remcos | 5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

General

Target

Quote#SO2021010197.pdf.exe
Size

1.5MB
MD5

104064d4c0b681c9a7ae1f0c00fbff49
SHA1

af273bc182f0c492520811da54165534dcf89967
SHA256

5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a
SHA512

2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Score

10^/10

remcos persistence ransomware rat

Malware Config

Extracted

Family

remcos

C2

91.193.75.185:1989

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Quote#SO2021010197.pdf.exesystem32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Quote#SO2021010197.pdf.exe\""	Quote#SO2021010197.pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Programs\\system32.exe\""	system32.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

system32.exesystem32.exesystem32.exe

pid process

1840 system32.exe
1804 system32.exe
1616 system32.exe

pid	process
1840	system32.exe
1804	system32.exe
1616	system32.exe

Drops startup file 4 IoCs

Processes:

Quote#SO2021010197.pdf.exesystem32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe	system32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe	system32.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1460 cmd.exe
1460 cmd.exe

pid	process
1460	cmd.exe
1460	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Quote#SO2021010197.pdf.exesystem32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quote#SO2021010197.pdf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Quote#SO2021010197.pdf.exe"	Quote#SO2021010197.pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\system32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Programs\\system32.exe"	system32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of SetThreadContext 5 IoCs

Processes:

Quote#SO2021010197.pdf.exeQuote#SO2021010197.pdf.exesystem32.exesystem32.exesystem32.exe

description	pid	process	target process
PID 1152 set thread context of 1828	1152	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 set thread context of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1840 set thread context of 1804	1840	system32.exe	system32.exe
PID 1804 set thread context of 1616	1804	system32.exe	system32.exe
PID 1616 set thread context of 1708	1616	system32.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Quote#SO2021010197.pdf.exe

pid process

1828 Quote#SO2021010197.pdf.exe
1828 Quote#SO2021010197.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Quote#SO2021010197.pdf.exe

description pid process

Token: SeDebugPrivilege 1828 Quote#SO2021010197.pdf.exe

pid	process
1828	Quote#SO2021010197.pdf.exe
1828	Quote#SO2021010197.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1828	Quote#SO2021010197.pdf.exe

Suspicious use of WriteProcessMemory 65 IoCs

Processes:

Quote#SO2021010197.pdf.exeQuote#SO2021010197.pdf.exeQuote#SO2021010197.pdf.exeWScript.execmd.exesystem32.exesystem32.exesystem32.exe

description	pid	process	target process
PID 1152 wrote to memory of 1828	1152	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1152 wrote to memory of 1828	1152	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1152 wrote to memory of 1828	1152	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1152 wrote to memory of 1828	1152	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1152 wrote to memory of 1828	1152	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1152 wrote to memory of 1828	1152	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1152 wrote to memory of 1828	1152	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1152 wrote to memory of 1828	1152	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1152 wrote to memory of 1828	1152	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1008	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1008	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1008	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1008	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1828 wrote to memory of 1120	1828	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1120 wrote to memory of 664	1120	Quote#SO2021010197.pdf.exe	WScript.exe
PID 1120 wrote to memory of 664	1120	Quote#SO2021010197.pdf.exe	WScript.exe
PID 1120 wrote to memory of 664	1120	Quote#SO2021010197.pdf.exe	WScript.exe
PID 1120 wrote to memory of 664	1120	Quote#SO2021010197.pdf.exe	WScript.exe
PID 664 wrote to memory of 1460	664	WScript.exe	cmd.exe
PID 664 wrote to memory of 1460	664	WScript.exe	cmd.exe
PID 664 wrote to memory of 1460	664	WScript.exe	cmd.exe
PID 664 wrote to memory of 1460	664	WScript.exe	cmd.exe
PID 1460 wrote to memory of 1840	1460	cmd.exe	system32.exe
PID 1460 wrote to memory of 1840	1460	cmd.exe	system32.exe
PID 1460 wrote to memory of 1840	1460	cmd.exe	system32.exe
PID 1460 wrote to memory of 1840	1460	cmd.exe	system32.exe
PID 1840 wrote to memory of 1804	1840	system32.exe	system32.exe
PID 1840 wrote to memory of 1804	1840	system32.exe	system32.exe
PID 1840 wrote to memory of 1804	1840	system32.exe	system32.exe
PID 1840 wrote to memory of 1804	1840	system32.exe	system32.exe
PID 1840 wrote to memory of 1804	1840	system32.exe	system32.exe
PID 1840 wrote to memory of 1804	1840	system32.exe	system32.exe
PID 1840 wrote to memory of 1804	1840	system32.exe	system32.exe
PID 1840 wrote to memory of 1804	1840	system32.exe	system32.exe
PID 1840 wrote to memory of 1804	1840	system32.exe	system32.exe
PID 1804 wrote to memory of 1616	1804	system32.exe	system32.exe
PID 1804 wrote to memory of 1616	1804	system32.exe	system32.exe
PID 1804 wrote to memory of 1616	1804	system32.exe	system32.exe
PID 1804 wrote to memory of 1616	1804	system32.exe	system32.exe
PID 1804 wrote to memory of 1616	1804	system32.exe	system32.exe
PID 1804 wrote to memory of 1616	1804	system32.exe	system32.exe
PID 1804 wrote to memory of 1616	1804	system32.exe	system32.exe
PID 1804 wrote to memory of 1616	1804	system32.exe	system32.exe
PID 1804 wrote to memory of 1616	1804	system32.exe	system32.exe
PID 1804 wrote to memory of 1616	1804	system32.exe	system32.exe
PID 1804 wrote to memory of 1616	1804	system32.exe	system32.exe
PID 1616 wrote to memory of 1708	1616	system32.exe	svchost.exe
PID 1616 wrote to memory of 1708	1616	system32.exe	svchost.exe
PID 1616 wrote to memory of 1708	1616	system32.exe	svchost.exe
PID 1616 wrote to memory of 1708	1616	system32.exe	svchost.exe
PID 1616 wrote to memory of 1708	1616	system32.exe	svchost.exe
PID 1616 wrote to memory of 1708	1616	system32.exe	svchost.exe
PID 1616 wrote to memory of 1708	1616	system32.exe	svchost.exe
PID 1616 wrote to memory of 1708	1616	system32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe"
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe"
3⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
9⤵
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
139d1ffe3f418f4794b6359f239089a2

SHA1
579f8d9c97105a2a77566de7e802a26e4a27f4c8

SHA256
7c71958fda4cff7e2ae1d9309cd4c0143057ca52732926f640252fd5a7a9a2ca

SHA512
5b806812558c28ea195326cfe800a2a41377d5e1da1fb352c2aa3d5060237a5ba544dec6f52459a9ecf55b526280c7d9c6aa8a1b8544124b288a4235eb25c2d9

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
104064d4c0b681c9a7ae1f0c00fbff49

SHA1
af273bc182f0c492520811da54165534dcf89967

SHA256
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

SHA512
2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
104064d4c0b681c9a7ae1f0c00fbff49

SHA1
af273bc182f0c492520811da54165534dcf89967

SHA256
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

SHA512
2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
104064d4c0b681c9a7ae1f0c00fbff49

SHA1
af273bc182f0c492520811da54165534dcf89967

SHA256
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

SHA512
2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
104064d4c0b681c9a7ae1f0c00fbff49

SHA1
af273bc182f0c492520811da54165534dcf89967

SHA256
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

SHA512
2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Download Submit
\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
104064d4c0b681c9a7ae1f0c00fbff49

SHA1
af273bc182f0c492520811da54165534dcf89967

SHA256
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

SHA512
2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Download Submit
\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
104064d4c0b681c9a7ae1f0c00fbff49

SHA1
af273bc182f0c492520811da54165534dcf89967

SHA256
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

SHA512
2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Download Submit
memory/664-16-0x0000000000000000-mapping.dmp

Download
memory/664-21-0x00000000025D0000-0x00000000025D4000-memory.dmp

Filesize
16KB

Download
memory/1120-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1120-14-0x0000000000413FA4-mapping.dmp

Download
memory/1120-15-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1120-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1152-5-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/1152-2-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1152-3-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1152-11-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1460-20-0x0000000000000000-mapping.dmp

Download
memory/1616-45-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1616-40-0x0000000000413FA4-mapping.dmp

Download
memory/1708-44-0x000000000055C6BE-mapping.dmp

Download
memory/1708-43-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1804-38-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/1804-35-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1804-34-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/1804-32-0x0000000010033B7E-mapping.dmp

Download
memory/1828-12-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1828-9-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1828-8-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1828-7-0x0000000010033B7E-mapping.dmp

Download
memory/1828-6-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1840-30-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1840-28-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/1840-27-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/1840-25-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads