remcos | 46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

General

Target

richiealvin.exe
Size

791KB
MD5

57cbb0c81ccbd1c74fa39bd6d1d32884
SHA1

bbb48a60aa774829cd22d86dfe0530fb79b35b83
SHA256

46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd
SHA512

aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Score

10^/10

remcos ransomware rat

Malware Config

Extracted

Family

remcos

C2

91.193.75.185:1989

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

system32.exesystem32.exe

pid process

564 system32.exe
1604 system32.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

816 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

pid	process
564	system32.exe
1604	system32.exe

pid	process
816	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

richiealvin.exesystem32.exesystem32.exe

description	pid	process	target process
PID 2028 set thread context of 2000	2028	richiealvin.exe	richiealvin.exe
PID 564 set thread context of 1604	564	system32.exe	system32.exe
PID 1604 set thread context of 1632	1604	system32.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1820 schtasks.exe
1028 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

system32.exe

pid process

564 system32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

richiealvin.exesystem32.exe

description pid process

Token: SeDebugPrivilege 2028 richiealvin.exe
Token: SeDebugPrivilege 564 system32.exe

pid	process
1820	schtasks.exe
1028	schtasks.exe

pid	process
564	system32.exe

description	pid	process
Token: SeDebugPrivilege	2028	richiealvin.exe
Token: SeDebugPrivilege	564	system32.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

richiealvin.exerichiealvin.exeWScript.execmd.exesystem32.exesystem32.exe

description	pid	process	target process
PID 2028 wrote to memory of 1820	2028	richiealvin.exe	schtasks.exe
PID 2028 wrote to memory of 1820	2028	richiealvin.exe	schtasks.exe
PID 2028 wrote to memory of 1820	2028	richiealvin.exe	schtasks.exe
PID 2028 wrote to memory of 1820	2028	richiealvin.exe	schtasks.exe
PID 2028 wrote to memory of 2000	2028	richiealvin.exe	richiealvin.exe
PID 2028 wrote to memory of 2000	2028	richiealvin.exe	richiealvin.exe
PID 2028 wrote to memory of 2000	2028	richiealvin.exe	richiealvin.exe
PID 2028 wrote to memory of 2000	2028	richiealvin.exe	richiealvin.exe
PID 2028 wrote to memory of 2000	2028	richiealvin.exe	richiealvin.exe
PID 2028 wrote to memory of 2000	2028	richiealvin.exe	richiealvin.exe
PID 2028 wrote to memory of 2000	2028	richiealvin.exe	richiealvin.exe
PID 2028 wrote to memory of 2000	2028	richiealvin.exe	richiealvin.exe
PID 2028 wrote to memory of 2000	2028	richiealvin.exe	richiealvin.exe
PID 2028 wrote to memory of 2000	2028	richiealvin.exe	richiealvin.exe
PID 2028 wrote to memory of 2000	2028	richiealvin.exe	richiealvin.exe
PID 2000 wrote to memory of 760	2000	richiealvin.exe	WScript.exe
PID 2000 wrote to memory of 760	2000	richiealvin.exe	WScript.exe
PID 2000 wrote to memory of 760	2000	richiealvin.exe	WScript.exe
PID 2000 wrote to memory of 760	2000	richiealvin.exe	WScript.exe
PID 760 wrote to memory of 816	760	WScript.exe	cmd.exe
PID 760 wrote to memory of 816	760	WScript.exe	cmd.exe
PID 760 wrote to memory of 816	760	WScript.exe	cmd.exe
PID 760 wrote to memory of 816	760	WScript.exe	cmd.exe
PID 816 wrote to memory of 564	816	cmd.exe	system32.exe
PID 816 wrote to memory of 564	816	cmd.exe	system32.exe
PID 816 wrote to memory of 564	816	cmd.exe	system32.exe
PID 816 wrote to memory of 564	816	cmd.exe	system32.exe
PID 564 wrote to memory of 1028	564	system32.exe	schtasks.exe
PID 564 wrote to memory of 1028	564	system32.exe	schtasks.exe
PID 564 wrote to memory of 1028	564	system32.exe	schtasks.exe
PID 564 wrote to memory of 1028	564	system32.exe	schtasks.exe
PID 564 wrote to memory of 1604	564	system32.exe	system32.exe
PID 564 wrote to memory of 1604	564	system32.exe	system32.exe
PID 564 wrote to memory of 1604	564	system32.exe	system32.exe
PID 564 wrote to memory of 1604	564	system32.exe	system32.exe
PID 564 wrote to memory of 1604	564	system32.exe	system32.exe
PID 564 wrote to memory of 1604	564	system32.exe	system32.exe
PID 564 wrote to memory of 1604	564	system32.exe	system32.exe
PID 564 wrote to memory of 1604	564	system32.exe	system32.exe
PID 564 wrote to memory of 1604	564	system32.exe	system32.exe
PID 564 wrote to memory of 1604	564	system32.exe	system32.exe
PID 564 wrote to memory of 1604	564	system32.exe	system32.exe
PID 1604 wrote to memory of 1632	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1632	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1632	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1632	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1632	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1632	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1632	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1632	1604	system32.exe	svchost.exe
PID 1604 wrote to memory of 1632	1604	system32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\richiealvin.exe
"C:\Users\Admin\AppData\Local\Temp\richiealvin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTZWsOJmyD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8E1.tmp"
2⤵
- Creates scheduled task(s)
PID:1820

C:\Users\Admin\AppData\Local\Temp\richiealvin.exe
"C:\Users\Admin\AppData\Local\Temp\richiealvin.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTZWsOJmyD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA535.tmp"
6⤵
- Creates scheduled task(s)
PID:1028

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
139d1ffe3f418f4794b6359f239089a2

SHA1
579f8d9c97105a2a77566de7e802a26e4a27f4c8

SHA256
7c71958fda4cff7e2ae1d9309cd4c0143057ca52732926f640252fd5a7a9a2ca

SHA512
5b806812558c28ea195326cfe800a2a41377d5e1da1fb352c2aa3d5060237a5ba544dec6f52459a9ecf55b526280c7d9c6aa8a1b8544124b288a4235eb25c2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA535.tmp
MD5
6f329a045864521bf6dfabdd0d6ba600

SHA1
b638602bfe8fbe87ba460042e214977a092fabc0

SHA256
cff30cc94055aaa85fd49c8b4824a0ff10ce3d22945bbe65113003de231b1ac6

SHA512
956fac8704056826acd51dc00430e8b7f8d0c9d6cd9bd317972529b32d645303f50749d2368c750374c0bf9f636123cf1f6f26181967c9a26dc21f94c9b0685c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD8E1.tmp
MD5
6f329a045864521bf6dfabdd0d6ba600

SHA1
b638602bfe8fbe87ba460042e214977a092fabc0

SHA256
cff30cc94055aaa85fd49c8b4824a0ff10ce3d22945bbe65113003de231b1ac6

SHA512
956fac8704056826acd51dc00430e8b7f8d0c9d6cd9bd317972529b32d645303f50749d2368c750374c0bf9f636123cf1f6f26181967c9a26dc21f94c9b0685c

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
memory/564-27-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/564-24-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/564-23-0x0000000074E60000-0x000000007554E000-memory.dmp

Filesize
6.9MB

Download
memory/564-21-0x0000000000000000-mapping.dmp

Download
memory/760-18-0x0000000002870000-0x0000000002874000-memory.dmp

Filesize
16KB

Download
memory/760-13-0x0000000000000000-mapping.dmp

Download
memory/816-17-0x0000000000000000-mapping.dmp

Download
memory/1028-29-0x0000000000000000-mapping.dmp

Download
memory/1604-32-0x0000000000413FA4-mapping.dmp

Download
memory/1604-37-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1632-35-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1632-36-0x00000000004A82A6-mapping.dmp

Download
memory/1820-8-0x0000000000000000-mapping.dmp

Download
memory/2000-12-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/2000-11-0x0000000000413FA4-mapping.dmp

Download
memory/2000-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2000-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2028-7-0x0000000004E50000-0x0000000004EA9000-memory.dmp

Filesize
356KB

Download
memory/2028-3-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2028-5-0x0000000000A90000-0x0000000000AB3000-memory.dmp

Filesize
140KB

Download
memory/2028-6-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2028-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads