remcos | 46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

General

Target

richiealvin.exe
Size

791KB
MD5

57cbb0c81ccbd1c74fa39bd6d1d32884
SHA1

bbb48a60aa774829cd22d86dfe0530fb79b35b83
SHA256

46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd
SHA512

aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Score

10^/10

remcos ransomware rat

Malware Config

Extracted

Family

remcos

C2

91.193.75.185:1989

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

system32.exesystem32.exesystem32.exe

pid process

1172 system32.exe
1612 system32.exe
1868 system32.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1632 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

pid	process
1172	system32.exe
1612	system32.exe
1868	system32.exe

pid	process
1632	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

richiealvin.exesystem32.exe

description	pid	process	target process
PID 1088 set thread context of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1172 set thread context of 1868	1172	system32.exe	system32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1220 schtasks.exe
1780 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

system32.exe

pid process

1172 system32.exe
1172 system32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

richiealvin.exesystem32.exe

description pid process

Token: SeDebugPrivilege 1088 richiealvin.exe
Token: SeDebugPrivilege 1172 system32.exe

pid	process
1220	schtasks.exe
1780	schtasks.exe

pid	process
1172	system32.exe
1172	system32.exe

description	pid	process
Token: SeDebugPrivilege	1088	richiealvin.exe
Token: SeDebugPrivilege	1172	system32.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

richiealvin.exerichiealvin.exeWScript.execmd.exesystem32.exesystem32.exe

description	pid	process	target process
PID 1088 wrote to memory of 1220	1088	richiealvin.exe	schtasks.exe
PID 1088 wrote to memory of 1220	1088	richiealvin.exe	schtasks.exe
PID 1088 wrote to memory of 1220	1088	richiealvin.exe	schtasks.exe
PID 1088 wrote to memory of 1220	1088	richiealvin.exe	schtasks.exe
PID 1088 wrote to memory of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1088 wrote to memory of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1088 wrote to memory of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1088 wrote to memory of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1088 wrote to memory of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1088 wrote to memory of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1088 wrote to memory of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1088 wrote to memory of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1088 wrote to memory of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1088 wrote to memory of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1088 wrote to memory of 1524	1088	richiealvin.exe	richiealvin.exe
PID 1524 wrote to memory of 112	1524	richiealvin.exe	WScript.exe
PID 1524 wrote to memory of 112	1524	richiealvin.exe	WScript.exe
PID 1524 wrote to memory of 112	1524	richiealvin.exe	WScript.exe
PID 1524 wrote to memory of 112	1524	richiealvin.exe	WScript.exe
PID 112 wrote to memory of 1632	112	WScript.exe	cmd.exe
PID 112 wrote to memory of 1632	112	WScript.exe	cmd.exe
PID 112 wrote to memory of 1632	112	WScript.exe	cmd.exe
PID 112 wrote to memory of 1632	112	WScript.exe	cmd.exe
PID 1632 wrote to memory of 1172	1632	cmd.exe	system32.exe
PID 1632 wrote to memory of 1172	1632	cmd.exe	system32.exe
PID 1632 wrote to memory of 1172	1632	cmd.exe	system32.exe
PID 1632 wrote to memory of 1172	1632	cmd.exe	system32.exe
PID 1172 wrote to memory of 1780	1172	system32.exe	schtasks.exe
PID 1172 wrote to memory of 1780	1172	system32.exe	schtasks.exe
PID 1172 wrote to memory of 1780	1172	system32.exe	schtasks.exe
PID 1172 wrote to memory of 1780	1172	system32.exe	schtasks.exe
PID 1172 wrote to memory of 1612	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1612	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1612	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1612	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1868	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1868	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1868	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1868	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1868	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1868	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1868	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1868	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1868	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1868	1172	system32.exe	system32.exe
PID 1172 wrote to memory of 1868	1172	system32.exe	system32.exe
PID 1868 wrote to memory of 956	1868	system32.exe	svchost.exe
PID 1868 wrote to memory of 956	1868	system32.exe	svchost.exe
PID 1868 wrote to memory of 956	1868	system32.exe	svchost.exe
PID 1868 wrote to memory of 956	1868	system32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\richiealvin.exe
"C:\Users\Admin\AppData\Local\Temp\richiealvin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTZWsOJmyD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D34.tmp"
2⤵
- Creates scheduled task(s)
PID:1220

C:\Users\Admin\AppData\Local\Temp\richiealvin.exe
"C:\Users\Admin\AppData\Local\Temp\richiealvin.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTZWsOJmyD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp48F2.tmp"
6⤵
- Creates scheduled task(s)
PID:1780

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
6⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
139d1ffe3f418f4794b6359f239089a2

SHA1
579f8d9c97105a2a77566de7e802a26e4a27f4c8

SHA256
7c71958fda4cff7e2ae1d9309cd4c0143057ca52732926f640252fd5a7a9a2ca

SHA512
5b806812558c28ea195326cfe800a2a41377d5e1da1fb352c2aa3d5060237a5ba544dec6f52459a9ecf55b526280c7d9c6aa8a1b8544124b288a4235eb25c2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48F2.tmp
MD5
9c46e836ffdc413c2603c50708a89200

SHA1
5264c6fac3e833a821ef543e68f3d65a964611f3

SHA256
8dd57a1f45aed1c0c4dcbb78605662fa3f7d30d534af53ca587a9c077a4920a9

SHA512
bfa7db63c95c4b6f891342f371c850da5d3781530f8c7fea3833a804ee966689eee912713ea8ba1882000d479515afc7701e70dfe89c2540a7d6f15f5d3100c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D34.tmp
MD5
9c46e836ffdc413c2603c50708a89200

SHA1
5264c6fac3e833a821ef543e68f3d65a964611f3

SHA256
8dd57a1f45aed1c0c4dcbb78605662fa3f7d30d534af53ca587a9c077a4920a9

SHA512
bfa7db63c95c4b6f891342f371c850da5d3781530f8c7fea3833a804ee966689eee912713ea8ba1882000d479515afc7701e70dfe89c2540a7d6f15f5d3100c8

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
memory/112-18-0x00000000027E0000-0x00000000027E4000-memory.dmp

Filesize
16KB

Download
memory/112-14-0x0000000000000000-mapping.dmp

Download
memory/1088-6-0x0000000000210000-0x0000000000233000-memory.dmp

Filesize
140KB

Download
memory/1088-2-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-7-0x0000000000C70000-0x0000000000CC9000-memory.dmp

Filesize
356KB

Download
memory/1088-5-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1088-3-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1172-27-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1172-21-0x0000000000000000-mapping.dmp

Download
memory/1172-23-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Filesize
6.9MB

Download
memory/1172-24-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1220-8-0x0000000000000000-mapping.dmp

Download
memory/1524-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1524-12-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1524-11-0x0000000000413FA4-mapping.dmp

Download
memory/1524-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1632-17-0x0000000000000000-mapping.dmp

Download
memory/1780-29-0x0000000000000000-mapping.dmp

Download
memory/1868-33-0x0000000000413FA4-mapping.dmp

Download
memory/1868-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads