remcos | 741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e

General

Target

Query_Ref_5787533_pdf.exe
Size

957KB
MD5

0b7883cd326d76228c722b69541cb9a3
SHA1

bf513758205dda0b62084d9b9718042aad5c836c
SHA256

741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e
SHA512

2bc401cc1ce71ee9f783a67433be84dfa14d2b52715586a2a318cad51db15d3de09370a4ff580efa05935c91e5f7658794467166c5af38f65b8027d310a7b612

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

kjdes.ddns.net:6062

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

1520 remcos.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1016 WScript.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1636 cmd.exe

pid	process
1520	remcos.exe

pid	process
1016	WScript.exe

pid	process
1636	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Query_Ref_5787533_pdf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Query_Ref_5787533_pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	Query_Ref_5787533_pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Query_Ref_5787533_pdf.exe

description pid process target process

PID 452 set thread context of 816 452 Query_Ref_5787533_pdf.exe Query_Ref_5787533_pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

676 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Query_Ref_5787533_pdf.exe

pid process

452 Query_Ref_5787533_pdf.exe
452 Query_Ref_5787533_pdf.exe
452 Query_Ref_5787533_pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Query_Ref_5787533_pdf.exe

description pid process

Token: SeDebugPrivilege 452 Query_Ref_5787533_pdf.exe

description	pid	process	target process
PID 452 set thread context of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe

pid	process
676	schtasks.exe

pid	process
452	Query_Ref_5787533_pdf.exe
452	Query_Ref_5787533_pdf.exe
452	Query_Ref_5787533_pdf.exe

description	pid	process
Token: SeDebugPrivilege	452	Query_Ref_5787533_pdf.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

Query_Ref_5787533_pdf.exeQuery_Ref_5787533_pdf.exeWScript.execmd.exe

description	pid	process	target process
PID 452 wrote to memory of 676	452	Query_Ref_5787533_pdf.exe	schtasks.exe
PID 452 wrote to memory of 676	452	Query_Ref_5787533_pdf.exe	schtasks.exe
PID 452 wrote to memory of 676	452	Query_Ref_5787533_pdf.exe	schtasks.exe
PID 452 wrote to memory of 676	452	Query_Ref_5787533_pdf.exe	schtasks.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 452 wrote to memory of 816	452	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 816 wrote to memory of 1016	816	Query_Ref_5787533_pdf.exe	WScript.exe
PID 816 wrote to memory of 1016	816	Query_Ref_5787533_pdf.exe	WScript.exe
PID 816 wrote to memory of 1016	816	Query_Ref_5787533_pdf.exe	WScript.exe
PID 816 wrote to memory of 1016	816	Query_Ref_5787533_pdf.exe	WScript.exe
PID 1016 wrote to memory of 1636	1016	WScript.exe	cmd.exe
PID 1016 wrote to memory of 1636	1016	WScript.exe	cmd.exe
PID 1016 wrote to memory of 1636	1016	WScript.exe	cmd.exe
PID 1016 wrote to memory of 1636	1016	WScript.exe	cmd.exe
PID 1636 wrote to memory of 1520	1636	cmd.exe	remcos.exe
PID 1636 wrote to memory of 1520	1636	cmd.exe	remcos.exe
PID 1636 wrote to memory of 1520	1636	cmd.exe	remcos.exe
PID 1636 wrote to memory of 1520	1636	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\Query_Ref_5787533_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Query_Ref_5787533_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YwDUrECuAdTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA026.tmp"
2⤵
- Creates scheduled task(s)
PID:676

C:\Users\Admin\AppData\Local\Temp\Query_Ref_5787533_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Query_Ref_5787533_pdf.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
PID:1520

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b296f9f1ff59fdbf02ee4324414e09e5

SHA1
31221dea05c20aacc89efd78390d1bc6ca1a3105

SHA256
eb6c18a8da55031aaea75fd038ddd78dbf309b7febdd859668d1e083a989e983

SHA512
63e0cbe2e34ec331530daf0f62f7c76ff1b0aaac88aadc25436e18e212b4628f8c1b7c17d3f7df3a2ff2b6a0bbb5a95a905b66662cedfd3a9c6b4c21f8d39c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA026.tmp
MD5
aaf597073639b958600e71a7de863f07

SHA1
47d98a2fbe9ca16d67df25d23ce74d159f40f365

SHA256
42005de8a587718594e45c1ab2b8a7b9138d3e289b006e98688c848ebd7e4357

SHA512
c867d66cae1fe2535dc189521df2bc876d926012df7c55f21a9f9ee0cf73874c29dcb9313bfad0216dfdc12eb867a5815b5a5f369ea5be3465c761a7eaecc40d

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
0b7883cd326d76228c722b69541cb9a3

SHA1
bf513758205dda0b62084d9b9718042aad5c836c

SHA256
741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e

SHA512
2bc401cc1ce71ee9f783a67433be84dfa14d2b52715586a2a318cad51db15d3de09370a4ff580efa05935c91e5f7658794467166c5af38f65b8027d310a7b612

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
0b7883cd326d76228c722b69541cb9a3

SHA1
bf513758205dda0b62084d9b9718042aad5c836c

SHA256
741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e

SHA512
2bc401cc1ce71ee9f783a67433be84dfa14d2b52715586a2a318cad51db15d3de09370a4ff580efa05935c91e5f7658794467166c5af38f65b8027d310a7b612

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
0b7883cd326d76228c722b69541cb9a3

SHA1
bf513758205dda0b62084d9b9718042aad5c836c

SHA256
741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e

SHA512
2bc401cc1ce71ee9f783a67433be84dfa14d2b52715586a2a318cad51db15d3de09370a4ff580efa05935c91e5f7658794467166c5af38f65b8027d310a7b612

Download Submit
memory/452-62-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/452-63-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/452-64-0x00000000052E0000-0x0000000005396000-memory.dmp

Filesize
728KB

Download
memory/452-65-0x0000000004DB0000-0x0000000004E35000-memory.dmp

Filesize
532KB

Download
memory/452-60-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/676-66-0x0000000000000000-mapping.dmp

Download
memory/816-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/816-70-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/816-69-0x000000000042EEEF-mapping.dmp

Download
memory/816-68-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1016-71-0x0000000000000000-mapping.dmp

Download
memory/1520-78-0x0000000000000000-mapping.dmp

Download
memory/1520-80-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1520-83-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1636-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads