remcos | 9c46d85d692df86280e483d3d3814b0d46f14e9469df7f4f0e53253a1e8f8e98

General

Target

NEW PURCHASE ORDER LISTED ITEMS.exe
Size

645KB
MD5

5e8ff1a9ec1192bae73ec97729e46d63
SHA1

2efd06ad72483238327a9570043159d0ab9ece34
SHA256

15acacbd5c928108c9db5e319f23e493f45c3a0c8e8b979f7e760675f916ae2b
SHA512

a083c78f12bb5d40c9141d12781d3bf013347d0345307df1d6533753b40dac5f26e8e75610bc5b84821525670af42cc4a2736ba868359548290985593453e146

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

79.134.225.49:1953

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

NEW PURCHASE ORDER LISTED ITEMS.exe

description pid process target process

PID 4020 set thread context of 3728 4020 NEW PURCHASE ORDER LISTED ITEMS.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1324 schtasks.exe

description	pid	process	target process
PID 4020 set thread context of 3728	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe

pid	process
1324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

NEW PURCHASE ORDER LISTED ITEMS.exe

pid	process
4020	NEW PURCHASE ORDER LISTED ITEMS.exe
4020	NEW PURCHASE ORDER LISTED ITEMS.exe
4020	NEW PURCHASE ORDER LISTED ITEMS.exe
4020	NEW PURCHASE ORDER LISTED ITEMS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NEW PURCHASE ORDER LISTED ITEMS.exe

description pid process

Token: SeDebugPrivilege 4020 NEW PURCHASE ORDER LISTED ITEMS.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

3728 vbc.exe

description	pid	process
Token: SeDebugPrivilege	4020	NEW PURCHASE ORDER LISTED ITEMS.exe

pid	process
3728	vbc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

NEW PURCHASE ORDER LISTED ITEMS.exe

description	pid	process	target process
PID 4020 wrote to memory of 1324	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	schtasks.exe
PID 4020 wrote to memory of 1324	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	schtasks.exe
PID 4020 wrote to memory of 1324	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	schtasks.exe
PID 4020 wrote to memory of 3728	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 4020 wrote to memory of 3728	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 4020 wrote to memory of 3728	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 4020 wrote to memory of 3728	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 4020 wrote to memory of 3728	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 4020 wrote to memory of 3728	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 4020 wrote to memory of 3728	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 4020 wrote to memory of 3728	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 4020 wrote to memory of 3728	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 4020 wrote to memory of 3728	4020	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\NEW PURCHASE ORDER LISTED ITEMS.exe
"C:\Users\Admin\AppData\Local\Temp\NEW PURCHASE ORDER LISTED ITEMS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GiaNEJvKkikVXu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA28A.tmp"
2⤵
- Creates scheduled task(s)
PID:1324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA28A.tmp
MD5
9d14f3a2a9bb4a39c9c1a24a869555bd

SHA1
deb3ab33d2ba85a12920486c49430e93bb527e03

SHA256
4581034769ff4de9112b0a108b18f8436bcc9f2158b2c2e3439c0d3da66fcfa1

SHA512
0f34db798c8b28796ae5d9fc039ac4f772d94c88b7d34327673374d743bc77af26f3766112f42db6a5d33f879adf7b399bc07fe6f7fe5c9d6444e71e0b614593

Download Submit
memory/1324-116-0x0000000000000000-mapping.dmp

Download
memory/3728-118-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3728-119-0x0000000000413FA4-mapping.dmp

Download
memory/3728-120-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4020-114-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/4020-115-0x0000000002611000-0x0000000002612000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads