remcos | 46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

General

Target

richiealvin.exe
Size

791KB
MD5

57cbb0c81ccbd1c74fa39bd6d1d32884
SHA1

bbb48a60aa774829cd22d86dfe0530fb79b35b83
SHA256

46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd
SHA512

aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Score

10^/10

remcos ransomware rat

Malware Config

Extracted

Family

remcos

C2

91.193.75.185:1989

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

system32.exesystem32.exesystem32.exe

pid process

3008 system32.exe
3332 system32.exe
984 system32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

pid	process
3008	system32.exe
3332	system32.exe
984	system32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

richiealvin.exesystem32.exesystem32.exe

description	pid	process	target process
PID 840 set thread context of 1672	840	richiealvin.exe	richiealvin.exe
PID 3008 set thread context of 984	3008	system32.exe	system32.exe
PID 984 set thread context of 572	984	system32.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3468 schtasks.exe
2168 schtasks.exe
Modifies registry class 1 IoCs

Processes:

richiealvin.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings richiealvin.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

richiealvin.exesystem32.exe

pid process

840 richiealvin.exe
3008 system32.exe
3008 system32.exe
3008 system32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

richiealvin.exesystem32.exe

description pid process

Token: SeDebugPrivilege 840 richiealvin.exe
Token: SeDebugPrivilege 3008 system32.exe

pid	process
3468	schtasks.exe
2168	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	richiealvin.exe

pid	process
840	richiealvin.exe
3008	system32.exe
3008	system32.exe
3008	system32.exe

description	pid	process
Token: SeDebugPrivilege	840	richiealvin.exe
Token: SeDebugPrivilege	3008	system32.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

richiealvin.exerichiealvin.exeWScript.execmd.exesystem32.exesystem32.exe

description	pid	process	target process
PID 840 wrote to memory of 3468	840	richiealvin.exe	schtasks.exe
PID 840 wrote to memory of 3468	840	richiealvin.exe	schtasks.exe
PID 840 wrote to memory of 3468	840	richiealvin.exe	schtasks.exe
PID 840 wrote to memory of 1672	840	richiealvin.exe	richiealvin.exe
PID 840 wrote to memory of 1672	840	richiealvin.exe	richiealvin.exe
PID 840 wrote to memory of 1672	840	richiealvin.exe	richiealvin.exe
PID 840 wrote to memory of 1672	840	richiealvin.exe	richiealvin.exe
PID 840 wrote to memory of 1672	840	richiealvin.exe	richiealvin.exe
PID 840 wrote to memory of 1672	840	richiealvin.exe	richiealvin.exe
PID 840 wrote to memory of 1672	840	richiealvin.exe	richiealvin.exe
PID 840 wrote to memory of 1672	840	richiealvin.exe	richiealvin.exe
PID 840 wrote to memory of 1672	840	richiealvin.exe	richiealvin.exe
PID 840 wrote to memory of 1672	840	richiealvin.exe	richiealvin.exe
PID 1672 wrote to memory of 2736	1672	richiealvin.exe	WScript.exe
PID 1672 wrote to memory of 2736	1672	richiealvin.exe	WScript.exe
PID 1672 wrote to memory of 2736	1672	richiealvin.exe	WScript.exe
PID 2736 wrote to memory of 3728	2736	WScript.exe	cmd.exe
PID 2736 wrote to memory of 3728	2736	WScript.exe	cmd.exe
PID 2736 wrote to memory of 3728	2736	WScript.exe	cmd.exe
PID 3728 wrote to memory of 3008	3728	cmd.exe	system32.exe
PID 3728 wrote to memory of 3008	3728	cmd.exe	system32.exe
PID 3728 wrote to memory of 3008	3728	cmd.exe	system32.exe
PID 3008 wrote to memory of 2168	3008	system32.exe	schtasks.exe
PID 3008 wrote to memory of 2168	3008	system32.exe	schtasks.exe
PID 3008 wrote to memory of 2168	3008	system32.exe	schtasks.exe
PID 3008 wrote to memory of 3332	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 3332	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 3332	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 984	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 984	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 984	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 984	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 984	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 984	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 984	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 984	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 984	3008	system32.exe	system32.exe
PID 3008 wrote to memory of 984	3008	system32.exe	system32.exe
PID 984 wrote to memory of 572	984	system32.exe	svchost.exe
PID 984 wrote to memory of 572	984	system32.exe	svchost.exe
PID 984 wrote to memory of 572	984	system32.exe	svchost.exe
PID 984 wrote to memory of 572	984	system32.exe	svchost.exe
PID 984 wrote to memory of 572	984	system32.exe	svchost.exe
PID 984 wrote to memory of 572	984	system32.exe	svchost.exe
PID 984 wrote to memory of 572	984	system32.exe	svchost.exe
PID 984 wrote to memory of 572	984	system32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\richiealvin.exe
"C:\Users\Admin\AppData\Local\Temp\richiealvin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTZWsOJmyD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C98.tmp"
2⤵
- Creates scheduled task(s)
PID:3468

C:\Users\Admin\AppData\Local\Temp\richiealvin.exe
"C:\Users\Admin\AppData\Local\Temp\richiealvin.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3728

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTZWsOJmyD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp361F.tmp"
6⤵
- Creates scheduled task(s)
PID:2168

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
6⤵
- Executes dropped EXE
PID:3332

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
139d1ffe3f418f4794b6359f239089a2

SHA1
579f8d9c97105a2a77566de7e802a26e4a27f4c8

SHA256
7c71958fda4cff7e2ae1d9309cd4c0143057ca52732926f640252fd5a7a9a2ca

SHA512
5b806812558c28ea195326cfe800a2a41377d5e1da1fb352c2aa3d5060237a5ba544dec6f52459a9ecf55b526280c7d9c6aa8a1b8544124b288a4235eb25c2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp361F.tmp
MD5
73dbae3535c92cee14b7d2dabd0e57ea

SHA1
6de3c4fb92a8296cf44bde4c1e0637c3e9afbd89

SHA256
012dfb76d609c0c9e5fe9f73f79ed04d70e92664cddc0219ae3cf016193636cc

SHA512
8f48b3d6d07e50b68771e4f584b9e4a8f21846643da97eabd03983d79e4099e2f5d81abb77285c701c50153d61873a2aa2f1deb69081d0fcd212af2c81187efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C98.tmp
MD5
73dbae3535c92cee14b7d2dabd0e57ea

SHA1
6de3c4fb92a8296cf44bde4c1e0637c3e9afbd89

SHA256
012dfb76d609c0c9e5fe9f73f79ed04d70e92664cddc0219ae3cf016193636cc

SHA512
8f48b3d6d07e50b68771e4f584b9e4a8f21846643da97eabd03983d79e4099e2f5d81abb77285c701c50153d61873a2aa2f1deb69081d0fcd212af2c81187efa

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
memory/572-39-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/572-40-0x00000000004A82A6-mapping.dmp

Download
memory/840-10-0x00000000056A0000-0x00000000056C3000-memory.dmp

Filesize
140KB

Download
memory/840-5-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/840-11-0x0000000006280000-0x00000000062D9000-memory.dmp

Filesize
356KB

Download
memory/840-6-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/840-2-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/840-3-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/840-9-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/840-8-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/840-7-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/984-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/984-37-0x0000000000413FA4-mapping.dmp

Download
memory/1672-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-15-0x0000000000413FA4-mapping.dmp

Download
memory/1672-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2168-33-0x0000000000000000-mapping.dmp

Download
memory/2736-16-0x0000000000000000-mapping.dmp

Download
memory/3008-30-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3008-23-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/3008-20-0x0000000000000000-mapping.dmp

Download
memory/3468-12-0x0000000000000000-mapping.dmp

Download
memory/3728-19-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads