remcos | 258853d56c202ea083607ec4d523335ed00c948afbf926f3cb62b4e962531812

General

Target

VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe
Size

571KB
MD5

49fb65d6058d42c8eded715bf9029c57
SHA1

7eb2579aaae05ea1c30d2d71cd349857e725ed08
SHA256

258853d56c202ea083607ec4d523335ed00c948afbf926f3cb62b4e962531812
SHA512

d54d6fe594988e322755e177910fb815632a9e44b476a1da91c7605715de4968286f1d16e557e2baa8450c543380ceecd3d97e1ae5adea0466ad30174385b920

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

indira8923.duckdns.org:1717

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

Processes:

VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe

description	pid	process	target process
PID 1084 set thread context of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

600 schtasks.exe

pid	process
600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe

pid	process
1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe
1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe
1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

1120 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe

description pid process

Token: SeDebugPrivilege 1084 VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1120 RegSvcs.exe

pid	process
1120	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe

pid	process
1120	RegSvcs.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe

description	pid	process	target process
PID 1084 wrote to memory of 600	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	schtasks.exe
PID 1084 wrote to memory of 600	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	schtasks.exe
PID 1084 wrote to memory of 600	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	schtasks.exe
PID 1084 wrote to memory of 600	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	schtasks.exe
PID 1084 wrote to memory of 340	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 340	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 340	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 340	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 340	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 340	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 340	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe
PID 1084 wrote to memory of 1120	1084	VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe
"C:\Users\Admin\AppData\Local\Temp\VINCPORPROCEPORFRAUFIS346440007 VINCPORPROCEPORFRAUFIS346440009.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uytviDOfOOB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8EF7.tmp"
2⤵
- Creates scheduled task(s)
PID:600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8EF7.tmp
MD5
2e5518a1b1c67c07b187bdf4884bb66e

SHA1
79054ab52742e94a2b3a2f89f2a0d8a807260626

SHA256
6c2467b1fdf3dab5fdf1a704465ec5471759188a6e4186cf73a09dd87b80b17e

SHA512
a4b967d80e13b11342bd51650740958bf5a89201ccebf215ab5bd87af882c008b43ea796ea17835288620df23272f9c4f1613d7ddaee282e7389be87b6233275

Download Submit
memory/600-65-0x0000000000000000-mapping.dmp

Download
memory/1084-59-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1084-61-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1084-62-0x0000000000510000-0x0000000000515000-memory.dmp

Filesize
20KB

Download
memory/1084-63-0x0000000005960000-0x00000000059F5000-memory.dmp

Filesize
596KB

Download
memory/1084-64-0x0000000002080000-0x00000000020CB000-memory.dmp

Filesize
300KB

Download
memory/1120-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1120-68-0x0000000000413E54-mapping.dmp

Download
memory/1120-69-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1120-70-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads