remcos | 46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

General

Target

richiealvin.exe
Size

791KB
MD5

57cbb0c81ccbd1c74fa39bd6d1d32884
SHA1

bbb48a60aa774829cd22d86dfe0530fb79b35b83
SHA256

46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd
SHA512

aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Score

10^/10

remcos ransomware rat

Malware Config

Extracted

Family

remcos

C2

91.193.75.185:1989

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

system32.exesystem32.exe

pid process

2684 system32.exe
1436 system32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

pid	process
2684	system32.exe
1436	system32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

richiealvin.exesystem32.exe

description	pid	process	target process
PID 4092 set thread context of 564	4092	richiealvin.exe	richiealvin.exe
PID 2684 set thread context of 1436	2684	system32.exe	system32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3212 schtasks.exe
2932 schtasks.exe
Modifies registry class 1 IoCs

Processes:

richiealvin.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings richiealvin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

richiealvin.exesystem32.exe

pid process

4092 richiealvin.exe
2684 system32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

richiealvin.exesystem32.exe

description pid process

Token: SeDebugPrivilege 4092 richiealvin.exe
Token: SeDebugPrivilege 2684 system32.exe

pid	process
3212	schtasks.exe
2932	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	richiealvin.exe

pid	process
4092	richiealvin.exe
2684	system32.exe

description	pid	process
Token: SeDebugPrivilege	4092	richiealvin.exe
Token: SeDebugPrivilege	2684	system32.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

richiealvin.exerichiealvin.exeWScript.execmd.exesystem32.exesystem32.exe

description	pid	process	target process
PID 4092 wrote to memory of 3212	4092	richiealvin.exe	schtasks.exe
PID 4092 wrote to memory of 3212	4092	richiealvin.exe	schtasks.exe
PID 4092 wrote to memory of 3212	4092	richiealvin.exe	schtasks.exe
PID 4092 wrote to memory of 564	4092	richiealvin.exe	richiealvin.exe
PID 4092 wrote to memory of 564	4092	richiealvin.exe	richiealvin.exe
PID 4092 wrote to memory of 564	4092	richiealvin.exe	richiealvin.exe
PID 4092 wrote to memory of 564	4092	richiealvin.exe	richiealvin.exe
PID 4092 wrote to memory of 564	4092	richiealvin.exe	richiealvin.exe
PID 4092 wrote to memory of 564	4092	richiealvin.exe	richiealvin.exe
PID 4092 wrote to memory of 564	4092	richiealvin.exe	richiealvin.exe
PID 4092 wrote to memory of 564	4092	richiealvin.exe	richiealvin.exe
PID 4092 wrote to memory of 564	4092	richiealvin.exe	richiealvin.exe
PID 4092 wrote to memory of 564	4092	richiealvin.exe	richiealvin.exe
PID 564 wrote to memory of 864	564	richiealvin.exe	WScript.exe
PID 564 wrote to memory of 864	564	richiealvin.exe	WScript.exe
PID 564 wrote to memory of 864	564	richiealvin.exe	WScript.exe
PID 864 wrote to memory of 416	864	WScript.exe	cmd.exe
PID 864 wrote to memory of 416	864	WScript.exe	cmd.exe
PID 864 wrote to memory of 416	864	WScript.exe	cmd.exe
PID 416 wrote to memory of 2684	416	cmd.exe	system32.exe
PID 416 wrote to memory of 2684	416	cmd.exe	system32.exe
PID 416 wrote to memory of 2684	416	cmd.exe	system32.exe
PID 2684 wrote to memory of 2932	2684	system32.exe	schtasks.exe
PID 2684 wrote to memory of 2932	2684	system32.exe	schtasks.exe
PID 2684 wrote to memory of 2932	2684	system32.exe	schtasks.exe
PID 2684 wrote to memory of 1436	2684	system32.exe	system32.exe
PID 2684 wrote to memory of 1436	2684	system32.exe	system32.exe
PID 2684 wrote to memory of 1436	2684	system32.exe	system32.exe
PID 2684 wrote to memory of 1436	2684	system32.exe	system32.exe
PID 2684 wrote to memory of 1436	2684	system32.exe	system32.exe
PID 2684 wrote to memory of 1436	2684	system32.exe	system32.exe
PID 2684 wrote to memory of 1436	2684	system32.exe	system32.exe
PID 2684 wrote to memory of 1436	2684	system32.exe	system32.exe
PID 2684 wrote to memory of 1436	2684	system32.exe	system32.exe
PID 2684 wrote to memory of 1436	2684	system32.exe	system32.exe
PID 1436 wrote to memory of 3976	1436	system32.exe	svchost.exe
PID 1436 wrote to memory of 3976	1436	system32.exe	svchost.exe
PID 1436 wrote to memory of 3976	1436	system32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\richiealvin.exe
"C:\Users\Admin\AppData\Local\Temp\richiealvin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTZWsOJmyD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp14B2.tmp"
2⤵
- Creates scheduled task(s)
PID:3212

C:\Users\Admin\AppData\Local\Temp\richiealvin.exe
"C:\Users\Admin\AppData\Local\Temp\richiealvin.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTZWsOJmyD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF3E6.tmp"
6⤵
- Creates scheduled task(s)
PID:2932

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:3976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
139d1ffe3f418f4794b6359f239089a2

SHA1
579f8d9c97105a2a77566de7e802a26e4a27f4c8

SHA256
7c71958fda4cff7e2ae1d9309cd4c0143057ca52732926f640252fd5a7a9a2ca

SHA512
5b806812558c28ea195326cfe800a2a41377d5e1da1fb352c2aa3d5060237a5ba544dec6f52459a9ecf55b526280c7d9c6aa8a1b8544124b288a4235eb25c2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp14B2.tmp
MD5
320b729a8ca1092f36a7438a5659fab4

SHA1
2b4f68a8f3bc40aacdffab8a62fae1ce301700a3

SHA256
79c611df1eb6d4da52290b41b21135dded53b281124acc5e9abe4058ce345074

SHA512
99094cc470428eee88535c5839caad11d6d8266d9ea191839ffcc47b2f95c633de6daf405a99416c9373d15b3792b13dbf417f71250ad4990b34b6a2eadb6f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3E6.tmp
MD5
320b729a8ca1092f36a7438a5659fab4

SHA1
2b4f68a8f3bc40aacdffab8a62fae1ce301700a3

SHA256
79c611df1eb6d4da52290b41b21135dded53b281124acc5e9abe4058ce345074

SHA512
99094cc470428eee88535c5839caad11d6d8266d9ea191839ffcc47b2f95c633de6daf405a99416c9373d15b3792b13dbf417f71250ad4990b34b6a2eadb6f90

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
MD5
57cbb0c81ccbd1c74fa39bd6d1d32884

SHA1
bbb48a60aa774829cd22d86dfe0530fb79b35b83

SHA256
46336468a43514fedfce240a5a3ca440c938d465c59fba6ce8d3b9383c5521cd

SHA512
aef00ecb214cde6efd34664494421c9724b7c8d77a55a33f0a043245cefa3c290d032a930f9e175d2d3d47f9dd5a3665002cd208f6474c63c938551351ada1ff

Download Submit
memory/416-19-0x0000000000000000-mapping.dmp

Download
memory/564-15-0x0000000000413FA4-mapping.dmp

Download
memory/564-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/564-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/864-16-0x0000000000000000-mapping.dmp

Download
memory/1436-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1436-36-0x0000000000413FA4-mapping.dmp

Download
memory/2684-23-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-31-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2684-20-0x0000000000000000-mapping.dmp

Download
memory/2932-33-0x0000000000000000-mapping.dmp

Download
memory/3212-12-0x0000000000000000-mapping.dmp

Download
memory/4092-2-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/4092-6-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/4092-7-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/4092-8-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/4092-9-0x0000000005640000-0x0000000005663000-memory.dmp

Filesize
140KB

Download
memory/4092-5-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/4092-11-0x0000000006360000-0x00000000063B9000-memory.dmp

Filesize
356KB

Download
memory/4092-3-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4092-10-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads