bdc090d0db25aafdbf660a7d5

SHA1
052b7bfdf6e65fb0bc95be35fb198d7b014f1784

SHA256
1900611f09d23a6291a8129550ce223d3e01346bf06e5374d35a609aeeed692c

SHA512
d7b85d7ef2290eaca8e2dd1c889506f56dc2098f7e78aa1aaa4ff425476e73055952b06433761205bdf7d2e2cfdb5fa8fea3b1725afb2338d0c1ef27e84af3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp61C8.tmp
MD5
ab78a25bdc090d0db25aafdbf660a7d5

SHA1
052b7bfdf6e65fb0bc95be35fb198d7b014f1784

SHA256
1900611f09d23a6291a8129550ce223d3e01346bf06e5374d35a609aeeed692c

SHA512
d7b85d7ef2290eaca8e2dd1c889506f56dc2098f7e78aa1aaa4ff425476e73055952b06433761205bdf7d2e2cfdb5fa8fea3b1725afb2338d0c1ef27e84af3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7bbfadf6d555db358cab481b6e73d985

SHA1
8aad19b730b71b346af632fe78021ec76e3d849f

SHA256
c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4

SHA512
504d6d350dc40f1ec94d8a005fa226bfa992906fc07dc3bb0d5bfb25bf8c30271de4b78eb59e763fcbdb17be6e89b4901607e812d16c9ce64c6783371bcb42ad

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7bbfadf6d555db358cab481b6e73d985

SHA1
8aad19b730b71b346af632fe78021ec76e3d849f

SHA256
c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4

SHA512
504d6d350dc40f1ec94d8a005fa226bfa992906fc07dc3bb0d5bfb25bf8c30271de4b78eb59e763fcbdb17be6e89b4901607e812d16c9ce64c6783371bcb42ad

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7bbfadf6d555db358cab481b6e73d985

SHA1
8aad19b730b71b346af632fe78021ec76e3d849f

SHA256
c6cd969f7c4fb071f64c31cdf57dfe1a4015cd78f49fa880cd7144c0eaed3df4

SHA512
504d6d350dc40f1ec94d8a005fa226bfa992906fc07dc3bb0d5bfb25bf8c30271de4b78eb59e763fcbdb17be6e89b4901607e812d16c9ce64c6783371bcb42ad

Download Submit
memory/368-15-0x0000000000413FA4-mapping.dmp

Download
memory/368-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/368-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/592-12-0x0000000000000000-mapping.dmp

Download
memory/1288-16-0x0000000000000000-mapping.dmp

Download
memory/1608-19-0x0000000000000000-mapping.dmp

Download
memory/1872-31-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/1872-23-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/1872-20-0x0000000000000000-mapping.dmp

Download
memory/2572-33-0x0000000000000000-mapping.dmp

Download
memory/3016-36-0x0000000000413FA4-mapping.dmp

Download
memory/3016-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4808-9-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/4808-2-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/4808-7-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/4808-6-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/4808-8-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/4808-11-0x0000000005F00000-0x0000000005F59000-memory.dmp

Filesize
356KB

Download
memory/4808-10-0x0000000005250000-0x0000000005273000-memory.dmp

Filesize
140KB

Download
memory/4808-5-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/4808-3-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads