remcos | 7788ed54eaa344eea1db37d5efaed03d0c8b1d811c8ad6361a448eb5d88cdbaf

General

Target

ADNOC_ RFQ Nº 100400806-02.exe
Size

1.1MB
MD5

1f5b694c435df053ef0704fd7eb0c94a
SHA1

442d0d0f9ccdbc5ed44cbaad5bd89e40a3112934
SHA256

7788ed54eaa344eea1db37d5efaed03d0c8b1d811c8ad6361a448eb5d88cdbaf
SHA512

bf48216dae6c8f5fc750c7bb11e593ef38ba8476724dfc1383d1084b2b5906901fd5ece387dec6da91fa7d2274a37e840fb1732998621f1ead345bbddab6c176

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

abino.hopto.org:2404

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

568 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2020 cmd.exe

pid	process
568	remcos.exe

pid	process
2020	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ADNOC_ RFQ Nº 100400806-02.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ADNOC_ RFQ Nº 100400806-02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	ADNOC_ RFQ Nº 100400806-02.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ADNOC_ RFQ Nº 100400806-02.exe

description pid process target process

PID 756 set thread context of 1720 756 ADNOC_ RFQ Nº 100400806-02.exe ADNOC_ RFQ Nº 100400806-02.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1884 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ADNOC_ RFQ Nº 100400806-02.exe

pid process

756 ADNOC_ RFQ Nº 100400806-02.exe
756 ADNOC_ RFQ Nº 100400806-02.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ADNOC_ RFQ Nº 100400806-02.exe

description pid process

Token: SeDebugPrivilege 756 ADNOC_ RFQ Nº 100400806-02.exe

description	pid	process	target process
PID 756 set thread context of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe

pid	process
1884	schtasks.exe

pid	process
756	ADNOC_ RFQ Nº 100400806-02.exe
756	ADNOC_ RFQ Nº 100400806-02.exe

description	pid	process
Token: SeDebugPrivilege	756	ADNOC_ RFQ Nº 100400806-02.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

ADNOC_ RFQ Nº 100400806-02.exeADNOC_ RFQ Nº 100400806-02.exeWScript.execmd.exe

description	pid	process	target process
PID 756 wrote to memory of 1884	756	ADNOC_ RFQ Nº 100400806-02.exe	schtasks.exe
PID 756 wrote to memory of 1884	756	ADNOC_ RFQ Nº 100400806-02.exe	schtasks.exe
PID 756 wrote to memory of 1884	756	ADNOC_ RFQ Nº 100400806-02.exe	schtasks.exe
PID 756 wrote to memory of 1884	756	ADNOC_ RFQ Nº 100400806-02.exe	schtasks.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 756 wrote to memory of 1720	756	ADNOC_ RFQ Nº 100400806-02.exe	ADNOC_ RFQ Nº 100400806-02.exe
PID 1720 wrote to memory of 112	1720	ADNOC_ RFQ Nº 100400806-02.exe	WScript.exe
PID 1720 wrote to memory of 112	1720	ADNOC_ RFQ Nº 100400806-02.exe	WScript.exe
PID 1720 wrote to memory of 112	1720	ADNOC_ RFQ Nº 100400806-02.exe	WScript.exe
PID 1720 wrote to memory of 112	1720	ADNOC_ RFQ Nº 100400806-02.exe	WScript.exe
PID 112 wrote to memory of 2020	112	WScript.exe	cmd.exe
PID 112 wrote to memory of 2020	112	WScript.exe	cmd.exe
PID 112 wrote to memory of 2020	112	WScript.exe	cmd.exe
PID 112 wrote to memory of 2020	112	WScript.exe	cmd.exe
PID 2020 wrote to memory of 568	2020	cmd.exe	remcos.exe
PID 2020 wrote to memory of 568	2020	cmd.exe	remcos.exe
PID 2020 wrote to memory of 568	2020	cmd.exe	remcos.exe
PID 2020 wrote to memory of 568	2020	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\ADNOC_ RFQ Nº 100400806-02.exe
"C:\Users\Admin\AppData\Local\Temp\ADNOC_ RFQ Nº 100400806-02.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nPgilW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4579.tmp"
2⤵
- Creates scheduled task(s)
PID:1884

C:\Users\Admin\AppData\Local\Temp\ADNOC_ RFQ Nº 100400806-02.exe
"C:\Users\Admin\AppData\Local\Temp\ADNOC_ RFQ Nº 100400806-02.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
PID:568

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4579.tmp
MD5
4ac470e0c72d7993d03d30bf7be0f1c4

SHA1
a922a956518c5171bfc6fe70b541eff19ec48fe1

SHA256
acea1584c0616a055002bf8c4a8d4cb37575ec4e77107a63fb64ac82dc1074b9

SHA512
7b20c91c628b4a4218145b9648f4ae8bfa0dbc46ba292f64f5f562518e41e7228b7e33e0f6def7df89b1b08ff496980b48a986535e79474a4fad846ac5cf5e74

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
1f5b694c435df053ef0704fd7eb0c94a

SHA1
442d0d0f9ccdbc5ed44cbaad5bd89e40a3112934

SHA256
7788ed54eaa344eea1db37d5efaed03d0c8b1d811c8ad6361a448eb5d88cdbaf

SHA512
bf48216dae6c8f5fc750c7bb11e593ef38ba8476724dfc1383d1084b2b5906901fd5ece387dec6da91fa7d2274a37e840fb1732998621f1ead345bbddab6c176

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
1f5b694c435df053ef0704fd7eb0c94a

SHA1
442d0d0f9ccdbc5ed44cbaad5bd89e40a3112934

SHA256
7788ed54eaa344eea1db37d5efaed03d0c8b1d811c8ad6361a448eb5d88cdbaf

SHA512
bf48216dae6c8f5fc750c7bb11e593ef38ba8476724dfc1383d1084b2b5906901fd5ece387dec6da91fa7d2274a37e840fb1732998621f1ead345bbddab6c176

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
1f5b694c435df053ef0704fd7eb0c94a

SHA1
442d0d0f9ccdbc5ed44cbaad5bd89e40a3112934

SHA256
7788ed54eaa344eea1db37d5efaed03d0c8b1d811c8ad6361a448eb5d88cdbaf

SHA512
bf48216dae6c8f5fc750c7bb11e593ef38ba8476724dfc1383d1084b2b5906901fd5ece387dec6da91fa7d2274a37e840fb1732998621f1ead345bbddab6c176

Download Submit
memory/112-71-0x0000000000000000-mapping.dmp

Download
memory/568-83-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/568-80-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/568-78-0x0000000000000000-mapping.dmp

Download
memory/756-64-0x00000000057E0000-0x0000000005891000-memory.dmp

Filesize
708KB

Download
memory/756-60-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/756-65-0x00000000058A0000-0x000000000591D000-memory.dmp

Filesize
500KB

Download
memory/756-62-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/756-63-0x0000000000440000-0x0000000000449000-memory.dmp

Filesize
36KB

Download
memory/1720-70-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1720-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1720-68-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1720-69-0x000000000042EEEF-mapping.dmp

Download
memory/1884-66-0x0000000000000000-mapping.dmp

Download
memory/2020-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads