remcos | a86743b847fa22b82c7c17cac4c3af8684f14ba5d7ff4028f123596911ee3835

Analysis

max time kernel
149s
max time network
148s
platform
windows10_x64
resource
win10v20210410
submitted
21-04-2021 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe
Size

319KB
MD5

b400ac4dcee9fd535224fcd33224f6b1
SHA1

129db06c1a8281584e1c5440389841a4ea49ec62
SHA256

6cc2dd1c821a1d47200a054998657e3ddec7bc0cd81e4e4a7edffa3f0f3ca724
SHA512

e8fc66b31e231eed6b8a2d0e75351a719ff8d0d5b9b065cdb66fdcefe62bfa44702585523c6be0049ea601513b812efd5536e3e188a40223d9a186aaa061df35

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

blessmegod.ddns.net:3866

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Loads dropped DLL 1 IoCs

Processes:

OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe

pid process

2256 OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe

pid	process
2256	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

description	pid	process	target process
PID 2256 set thread context of 1952	2256	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe

pid process

2256 OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe

pid	process
2256	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

description	pid	process	target process
PID 2256 wrote to memory of 1952	2256	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe
PID 2256 wrote to memory of 1952	2256	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe
PID 2256 wrote to memory of 1952	2256	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe
PID 2256 wrote to memory of 1952	2256	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe	OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe

C:\Users\Admin\AppData\Local\Temp\OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe"
2⤵
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsp1351.tmp\kdzh1wlq.dll
MD5
8c66ccb054b0aef6712493b4e8a778f0

SHA1
8641231119dd7474e4fc3ebefb7ba61e619d3077

SHA256
bf79d9461d99892f78c5d7466681e39a0b97af3884853d37af69a041d7183991

SHA512
2c55ed748d4dc554f6576cd6a8332ed616a2743690b548006fb1d5858e146adad07ce383ac2010472214a8e9c0c1028e38325b2d971d7a2157b332c9dbd78547

Download Submit
memory/1952-117-0x0000000000413FA4-mapping.dmp

Download
memory/1952-118-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2256-115-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2256-116-0x0000000002D51000-0x0000000002D56000-memory.dmp

Filesize
20KB

Download