remcos | 4bf0ad56b4d4a1f43e87c408340097995d6542d744b4af5c51aba1c1fefe5d7b

General

Target

CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe
Size

733KB
MD5

1eb8fa1f2c8605c2d5db68008086757e
SHA1

d2d8e51076f4f98fb012e01066fceae5eb15836c
SHA256

4bf0ad56b4d4a1f43e87c408340097995d6542d744b4af5c51aba1c1fefe5d7b
SHA512

0d1e6bcdbdb9e09b2ed1379db0770c8fc4733e6d64bbaba1eb6caef4dc7eb524ad0964c0fe8b93a838e0dd31c566275339f1bd3596347134fe528c1d6616e560

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

romancito24.duckdns.org:1717

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

Processes:

CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe

description	pid	process	target process
PID 1992 set thread context of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1468 schtasks.exe

pid	process
1468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe

pid	process
1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe
1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe
1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe

description pid process

Token: SeDebugPrivilege 1992 CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

928 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe

pid	process
928	RegSvcs.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe

description	pid	process	target process
PID 1992 wrote to memory of 1468	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	schtasks.exe
PID 1992 wrote to memory of 1468	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	schtasks.exe
PID 1992 wrote to memory of 1468	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	schtasks.exe
PID 1992 wrote to memory of 1468	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	schtasks.exe
PID 1992 wrote to memory of 552	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 552	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 552	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 552	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 552	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 552	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 552	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe
PID 1992 wrote to memory of 928	1992	CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe
"C:\Users\Admin\AppData\Local\Temp\CARPSOBRPROCVINCINGR43678530006 CARPSOBRPROCVINCINGR43678530008.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XTfVRG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD24.tmp"
2⤵
- Creates scheduled task(s)
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetWindowsHookEx
PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFD24.tmp

MD5
a4b86f618bed49c01c72f495df97d3b0

SHA1
a3669fb139884765645d7d61e85420fe7bc495ed

SHA256
50660f9b51a7c585b3bd771b83cc6a496e6b4d48b7b15419eae0c732382d468a

SHA512
5717004f05c66c85ae673e62ed7a2676fe256dd29b5ef38dc2b41788e636b663ce0e06740a3bda5281d3bc5252c27fdff2ae109a6b9e4026d620203713dc6de3

Download Submit
memory/928-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/928-69-0x0000000000413E54-mapping.dmp

Download
memory/928-70-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/928-71-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1468-66-0x0000000000000000-mapping.dmp

Download
memory/1992-60-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1992-62-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/1992-63-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/1992-64-0x0000000005760000-0x000000000581A000-memory.dmp

Filesize
744KB

Download
memory/1992-65-0x0000000004FB0000-0x0000000005021000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads