remcos | 3f968649c02fd5ee3f14e1d30803512bebc391ceac8005e76d3be87276df10ea

General

Target

Tender Offer.doc.rtf
Size

609KB
MD5

398a7dca0715973d3a91a0383613acb6
SHA1

b5a0830f536f8a2cf50ef1b133eeac9f992e3213
SHA256

3f968649c02fd5ee3f14e1d30803512bebc391ceac8005e76d3be87276df10ea
SHA512

8e64601754da1b5b9b9a93f35ac8fd63085bec5aa8b0f67728613712b6648988d56efdb3907b05c3a19e0582cbbeeb712320cab2c57a59a3eb046582d2b43103

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

79.134.225.17:2050

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1676 EQNEDT32.EXE
Executes dropped EXE 2 IoCs

Processes:

dutyx4793.exedutyx4793.exe

pid process

1016 dutyx4793.exe
1088 dutyx4793.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1676 EQNEDT32.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

dutyx4793.exe

description pid process target process

PID 1016 set thread context of 1088 1016 dutyx4793.exe dutyx4793.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1200 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1676 EQNEDT32.EXE

flow	pid	process
7	1676	EQNEDT32.EXE

pid	process
1016	dutyx4793.exe
1088	dutyx4793.exe

pid	process
1676	EQNEDT32.EXE

description	pid	process	target process
PID 1016 set thread context of 1088	1016	dutyx4793.exe	dutyx4793.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1200	schtasks.exe

pid	process
1676	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1040 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

dutyx4793.exe

pid process

1016 dutyx4793.exe
1016 dutyx4793.exe
1016 dutyx4793.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dutyx4793.exe

description pid process

Token: SeDebugPrivilege 1016 dutyx4793.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEdutyx4793.exe

pid process

1040 WINWORD.EXE
1040 WINWORD.EXE
1088 dutyx4793.exe

pid	process
1040	WINWORD.EXE

pid	process
1016	dutyx4793.exe
1016	dutyx4793.exe
1016	dutyx4793.exe

description	pid	process
Token: SeDebugPrivilege	1016	dutyx4793.exe

pid	process
1040	WINWORD.EXE
1040	WINWORD.EXE
1088	dutyx4793.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEdutyx4793.exe

description	pid	process	target process
PID 1676 wrote to memory of 1016	1676	EQNEDT32.EXE	dutyx4793.exe
PID 1676 wrote to memory of 1016	1676	EQNEDT32.EXE	dutyx4793.exe
PID 1676 wrote to memory of 1016	1676	EQNEDT32.EXE	dutyx4793.exe
PID 1676 wrote to memory of 1016	1676	EQNEDT32.EXE	dutyx4793.exe
PID 1040 wrote to memory of 1604	1040	WINWORD.EXE	splwow64.exe
PID 1040 wrote to memory of 1604	1040	WINWORD.EXE	splwow64.exe
PID 1040 wrote to memory of 1604	1040	WINWORD.EXE	splwow64.exe
PID 1040 wrote to memory of 1604	1040	WINWORD.EXE	splwow64.exe
PID 1016 wrote to memory of 1200	1016	dutyx4793.exe	schtasks.exe
PID 1016 wrote to memory of 1200	1016	dutyx4793.exe	schtasks.exe
PID 1016 wrote to memory of 1200	1016	dutyx4793.exe	schtasks.exe
PID 1016 wrote to memory of 1200	1016	dutyx4793.exe	schtasks.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe
PID 1016 wrote to memory of 1088	1016	dutyx4793.exe	dutyx4793.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Tender Offer.doc.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1604

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\dutyx4793.exe
"C:\Users\Admin\AppData\Roaming\dutyx4793.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\augPTtA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE051.tmp"
3⤵
- Creates scheduled task(s)
PID:1200

C:\Users\Admin\AppData\Roaming\dutyx4793.exe
"C:\Users\Admin\AppData\Roaming\dutyx4793.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Exploitation for Client Execution

1

T1203

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE051.tmp
MD5
b2cab156876d9bbcd4b747b35175bb9a

SHA1
6b56f749ac0c89ca43c6f7a0b112c11c4a62eb10

SHA256
34a2dfb29061e5c27f67fce0e399df32e28e06d66d00ef162cdadeef6212dae6

SHA512
dec97d2d2619f08f4c6c3886bb85d8c77320c9ac48e4d7b385b05d3669b50f49f6ba78391eedc498c32b6e6f6d4fd14cd0780776424f246bbd60f2e9e7a176e3

Download Submit
C:\Users\Admin\AppData\Roaming\dutyx4793.exe
MD5
801f5b2e55c1168dfa6b1e6d0c8c9663

SHA1
38b46a6b87c58bf2818daba967e90f30abc7b3ce

SHA256
54b91d6b1324d8b3dec856922b4566b362535d84538297b612c5323e9230daf0

SHA512
dfbc195c9cd2eb8470cb0cea788f40009dc59055211e9f6fb2ee4333e69e51e78c815a20738c662e86e36a9bacabb4511e99d4ab535f5ad4f83747ed488052bc

Download Submit
C:\Users\Admin\AppData\Roaming\dutyx4793.exe
MD5
801f5b2e55c1168dfa6b1e6d0c8c9663

SHA1
38b46a6b87c58bf2818daba967e90f30abc7b3ce

SHA256
54b91d6b1324d8b3dec856922b4566b362535d84538297b612c5323e9230daf0

SHA512
dfbc195c9cd2eb8470cb0cea788f40009dc59055211e9f6fb2ee4333e69e51e78c815a20738c662e86e36a9bacabb4511e99d4ab535f5ad4f83747ed488052bc

Download Submit
C:\Users\Admin\AppData\Roaming\dutyx4793.exe
MD5
801f5b2e55c1168dfa6b1e6d0c8c9663

SHA1
38b46a6b87c58bf2818daba967e90f30abc7b3ce

SHA256
54b91d6b1324d8b3dec856922b4566b362535d84538297b612c5323e9230daf0

SHA512
dfbc195c9cd2eb8470cb0cea788f40009dc59055211e9f6fb2ee4333e69e51e78c815a20738c662e86e36a9bacabb4511e99d4ab535f5ad4f83747ed488052bc

Download Submit
\Users\Admin\AppData\Roaming\dutyx4793.exe
MD5
801f5b2e55c1168dfa6b1e6d0c8c9663

SHA1
38b46a6b87c58bf2818daba967e90f30abc7b3ce

SHA256
54b91d6b1324d8b3dec856922b4566b362535d84538297b612c5323e9230daf0

SHA512
dfbc195c9cd2eb8470cb0cea788f40009dc59055211e9f6fb2ee4333e69e51e78c815a20738c662e86e36a9bacabb4511e99d4ab535f5ad4f83747ed488052bc

Download Submit
memory/1016-70-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1016-78-0x000000000B5C0000-0x000000000B632000-memory.dmp

Filesize
456KB

Download
memory/1016-64-0x0000000000000000-mapping.dmp

Download
memory/1016-67-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1016-69-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/1016-75-0x0000000007600000-0x0000000007682000-memory.dmp

Filesize
520KB

Download
memory/1016-74-0x0000000005060000-0x0000000005105000-memory.dmp

Filesize
660KB

Download
memory/1040-73-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1040-59-0x0000000072491000-0x0000000072494000-memory.dmp

Filesize
12KB

Download
memory/1040-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1040-60-0x000000006FF11000-0x000000006FF13000-memory.dmp

Filesize
8KB

Download
memory/1088-79-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1088-80-0x000000000042EEEF-mapping.dmp

Download
memory/1088-83-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1200-76-0x0000000000000000-mapping.dmp

Download
memory/1604-72-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/1604-71-0x0000000000000000-mapping.dmp

Download
memory/1676-62-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads