remcos | 27a607812f2e113484b27f50f1337cad704713a356fb24a74103d8ef027da16d

General

Target

fhp2piUs5eKb4j2.exe
Size

1.3MB
MD5

b934c95a53feaa1acd4ab5ca1bb04a2c
SHA1

9adccdb7dbc4f5ad466855da3678df8a967afadc
SHA256

27a607812f2e113484b27f50f1337cad704713a356fb24a74103d8ef027da16d
SHA512

c29c14295f84a207fb3b80e75eb7fe7702f2f29b65e8406fe898907770f57f631db03c83b85d7a1e3fa88605a85d1f5231a4f17831ad9d98ba4e3d80b2ae97eb

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

C2

217.138.212.58:52667

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

2516 remcos.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

2284 WScript.exe

pid	process
2516	remcos.exe

pid	process
2284	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fhp2piUs5eKb4j2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fhp2piUs5eKb4j2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	fhp2piUs5eKb4j2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fhp2piUs5eKb4j2.exe

description pid process target process

PID 3944 set thread context of 3108 3944 fhp2piUs5eKb4j2.exe fhp2piUs5eKb4j2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3972 schtasks.exe
Modifies registry class 1 IoCs

Processes:

fhp2piUs5eKb4j2.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings fhp2piUs5eKb4j2.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1960 reg.exe

description	pid	process	target process
PID 3944 set thread context of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe

pid	process
3972	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	fhp2piUs5eKb4j2.exe

pid	process
1960	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

fhp2piUs5eKb4j2.exepowershell.exepowershell.exepowershell.exe

pid	process
3944	fhp2piUs5eKb4j2.exe
3944	fhp2piUs5eKb4j2.exe
3944	fhp2piUs5eKb4j2.exe
3600	powershell.exe
3840	powershell.exe
2872	powershell.exe
3600	powershell.exe
3840	powershell.exe
2872	powershell.exe
3840	powershell.exe
3600	powershell.exe
2872	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fhp2piUs5eKb4j2.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3944	fhp2piUs5eKb4j2.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

fhp2piUs5eKb4j2.exefhp2piUs5eKb4j2.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 3944 wrote to memory of 3600	3944	fhp2piUs5eKb4j2.exe	powershell.exe
PID 3944 wrote to memory of 3600	3944	fhp2piUs5eKb4j2.exe	powershell.exe
PID 3944 wrote to memory of 3600	3944	fhp2piUs5eKb4j2.exe	powershell.exe
PID 3944 wrote to memory of 3840	3944	fhp2piUs5eKb4j2.exe	powershell.exe
PID 3944 wrote to memory of 3840	3944	fhp2piUs5eKb4j2.exe	powershell.exe
PID 3944 wrote to memory of 3840	3944	fhp2piUs5eKb4j2.exe	powershell.exe
PID 3944 wrote to memory of 3972	3944	fhp2piUs5eKb4j2.exe	schtasks.exe
PID 3944 wrote to memory of 3972	3944	fhp2piUs5eKb4j2.exe	schtasks.exe
PID 3944 wrote to memory of 3972	3944	fhp2piUs5eKb4j2.exe	schtasks.exe
PID 3944 wrote to memory of 2872	3944	fhp2piUs5eKb4j2.exe	powershell.exe
PID 3944 wrote to memory of 2872	3944	fhp2piUs5eKb4j2.exe	powershell.exe
PID 3944 wrote to memory of 2872	3944	fhp2piUs5eKb4j2.exe	powershell.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3944 wrote to memory of 3108	3944	fhp2piUs5eKb4j2.exe	fhp2piUs5eKb4j2.exe
PID 3108 wrote to memory of 500	3108	fhp2piUs5eKb4j2.exe	cmd.exe
PID 3108 wrote to memory of 500	3108	fhp2piUs5eKb4j2.exe	cmd.exe
PID 3108 wrote to memory of 500	3108	fhp2piUs5eKb4j2.exe	cmd.exe
PID 3108 wrote to memory of 2284	3108	fhp2piUs5eKb4j2.exe	WScript.exe
PID 3108 wrote to memory of 2284	3108	fhp2piUs5eKb4j2.exe	WScript.exe
PID 3108 wrote to memory of 2284	3108	fhp2piUs5eKb4j2.exe	WScript.exe
PID 500 wrote to memory of 1960	500	cmd.exe	reg.exe
PID 500 wrote to memory of 1960	500	cmd.exe	reg.exe
PID 500 wrote to memory of 1960	500	cmd.exe	reg.exe
PID 2284 wrote to memory of 188	2284	WScript.exe	cmd.exe
PID 2284 wrote to memory of 188	2284	WScript.exe	cmd.exe
PID 2284 wrote to memory of 188	2284	WScript.exe	cmd.exe
PID 188 wrote to memory of 2516	188	cmd.exe	remcos.exe
PID 188 wrote to memory of 2516	188	cmd.exe	remcos.exe
PID 188 wrote to memory of 2516	188	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\fhp2piUs5eKb4j2.exe
"C:\Users\Admin\AppData\Local\Temp\fhp2piUs5eKb4j2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fhp2piUs5eKb4j2.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hmZZhC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmZZhC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA39.tmp"
2⤵
- Creates scheduled task(s)
PID:3972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hmZZhC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Users\Admin\AppData\Local\Temp\fhp2piUs5eKb4j2.exe
"C:\Users\Admin\AppData\Local\Temp\fhp2piUs5eKb4j2.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:1960

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:188

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
PID:2516

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5f5aef33632d209f7b11ce5a6470252e

SHA1
4c10b472628c0d713d50bcd07795498813a3ef71

SHA256
daecd8c1dac960fa1b4df7ef52e37fa209aa36e017cfb35dd7e30bedeec4ff64

SHA512
f538d5ea79d0f6009cf0f864430f277c6bf1bbcb98197e8a056713846bb16003490695aaa643540b4a33887ecfd26e50ce56eaf8af17d5236537265a1e6ce244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ef2b3c837127220e7cdb1d61fa0ff626

SHA1
159c8b8bb0413b008d970d05c16e54bf716baa79

SHA256
856750bc7053ad648b0dba0a97eefdfb6354dd29c687b5f318156c414f9c5e14

SHA512
d6d406ab1fea21d504b932d78ab796fbccdf36e4ef2d9504bbba04e29dd9ced0ea5ed9cdc9ec92e4824dc76d082d70b059d95302fd243a4387bd6adc49b4e452

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
31137d520746be86e2355c5bf4b1b86d

SHA1
a68c1df5be5f07f4fd3a1dcc5c31b6bf671e20f7

SHA256
d865d578b3632369ed25255247b5357b77c562692a0d084491b4eb32c12a6722

SHA512
8321e3f9478484b02b05ca665f4eacd429663dc32965d588bbf94feac3a62187b1c7795acb243540fe1f9804946c538ab58c71256be256d1dc1e40b8a04a529c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA39.tmp
MD5
6d91f0e3d3acd3c797d43cc1b82183e8

SHA1
23cefbbf277031825396d6b716d0e4e8c9b19d25

SHA256
09a8ae3980bb5eaf773ffde5c76562c86cac67f82b6b1cb9381ff953ea886479

SHA512
9014c67207dfc2b83271955e0b07c04e09ea5244d8fdf7ec1008b13d8e42575ff2ebc7ec16c1dbebd08d3afa076a480b1a3382808ac454254c141516b8e0a28f

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
b934c95a53feaa1acd4ab5ca1bb04a2c

SHA1
9adccdb7dbc4f5ad466855da3678df8a967afadc

SHA256
27a607812f2e113484b27f50f1337cad704713a356fb24a74103d8ef027da16d

SHA512
c29c14295f84a207fb3b80e75eb7fe7702f2f29b65e8406fe898907770f57f631db03c83b85d7a1e3fa88605a85d1f5231a4f17831ad9d98ba4e3d80b2ae97eb

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
b934c95a53feaa1acd4ab5ca1bb04a2c

SHA1
9adccdb7dbc4f5ad466855da3678df8a967afadc

SHA256
27a607812f2e113484b27f50f1337cad704713a356fb24a74103d8ef027da16d

SHA512
c29c14295f84a207fb3b80e75eb7fe7702f2f29b65e8406fe898907770f57f631db03c83b85d7a1e3fa88605a85d1f5231a4f17831ad9d98ba4e3d80b2ae97eb

Download Submit
memory/188-175-0x0000000000000000-mapping.dmp

Download
memory/500-145-0x0000000000000000-mapping.dmp

Download
memory/1960-170-0x0000000000000000-mapping.dmp

Download
memory/2284-157-0x0000000000000000-mapping.dmp

Download
memory/2516-183-0x0000000000000000-mapping.dmp

Download
memory/2516-198-0x0000000004FB0000-0x00000000054AE000-memory.dmp

Filesize
5.0MB

Download
memory/2872-155-0x0000000006472000-0x0000000006473000-memory.dmp

Filesize
4KB

Download
memory/2872-205-0x0000000006473000-0x0000000006474000-memory.dmp

Filesize
4KB

Download
memory/2872-160-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/2872-203-0x000000007ED20000-0x000000007ED21000-memory.dmp

Filesize
4KB

Download
memory/2872-137-0x0000000000000000-mapping.dmp

Download
memory/3108-159-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3108-142-0x000000000042EEEF-mapping.dmp

Download
memory/3108-141-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3600-168-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/3600-130-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/3600-206-0x0000000002BA3000-0x0000000002BA4000-memory.dmp

Filesize
4KB

Download
memory/3600-152-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/3600-153-0x0000000002BA2000-0x0000000002BA3000-memory.dmp

Filesize
4KB

Download
memory/3600-201-0x000000007E930000-0x000000007E931000-memory.dmp

Filesize
4KB

Download
memory/3600-125-0x0000000000000000-mapping.dmp

Download
memory/3600-171-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/3600-166-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/3600-132-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/3840-156-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/3840-143-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/3840-140-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/3840-126-0x0000000000000000-mapping.dmp

Download
memory/3840-138-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/3840-147-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/3840-158-0x0000000006C42000-0x0000000006C43000-memory.dmp

Filesize
4KB

Download
memory/3840-204-0x0000000006C43000-0x0000000006C44000-memory.dmp

Filesize
4KB

Download
memory/3840-202-0x000000007E6A0000-0x000000007E6A1000-memory.dmp

Filesize
4KB

Download
memory/3944-122-0x00000000055B0000-0x0000000005AAE000-memory.dmp

Filesize
5.0MB

Download
memory/3944-121-0x00000000056A0000-0x00000000056A9000-memory.dmp

Filesize
36KB

Download
memory/3944-123-0x0000000006230000-0x00000000062DF000-memory.dmp

Filesize
700KB

Download
memory/3944-120-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/3944-119-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/3944-124-0x0000000008770000-0x00000000087E8000-memory.dmp

Filesize
480KB

Download
memory/3944-114-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3944-118-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/3944-117-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/3944-116-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/3972-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads