remcos | 39fc3bd4df8f4ef4f7ceaa9d41626bf066fa423db69713eaf3105e4bf97fc3da

General

Target

RR.exe
Size

803KB
MD5

f31d91bf0dde9b21c9ab64883fe5e022
SHA1

675362cb546323a38842f3dbd000def375f9760f
SHA256

39fc3bd4df8f4ef4f7ceaa9d41626bf066fa423db69713eaf3105e4bf97fc3da
SHA512

0f4e66006d71f37b2179d67a905923868ef0832aefa1929e7d9d0fa9d4ef7278d7509579463ff7b3a3d6f3992f4816c2e82975df5c4ed982d4b1ed6b06071ab9

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

shahzad73.ddns.net:2404

shahzad73.casacam.net:2404

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

RR.exe

description pid process target process

PID 2020 set thread context of 804 2020 RR.exe RR.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2004 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RR.exe

pid process

804 RR.exe

description	pid	process	target process
PID 2020 set thread context of 804	2020	RR.exe	RR.exe

pid	process
2004	schtasks.exe

pid	process
804	RR.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

RR.exe

description	pid	process	target process
PID 2020 wrote to memory of 2004	2020	RR.exe	schtasks.exe
PID 2020 wrote to memory of 2004	2020	RR.exe	schtasks.exe
PID 2020 wrote to memory of 2004	2020	RR.exe	schtasks.exe
PID 2020 wrote to memory of 2004	2020	RR.exe	schtasks.exe
PID 2020 wrote to memory of 804	2020	RR.exe	RR.exe
PID 2020 wrote to memory of 804	2020	RR.exe	RR.exe
PID 2020 wrote to memory of 804	2020	RR.exe	RR.exe
PID 2020 wrote to memory of 804	2020	RR.exe	RR.exe
PID 2020 wrote to memory of 804	2020	RR.exe	RR.exe
PID 2020 wrote to memory of 804	2020	RR.exe	RR.exe
PID 2020 wrote to memory of 804	2020	RR.exe	RR.exe
PID 2020 wrote to memory of 804	2020	RR.exe	RR.exe
PID 2020 wrote to memory of 804	2020	RR.exe	RR.exe
PID 2020 wrote to memory of 804	2020	RR.exe	RR.exe
PID 2020 wrote to memory of 804	2020	RR.exe	RR.exe

C:\Users\Admin\AppData\Local\Temp\RR.exe
"C:\Users\Admin\AppData\Local\Temp\RR.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eHVFQKLt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2BC.tmp"
2⤵
- Creates scheduled task(s)
PID:2004

C:\Users\Admin\AppData\Local\Temp\RR.exe
"{path}"
2⤵
- Suspicious use of SetWindowsHookEx
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB2BC.tmp
MD5
29343dc94bf2f557c4c73f17ae786939

SHA1
07c563e2a828664eddb82cc5feb1e10c264469e6

SHA256
740314429b3f42e275af31d887fd7b4a6f0b3599ade2aeee7420c33127d1a245

SHA512
02e2946e1aa9935e07bd97f3e0a5711a59455ef37273da4d3f4f1670090bb5dff78bb8994b9143ef6543ce8213d3daf108a40cada5d6e47d569de5419c33f839

Download Submit
memory/804-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/804-69-0x0000000000413FA4-mapping.dmp

Download
memory/804-70-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/804-71-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2004-66-0x0000000000000000-mapping.dmp

Download
memory/2020-60-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/2020-62-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/2020-63-0x00000000004F0000-0x00000000004F5000-memory.dmp

Filesize
20KB

Download
memory/2020-64-0x0000000008200000-0x00000000082A5000-memory.dmp

Filesize
660KB

Download
memory/2020-65-0x0000000000E20000-0x0000000000E7C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads