remcos | b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

General

Target

9d84e2e5d8e18157f7da91393112d8ad.exe
Size

762KB
MD5

9d84e2e5d8e18157f7da91393112d8ad
SHA1

77df25a58864a22c423d31644e635e2f075bbe87
SHA256

b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc
SHA512

a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

megamoney2021.duckdns.org:26500

79.134.225.13:26500

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 4 IoCs

Processes:

update.exeupdate.exeupdate.exeupdate.exe

pid process

632 update.exe
3296 update.exe
3228 update.exe
3232 update.exe

pid	process
632	update.exe
3296	update.exe
3228	update.exe
3232	update.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9d84e2e5d8e18157f7da91393112d8ad.exeupdate.exe

description	pid	process	target process
PID 412 set thread context of 3580	412	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 632 set thread context of 3232	632	update.exe	update.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3948 schtasks.exe
3968 schtasks.exe

pid	process
3948	schtasks.exe
3968	schtasks.exe

Modifies registry class 1 IoCs

Processes:

9d84e2e5d8e18157f7da91393112d8ad.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	9d84e2e5d8e18157f7da91393112d8ad.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

update.exe

pid process

632 update.exe
632 update.exe
632 update.exe
632 update.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

update.exe

description pid process

Token: SeDebugPrivilege 632 update.exe

pid	process
632	update.exe
632	update.exe
632	update.exe
632	update.exe

description	pid	process
Token: SeDebugPrivilege	632	update.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

9d84e2e5d8e18157f7da91393112d8ad.exe9d84e2e5d8e18157f7da91393112d8ad.exeWScript.execmd.exeupdate.exe

description	pid	process	target process
PID 412 wrote to memory of 3948	412	9d84e2e5d8e18157f7da91393112d8ad.exe	schtasks.exe
PID 412 wrote to memory of 3948	412	9d84e2e5d8e18157f7da91393112d8ad.exe	schtasks.exe
PID 412 wrote to memory of 3948	412	9d84e2e5d8e18157f7da91393112d8ad.exe	schtasks.exe
PID 412 wrote to memory of 3580	412	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 412 wrote to memory of 3580	412	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 412 wrote to memory of 3580	412	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 412 wrote to memory of 3580	412	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 412 wrote to memory of 3580	412	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 412 wrote to memory of 3580	412	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 412 wrote to memory of 3580	412	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 412 wrote to memory of 3580	412	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 412 wrote to memory of 3580	412	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 412 wrote to memory of 3580	412	9d84e2e5d8e18157f7da91393112d8ad.exe	9d84e2e5d8e18157f7da91393112d8ad.exe
PID 3580 wrote to memory of 2132	3580	9d84e2e5d8e18157f7da91393112d8ad.exe	WScript.exe
PID 3580 wrote to memory of 2132	3580	9d84e2e5d8e18157f7da91393112d8ad.exe	WScript.exe
PID 3580 wrote to memory of 2132	3580	9d84e2e5d8e18157f7da91393112d8ad.exe	WScript.exe
PID 2132 wrote to memory of 2644	2132	WScript.exe	cmd.exe
PID 2132 wrote to memory of 2644	2132	WScript.exe	cmd.exe
PID 2132 wrote to memory of 2644	2132	WScript.exe	cmd.exe
PID 2644 wrote to memory of 632	2644	cmd.exe	update.exe
PID 2644 wrote to memory of 632	2644	cmd.exe	update.exe
PID 2644 wrote to memory of 632	2644	cmd.exe	update.exe
PID 632 wrote to memory of 3968	632	update.exe	schtasks.exe
PID 632 wrote to memory of 3968	632	update.exe	schtasks.exe
PID 632 wrote to memory of 3968	632	update.exe	schtasks.exe
PID 632 wrote to memory of 3296	632	update.exe	update.exe
PID 632 wrote to memory of 3296	632	update.exe	update.exe
PID 632 wrote to memory of 3296	632	update.exe	update.exe
PID 632 wrote to memory of 3228	632	update.exe	update.exe
PID 632 wrote to memory of 3228	632	update.exe	update.exe
PID 632 wrote to memory of 3228	632	update.exe	update.exe
PID 632 wrote to memory of 3232	632	update.exe	update.exe
PID 632 wrote to memory of 3232	632	update.exe	update.exe
PID 632 wrote to memory of 3232	632	update.exe	update.exe
PID 632 wrote to memory of 3232	632	update.exe	update.exe
PID 632 wrote to memory of 3232	632	update.exe	update.exe
PID 632 wrote to memory of 3232	632	update.exe	update.exe
PID 632 wrote to memory of 3232	632	update.exe	update.exe
PID 632 wrote to memory of 3232	632	update.exe	update.exe
PID 632 wrote to memory of 3232	632	update.exe	update.exe
PID 632 wrote to memory of 3232	632	update.exe	update.exe

C:\Users\Admin\AppData\Local\Temp\9d84e2e5d8e18157f7da91393112d8ad.exe
"C:\Users\Admin\AppData\Local\Temp\9d84e2e5d8e18157f7da91393112d8ad.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NGFtet" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8379.tmp"
2⤵
- Creates scheduled task(s)
PID:3948

C:\Users\Admin\AppData\Local\Temp\9d84e2e5d8e18157f7da91393112d8ad.exe
"C:\Users\Admin\AppData\Local\Temp\9d84e2e5d8e18157f7da91393112d8ad.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\windows\update.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Roaming\windows\update.exe
C:\Users\Admin\AppData\Roaming\windows\update.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NGFtet" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85D6.tmp"
6⤵
- Creates scheduled task(s)
PID:3968

C:\Users\Admin\AppData\Roaming\windows\update.exe
"C:\Users\Admin\AppData\Roaming\windows\update.exe"
6⤵
- Executes dropped EXE
PID:3296

C:\Users\Admin\AppData\Roaming\windows\update.exe
"C:\Users\Admin\AppData\Roaming\windows\update.exe"
6⤵
- Executes dropped EXE
PID:3228

C:\Users\Admin\AppData\Roaming\windows\update.exe
"C:\Users\Admin\AppData\Roaming\windows\update.exe"
6⤵
- Executes dropped EXE
PID:3232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
8316548aa6ceaadc4f077d47d9391c61

SHA1
16c2a0ce8400c559db5873566056fb2f39a76a94

SHA256
b020536ab98017ec5f284bdf59d2c39e1731af44960dc89eb72223556a41885a

SHA512
75ec0760b8af5cd0b75e2d7147abc32b329a82d395712173def311d14d7d3f8caef8eba50e807357c54b93c86f4c24c999950f0bbce13b1bcb71854ecf2a09ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8379.tmp
MD5
b827e7696b3238b9f6d6d4b169d25322

SHA1
c229899fb24e90cb80356fee8d2d766c0e881fa3

SHA256
60ef82f66e27436564e07e30a05f4034450618996eb5b4c9ecffca82185328ab

SHA512
e2d91471111cc72ba59595fdef82b4b327ab402ec5f10af82a0226d1e60b0326ce698b068d9d6a746417a7e6f7365ee6ae96cdec659e8c5aee6bbf595d689cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85D6.tmp
MD5
b827e7696b3238b9f6d6d4b169d25322

SHA1
c229899fb24e90cb80356fee8d2d766c0e881fa3

SHA256
60ef82f66e27436564e07e30a05f4034450618996eb5b4c9ecffca82185328ab

SHA512
e2d91471111cc72ba59595fdef82b4b327ab402ec5f10af82a0226d1e60b0326ce698b068d9d6a746417a7e6f7365ee6ae96cdec659e8c5aee6bbf595d689cdb

Download Submit
C:\Users\Admin\AppData\Roaming\windows\update.exe
MD5
9d84e2e5d8e18157f7da91393112d8ad

SHA1
77df25a58864a22c423d31644e635e2f075bbe87

SHA256
b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

SHA512
a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Download Submit
C:\Users\Admin\AppData\Roaming\windows\update.exe
MD5
9d84e2e5d8e18157f7da91393112d8ad

SHA1
77df25a58864a22c423d31644e635e2f075bbe87

SHA256
b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

SHA512
a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Download Submit
C:\Users\Admin\AppData\Roaming\windows\update.exe
MD5
9d84e2e5d8e18157f7da91393112d8ad

SHA1
77df25a58864a22c423d31644e635e2f075bbe87

SHA256
b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

SHA512
a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Download Submit
C:\Users\Admin\AppData\Roaming\windows\update.exe
MD5
9d84e2e5d8e18157f7da91393112d8ad

SHA1
77df25a58864a22c423d31644e635e2f075bbe87

SHA256
b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

SHA512
a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Download Submit
C:\Users\Admin\AppData\Roaming\windows\update.exe
MD5
9d84e2e5d8e18157f7da91393112d8ad

SHA1
77df25a58864a22c423d31644e635e2f075bbe87

SHA256
b9e467b94e968b2fb26ae2384d400eb37afd49b857644a754918d2d412eb74cc

SHA512
a62996b1981c87e897c0d25e14cc231c71347879024807314eb1a46d736fc1f39f9bd4220b7c8abbe35f35a3e6587659522ba6781091d4d9b0ba1c62e6159917

Download Submit
memory/412-7-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/412-12-0x0000000006510000-0x000000000656D000-memory.dmp

Filesize
372KB

Download
memory/412-11-0x0000000003590000-0x00000000035A2000-memory.dmp

Filesize
72KB

Download
memory/412-10-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/412-9-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/412-8-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/412-6-0x0000000005FB0000-0x0000000005FB1000-memory.dmp

Filesize
4KB

Download
memory/412-2-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/412-5-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/412-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/632-24-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/632-21-0x0000000000000000-mapping.dmp

Download
memory/632-32-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2132-17-0x0000000000000000-mapping.dmp

Download
memory/2644-20-0x0000000000000000-mapping.dmp

Download
memory/3232-40-0x0000000000413FA4-mapping.dmp

Download
memory/3232-42-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3580-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3580-16-0x0000000000413FA4-mapping.dmp

Download
memory/3580-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3948-13-0x0000000000000000-mapping.dmp

Download
memory/3968-35-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads