remcos | 5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

General

Target

Quote#SO2021010197.pdf.exe
Size

1.5MB
MD5

104064d4c0b681c9a7ae1f0c00fbff49
SHA1

af273bc182f0c492520811da54165534dcf89967
SHA256

5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a
SHA512

2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Score

10^/10

remcos persistence ransomware rat

Malware Config

Extracted

Family

remcos

C2

91.193.75.185:1989

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Quote#SO2021010197.pdf.exesystem32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Quote#SO2021010197.pdf.exe\""	Quote#SO2021010197.pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Programs\\system32.exe\""	system32.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 4 IoCs

Processes:

system32.exesystem32.exesystem32.exesystem32.exe

pid process

2196 system32.exe
2320 system32.exe
1680 system32.exe
1624 system32.exe

pid	process
2196	system32.exe
2320	system32.exe
1680	system32.exe
1624	system32.exe

Drops startup file 4 IoCs

Processes:

system32.exeQuote#SO2021010197.pdf.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe	system32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe	system32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Quote#SO2021010197.pdf.exesystem32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quote#SO2021010197.pdf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Quote#SO2021010197.pdf.exe"	Quote#SO2021010197.pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\system32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Programs\\system32.exe"	system32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of SetThreadContext 4 IoCs

Processes:

Quote#SO2021010197.pdf.exeQuote#SO2021010197.pdf.exesystem32.exesystem32.exe

description	pid	process	target process
PID 644 set thread context of 2932	644	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2932 set thread context of 1944	2932	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2196 set thread context of 2320	2196	system32.exe	system32.exe
PID 2320 set thread context of 1624	2320	system32.exe	system32.exe

Modifies registry class 1 IoCs

Processes:

Quote#SO2021010197.pdf.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings Quote#SO2021010197.pdf.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

system32.exe

pid process

2320 system32.exe
2320 system32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system32.exe

description pid process

Token: SeDebugPrivilege 2320 system32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Quote#SO2021010197.pdf.exe

pid	process
2320	system32.exe
2320	system32.exe

description	pid	process
Token: SeDebugPrivilege	2320	system32.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

Quote#SO2021010197.pdf.exeQuote#SO2021010197.pdf.exeQuote#SO2021010197.pdf.exeWScript.execmd.exesystem32.exesystem32.exesystem32.exe

description	pid	process	target process
PID 644 wrote to memory of 2932	644	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 644 wrote to memory of 2932	644	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 644 wrote to memory of 2932	644	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 644 wrote to memory of 2932	644	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 644 wrote to memory of 2932	644	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 644 wrote to memory of 2932	644	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 644 wrote to memory of 2932	644	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 644 wrote to memory of 2932	644	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2932 wrote to memory of 1944	2932	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2932 wrote to memory of 1944	2932	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2932 wrote to memory of 1944	2932	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2932 wrote to memory of 1944	2932	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2932 wrote to memory of 1944	2932	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2932 wrote to memory of 1944	2932	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2932 wrote to memory of 1944	2932	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2932 wrote to memory of 1944	2932	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2932 wrote to memory of 1944	2932	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 2932 wrote to memory of 1944	2932	Quote#SO2021010197.pdf.exe	Quote#SO2021010197.pdf.exe
PID 1944 wrote to memory of 2868	1944	Quote#SO2021010197.pdf.exe	WScript.exe
PID 1944 wrote to memory of 2868	1944	Quote#SO2021010197.pdf.exe	WScript.exe
PID 1944 wrote to memory of 2868	1944	Quote#SO2021010197.pdf.exe	WScript.exe
PID 2868 wrote to memory of 2100	2868	WScript.exe	cmd.exe
PID 2868 wrote to memory of 2100	2868	WScript.exe	cmd.exe
PID 2868 wrote to memory of 2100	2868	WScript.exe	cmd.exe
PID 2100 wrote to memory of 2196	2100	cmd.exe	system32.exe
PID 2100 wrote to memory of 2196	2100	cmd.exe	system32.exe
PID 2100 wrote to memory of 2196	2100	cmd.exe	system32.exe
PID 2196 wrote to memory of 2320	2196	system32.exe	system32.exe
PID 2196 wrote to memory of 2320	2196	system32.exe	system32.exe
PID 2196 wrote to memory of 2320	2196	system32.exe	system32.exe
PID 2196 wrote to memory of 2320	2196	system32.exe	system32.exe
PID 2196 wrote to memory of 2320	2196	system32.exe	system32.exe
PID 2196 wrote to memory of 2320	2196	system32.exe	system32.exe
PID 2196 wrote to memory of 2320	2196	system32.exe	system32.exe
PID 2196 wrote to memory of 2320	2196	system32.exe	system32.exe
PID 2320 wrote to memory of 1680	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1680	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1680	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1624	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1624	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1624	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1624	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1624	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1624	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1624	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1624	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1624	2320	system32.exe	system32.exe
PID 2320 wrote to memory of 1624	2320	system32.exe	system32.exe
PID 1624 wrote to memory of 3224	1624	system32.exe	svchost.exe
PID 1624 wrote to memory of 3224	1624	system32.exe	svchost.exe
PID 1624 wrote to memory of 3224	1624	system32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe"
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote#SO2021010197.pdf.exe"
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
C:\Users\Admin\AppData\Roaming\Programs\system32.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
8⤵
- Executes dropped EXE
PID:1680

C:\Users\Admin\AppData\Roaming\Programs\system32.exe
"C:\Users\Admin\AppData\Roaming\Programs\system32.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
9⤵
PID:3224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quote#SO2021010197.pdf.exe.log

MD5
cad4f330a51860cdfed450ef21cb6e4e

SHA1
c4c74c51d71480fd0b28b445cb8dfecb338e29a1

SHA256
f8d51a4b0a2afcb5146bd405a1d8d54bba74140d2d1dac582ec3d3f7ed340820

SHA512
c40641ae2b28aa8a5f7f0a6b5904e6e362b9a8e5e9cecae85615ab9043e296682e314a0dd6559edeba7f76ae67ff21614f31a3ca1a0d45b038f93c9cdcc36fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\system32.exe.log

MD5
cad4f330a51860cdfed450ef21cb6e4e

SHA1
c4c74c51d71480fd0b28b445cb8dfecb338e29a1

SHA256
f8d51a4b0a2afcb5146bd405a1d8d54bba74140d2d1dac582ec3d3f7ed340820

SHA512
c40641ae2b28aa8a5f7f0a6b5904e6e362b9a8e5e9cecae85615ab9043e296682e314a0dd6559edeba7f76ae67ff21614f31a3ca1a0d45b038f93c9cdcc36fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
139d1ffe3f418f4794b6359f239089a2

SHA1
579f8d9c97105a2a77566de7e802a26e4a27f4c8

SHA256
7c71958fda4cff7e2ae1d9309cd4c0143057ca52732926f640252fd5a7a9a2ca

SHA512
5b806812558c28ea195326cfe800a2a41377d5e1da1fb352c2aa3d5060237a5ba544dec6f52459a9ecf55b526280c7d9c6aa8a1b8544124b288a4235eb25c2d9

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
104064d4c0b681c9a7ae1f0c00fbff49

SHA1
af273bc182f0c492520811da54165534dcf89967

SHA256
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

SHA512
2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
104064d4c0b681c9a7ae1f0c00fbff49

SHA1
af273bc182f0c492520811da54165534dcf89967

SHA256
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

SHA512
2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
104064d4c0b681c9a7ae1f0c00fbff49

SHA1
af273bc182f0c492520811da54165534dcf89967

SHA256
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

SHA512
2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
104064d4c0b681c9a7ae1f0c00fbff49

SHA1
af273bc182f0c492520811da54165534dcf89967

SHA256
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

SHA512
2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Download Submit
C:\Users\Admin\AppData\Roaming\Programs\system32.exe

MD5
104064d4c0b681c9a7ae1f0c00fbff49

SHA1
af273bc182f0c492520811da54165534dcf89967

SHA256
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a

SHA512
2e3f19c02580d678c1726b6840cf4e31c1abe5d393f7ca773a934a7ecf2bff1fdc055c60a5b4eec99338a72641aa20c7fbd5e1ad78ec6b29e72ea55fa381b225

Download Submit
memory/644-2-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/644-9-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/644-8-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/644-18-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/644-7-0x0000000001930000-0x0000000001931000-memory.dmp

Filesize
4KB

Download
memory/644-6-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/644-5-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/644-3-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1624-52-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1624-50-0x0000000000413FA4-mapping.dmp

Download
memory/1944-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1944-21-0x0000000000413FA4-mapping.dmp

Download
memory/1944-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2100-25-0x0000000000000000-mapping.dmp

Download
memory/2196-26-0x0000000000000000-mapping.dmp

Download
memory/2196-29-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2196-36-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2320-38-0x0000000010033B7E-mapping.dmp

Download
memory/2320-41-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2320-47-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/2868-23-0x0000000000000000-mapping.dmp

Download
memory/2932-19-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2932-13-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-11-0x0000000010033B7E-mapping.dmp

Download
memory/2932-10-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads