remcos | 741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e

General

Target

Query_Ref_5787533_pdf.exe
Size

957KB
MD5

0b7883cd326d76228c722b69541cb9a3
SHA1

bf513758205dda0b62084d9b9718042aad5c836c
SHA256

741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e
SHA512

2bc401cc1ce71ee9f783a67433be84dfa14d2b52715586a2a318cad51db15d3de09370a4ff580efa05935c91e5f7658794467166c5af38f65b8027d310a7b612

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

kjdes.ddns.net:6062

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

3808 remcos.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

3588 WScript.exe

pid	process
3808	remcos.exe

pid	process
3588	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Query_Ref_5787533_pdf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Query_Ref_5787533_pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	Query_Ref_5787533_pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Query_Ref_5787533_pdf.exe

description pid process target process

PID 2208 set thread context of 1132 2208 Query_Ref_5787533_pdf.exe Query_Ref_5787533_pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4076 schtasks.exe
Modifies registry class 1 IoCs

Processes:

Query_Ref_5787533_pdf.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Query_Ref_5787533_pdf.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Query_Ref_5787533_pdf.exe

pid process

2208 Query_Ref_5787533_pdf.exe
2208 Query_Ref_5787533_pdf.exe
2208 Query_Ref_5787533_pdf.exe
2208 Query_Ref_5787533_pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Query_Ref_5787533_pdf.exe

description pid process

Token: SeDebugPrivilege 2208 Query_Ref_5787533_pdf.exe

description	pid	process	target process
PID 2208 set thread context of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe

pid	process
4076	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Query_Ref_5787533_pdf.exe

pid	process
2208	Query_Ref_5787533_pdf.exe
2208	Query_Ref_5787533_pdf.exe
2208	Query_Ref_5787533_pdf.exe
2208	Query_Ref_5787533_pdf.exe

description	pid	process
Token: SeDebugPrivilege	2208	Query_Ref_5787533_pdf.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Query_Ref_5787533_pdf.exeQuery_Ref_5787533_pdf.exeWScript.execmd.exe

description	pid	process	target process
PID 2208 wrote to memory of 4076	2208	Query_Ref_5787533_pdf.exe	schtasks.exe
PID 2208 wrote to memory of 4076	2208	Query_Ref_5787533_pdf.exe	schtasks.exe
PID 2208 wrote to memory of 4076	2208	Query_Ref_5787533_pdf.exe	schtasks.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 2208 wrote to memory of 1132	2208	Query_Ref_5787533_pdf.exe	Query_Ref_5787533_pdf.exe
PID 1132 wrote to memory of 3588	1132	Query_Ref_5787533_pdf.exe	WScript.exe
PID 1132 wrote to memory of 3588	1132	Query_Ref_5787533_pdf.exe	WScript.exe
PID 1132 wrote to memory of 3588	1132	Query_Ref_5787533_pdf.exe	WScript.exe
PID 3588 wrote to memory of 3496	3588	WScript.exe	cmd.exe
PID 3588 wrote to memory of 3496	3588	WScript.exe	cmd.exe
PID 3588 wrote to memory of 3496	3588	WScript.exe	cmd.exe
PID 3496 wrote to memory of 3808	3496	cmd.exe	remcos.exe
PID 3496 wrote to memory of 3808	3496	cmd.exe	remcos.exe
PID 3496 wrote to memory of 3808	3496	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\Query_Ref_5787533_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Query_Ref_5787533_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YwDUrECuAdTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA50B.tmp"
2⤵
- Creates scheduled task(s)
PID:4076

C:\Users\Admin\AppData\Local\Temp\Query_Ref_5787533_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Query_Ref_5787533_pdf.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
PID:3808

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b296f9f1ff59fdbf02ee4324414e09e5

SHA1
31221dea05c20aacc89efd78390d1bc6ca1a3105

SHA256
eb6c18a8da55031aaea75fd038ddd78dbf309b7febdd859668d1e083a989e983

SHA512
63e0cbe2e34ec331530daf0f62f7c76ff1b0aaac88aadc25436e18e212b4628f8c1b7c17d3f7df3a2ff2b6a0bbb5a95a905b66662cedfd3a9c6b4c21f8d39c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA50B.tmp
MD5
b4cb918564828be2392b7b59fd4dd24f

SHA1
1c173d546b6ae2ba23f50e3904eb43091f091969

SHA256
50d0d863440f31f28a5f511e02003bdd29eda1098dc30e27e4323462cf441b9e

SHA512
b3a95fd421d1fb01cb52404b4fe09951ad21279eb857b899d3a175284a7a721693d6d61935ae5f6117fac9d2a8472748798e0587e452fc99f2d4f9c70dce3182

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
0b7883cd326d76228c722b69541cb9a3

SHA1
bf513758205dda0b62084d9b9718042aad5c836c

SHA256
741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e

SHA512
2bc401cc1ce71ee9f783a67433be84dfa14d2b52715586a2a318cad51db15d3de09370a4ff580efa05935c91e5f7658794467166c5af38f65b8027d310a7b612

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
0b7883cd326d76228c722b69541cb9a3

SHA1
bf513758205dda0b62084d9b9718042aad5c836c

SHA256
741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e

SHA512
2bc401cc1ce71ee9f783a67433be84dfa14d2b52715586a2a318cad51db15d3de09370a4ff580efa05935c91e5f7658794467166c5af38f65b8027d310a7b612

Download Submit
memory/1132-130-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1132-126-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1132-127-0x000000000042EEEF-mapping.dmp

Download
memory/2208-117-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/2208-121-0x0000000005AD0000-0x0000000005AD9000-memory.dmp

Filesize
36KB

Download
memory/2208-122-0x0000000007D00000-0x0000000007DB6000-memory.dmp

Filesize
728KB

Download
memory/2208-123-0x000000000A3A0000-0x000000000A425000-memory.dmp

Filesize
532KB

Download
memory/2208-116-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/2208-119-0x0000000005850000-0x0000000005D4E000-memory.dmp

Filesize
5.0MB

Download
memory/2208-120-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/2208-118-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/2208-114-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3496-131-0x0000000000000000-mapping.dmp

Download
memory/3588-128-0x0000000000000000-mapping.dmp

Download
memory/3808-132-0x0000000000000000-mapping.dmp

Download
memory/3808-142-0x0000000004D50000-0x0000000004DE2000-memory.dmp

Filesize
584KB

Download
memory/4076-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads