remcos | 0d0f9ca99e1de30499a97020eb01a4cda5744eadff4faf56a79f8080c515002c

General

Target

a7cQje0wGxiZkwL.exe
Size

1.1MB
MD5

366d029855541c19d5951ac825e04a33
SHA1

43cc316caf1cd9d3f53e0a81ef6baf0b58b8ec1b
SHA256

0d0f9ca99e1de30499a97020eb01a4cda5744eadff4faf56a79f8080c515002c
SHA512

fbc9ad9f3d475e208ec526b5f1c3c7b7c9c21b98c732947d041b23784473e87dbb4c091a57250eb1412a95f821382fd4aa21941e6c136ac6ab402dde8f5a70b2

Score

10^/10

remcos evasion rat trojan

Malware Config

Extracted

Family

remcos

C2

217.138.212.58:52667

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Suspicious use of SetThreadContext 1 IoCs

Processes:

a7cQje0wGxiZkwL.exe

description pid process target process

PID 2208 set thread context of 3568 2208 a7cQje0wGxiZkwL.exe a7cQje0wGxiZkwL.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2988 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2696 reg.exe

description	pid	process	target process
PID 2208 set thread context of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe

pid	process
2988	schtasks.exe

pid	process
2696	reg.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

a7cQje0wGxiZkwL.exepowershell.exepowershell.exepowershell.exe

pid	process
2208	a7cQje0wGxiZkwL.exe
2208	a7cQje0wGxiZkwL.exe
2208	a7cQje0wGxiZkwL.exe
1184	powershell.exe
2404	powershell.exe
2208	a7cQje0wGxiZkwL.exe
1292	powershell.exe
1184	powershell.exe
2404	powershell.exe
1292	powershell.exe
1292	powershell.exe
2404	powershell.exe
1184	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a7cQje0wGxiZkwL.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2208	a7cQje0wGxiZkwL.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a7cQje0wGxiZkwL.exe

pid process

3568 a7cQje0wGxiZkwL.exe

pid	process
3568	a7cQje0wGxiZkwL.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

a7cQje0wGxiZkwL.exea7cQje0wGxiZkwL.execmd.exe

description	pid	process	target process
PID 2208 wrote to memory of 1184	2208	a7cQje0wGxiZkwL.exe	powershell.exe
PID 2208 wrote to memory of 1184	2208	a7cQje0wGxiZkwL.exe	powershell.exe
PID 2208 wrote to memory of 1184	2208	a7cQje0wGxiZkwL.exe	powershell.exe
PID 2208 wrote to memory of 2404	2208	a7cQje0wGxiZkwL.exe	powershell.exe
PID 2208 wrote to memory of 2404	2208	a7cQje0wGxiZkwL.exe	powershell.exe
PID 2208 wrote to memory of 2404	2208	a7cQje0wGxiZkwL.exe	powershell.exe
PID 2208 wrote to memory of 2988	2208	a7cQje0wGxiZkwL.exe	schtasks.exe
PID 2208 wrote to memory of 2988	2208	a7cQje0wGxiZkwL.exe	schtasks.exe
PID 2208 wrote to memory of 2988	2208	a7cQje0wGxiZkwL.exe	schtasks.exe
PID 2208 wrote to memory of 1292	2208	a7cQje0wGxiZkwL.exe	powershell.exe
PID 2208 wrote to memory of 1292	2208	a7cQje0wGxiZkwL.exe	powershell.exe
PID 2208 wrote to memory of 1292	2208	a7cQje0wGxiZkwL.exe	powershell.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 2208 wrote to memory of 3568	2208	a7cQje0wGxiZkwL.exe	a7cQje0wGxiZkwL.exe
PID 3568 wrote to memory of 2652	3568	a7cQje0wGxiZkwL.exe	cmd.exe
PID 3568 wrote to memory of 2652	3568	a7cQje0wGxiZkwL.exe	cmd.exe
PID 3568 wrote to memory of 2652	3568	a7cQje0wGxiZkwL.exe	cmd.exe
PID 2652 wrote to memory of 2696	2652	cmd.exe	reg.exe
PID 2652 wrote to memory of 2696	2652	cmd.exe	reg.exe
PID 2652 wrote to memory of 2696	2652	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\a7cQje0wGxiZkwL.exe
"C:\Users\Admin\AppData\Local\Temp\a7cQje0wGxiZkwL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a7cQje0wGxiZkwL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RdavlHklkSi.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdavlHklkSi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9CBE.tmp"
2⤵
- Creates scheduled task(s)
PID:2988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RdavlHklkSi.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Users\Admin\AppData\Local\Temp\a7cQje0wGxiZkwL.exe
"C:\Users\Admin\AppData\Local\Temp\a7cQje0wGxiZkwL.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
11ce2ab2e76708925b9dafea955c802b

SHA1
77be28b05848020f9cabc14938f07734d78c5e89

SHA256
abb5a27ab29d1cd7820261ca74b56747245746e1fa4adf76289a57df7ed09826

SHA512
90861254dd94cae23da2c8108395ed3004f28e85696020a0cb2e7adbd57ae5d701d79818a2f7c3399344af87cf09906697cc3d4906a69b912d3d711bedcc1a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CBE.tmp
MD5
806e072897149c5d915017261c68153d

SHA1
da6336a10f70a90fc8aacfcf34d0d30bb8801b39

SHA256
f23946ca6d26a4f2b0ee6bde249fb2fc8e824161660863aedf9152219102b981

SHA512
5d15fa4d1b88585d4bc422d58015b3560227b6a56fdcdc6cf84ea773c8a00233eb19d071a52e4f6a70d2a983ab691a05ca84d177b7cbb62f732cb9bcc9c4d634

Download Submit
memory/1184-143-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/1184-198-0x0000000007073000-0x0000000007074000-memory.dmp

Filesize
4KB

Download
memory/1184-166-0x0000000008760000-0x0000000008761000-memory.dmp

Filesize
4KB

Download
memory/1184-196-0x000000007F590000-0x000000007F591000-memory.dmp

Filesize
4KB

Download
memory/1184-154-0x0000000007072000-0x0000000007073000-memory.dmp

Filesize
4KB

Download
memory/1184-153-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/1184-124-0x0000000000000000-mapping.dmp

Download
memory/1184-141-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/1184-164-0x0000000007D20000-0x0000000007D21000-memory.dmp

Filesize
4KB

Download
memory/1184-128-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1184-130-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/1184-139-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/1184-136-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/1292-137-0x0000000000000000-mapping.dmp

Download
memory/1292-194-0x000000007F640000-0x000000007F641000-memory.dmp

Filesize
4KB

Download
memory/1292-199-0x00000000073F3000-0x00000000073F4000-memory.dmp

Filesize
4KB

Download
memory/1292-162-0x00000000073F2000-0x00000000073F3000-memory.dmp

Filesize
4KB

Download
memory/1292-193-0x0000000009AB0000-0x0000000009AE3000-memory.dmp

Filesize
204KB

Download
memory/1292-161-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/2208-117-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/2208-123-0x000000000A280000-0x000000000A2F7000-memory.dmp

Filesize
476KB

Download
memory/2208-122-0x0000000001890000-0x000000000193C000-memory.dmp

Filesize
688KB

Download
memory/2208-121-0x0000000005EB0000-0x0000000005EB6000-memory.dmp

Filesize
24KB

Download
memory/2208-114-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/2208-118-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/2208-116-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

Filesize
4KB

Download
memory/2208-119-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/2208-120-0x00000000059C0000-0x0000000005EBE000-memory.dmp

Filesize
5.0MB

Download
memory/2404-127-0x0000000000000000-mapping.dmp

Download
memory/2404-170-0x00000000080A0000-0x00000000080A1000-memory.dmp

Filesize
4KB

Download
memory/2404-157-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/2404-195-0x000000007F320000-0x000000007F321000-memory.dmp

Filesize
4KB

Download
memory/2404-159-0x0000000006BB2000-0x0000000006BB3000-memory.dmp

Filesize
4KB

Download
memory/2404-197-0x0000000006BB3000-0x0000000006BB4000-memory.dmp

Filesize
4KB

Download
memory/2652-142-0x0000000000000000-mapping.dmp

Download
memory/2696-163-0x0000000000000000-mapping.dmp

Download
memory/2988-129-0x0000000000000000-mapping.dmp

Download
memory/3568-160-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3568-140-0x000000000042EEEF-mapping.dmp

Download
memory/3568-138-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads