remcos | 9c46d85d692df86280e483d3d3814b0d46f14e9469df7f4f0e53253a1e8f8e98

General

Target

NEW PURCHASE ORDER LISTED ITEMS.exe
Size

645KB
MD5

5e8ff1a9ec1192bae73ec97729e46d63
SHA1

2efd06ad72483238327a9570043159d0ab9ece34
SHA256

15acacbd5c928108c9db5e319f23e493f45c3a0c8e8b979f7e760675f916ae2b
SHA512

a083c78f12bb5d40c9141d12781d3bf013347d0345307df1d6533753b40dac5f26e8e75610bc5b84821525670af42cc4a2736ba868359548290985593453e146

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

79.134.225.49:1953

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

NEW PURCHASE ORDER LISTED ITEMS.exe

description pid process target process

PID 1748 set thread context of 1868 1748 NEW PURCHASE ORDER LISTED ITEMS.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1572 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

NEW PURCHASE ORDER LISTED ITEMS.exe

pid process

1748 NEW PURCHASE ORDER LISTED ITEMS.exe
1748 NEW PURCHASE ORDER LISTED ITEMS.exe
1748 NEW PURCHASE ORDER LISTED ITEMS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NEW PURCHASE ORDER LISTED ITEMS.exe

description pid process

Token: SeDebugPrivilege 1748 NEW PURCHASE ORDER LISTED ITEMS.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1868 vbc.exe

description	pid	process	target process
PID 1748 set thread context of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe

pid	process
1572	schtasks.exe

pid	process
1748	NEW PURCHASE ORDER LISTED ITEMS.exe
1748	NEW PURCHASE ORDER LISTED ITEMS.exe
1748	NEW PURCHASE ORDER LISTED ITEMS.exe

description	pid	process
Token: SeDebugPrivilege	1748	NEW PURCHASE ORDER LISTED ITEMS.exe

pid	process
1868	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

NEW PURCHASE ORDER LISTED ITEMS.exe

description	pid	process	target process
PID 1748 wrote to memory of 1572	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	schtasks.exe
PID 1748 wrote to memory of 1572	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	schtasks.exe
PID 1748 wrote to memory of 1572	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	schtasks.exe
PID 1748 wrote to memory of 1572	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	schtasks.exe
PID 1748 wrote to memory of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 1748 wrote to memory of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 1748 wrote to memory of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 1748 wrote to memory of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 1748 wrote to memory of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 1748 wrote to memory of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 1748 wrote to memory of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 1748 wrote to memory of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 1748 wrote to memory of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 1748 wrote to memory of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe
PID 1748 wrote to memory of 1868	1748	NEW PURCHASE ORDER LISTED ITEMS.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\NEW PURCHASE ORDER LISTED ITEMS.exe
"C:\Users\Admin\AppData\Local\Temp\NEW PURCHASE ORDER LISTED ITEMS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GiaNEJvKkikVXu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA055.tmp"
2⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA055.tmp
MD5
122b05e1619ad3316065b12d2dd246c5

SHA1
1ca7115838679e8d360ac5c0e75e49099764027c

SHA256
3a49b1fb0d14c977885222e7c6a4ba2dfd6e1270bca74c0a45e105529f4eeb19

SHA512
6b15b001cced7b2545026e7f0451757fb9fc2390587d34612d5697b2a66a50c80bdd7d7fae4c1dd96f82bc80c67f6555af9c26ae30e13a11ef3dfa1b2aecd97e

Download Submit
memory/1572-62-0x0000000000000000-mapping.dmp

Download
memory/1748-59-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1748-60-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1748-61-0x0000000000311000-0x0000000000312000-memory.dmp

Filesize
4KB

Download
memory/1868-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1868-65-0x0000000000413FA4-mapping.dmp

Download
memory/1868-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads