remcos | 6ce1eb96c697ce276022f1a14fe7da73f910487fcfb384d676b28aa55f0c05ca

General

Target

CONFIRM ORDER_O452-11189H6U77,pdf.exe
Size

743KB
MD5

a10b06acd92325678e2b960544c9257f
SHA1

754dfa9962325d7ad6676779bafcd8b5e18d6978
SHA256

6ce1eb96c697ce276022f1a14fe7da73f910487fcfb384d676b28aa55f0c05ca
SHA512

8fef2e063e121fdf49f2d1fedb35aa6bd17fcf15e775f2460d473f13783e9e9f256765c3da6b7aa8334dd096d69c6b5774ba1ee7f703f6e07a4acaabdcc0a249

Score

10^/10

remcos evasion rat

Malware Config

Extracted

Family

remcos

C2

goddywin.freedynamicdns.net:6712

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CONFIRM ORDER_O452-11189H6U77,pdf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CONFIRM ORDER_O452-11189H6U77,pdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CONFIRM ORDER_O452-11189H6U77,pdf.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

CONFIRM ORDER_O452-11189H6U77,pdf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CONFIRM ORDER_O452-11189H6U77,pdf.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	CONFIRM ORDER_O452-11189H6U77,pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

CONFIRM ORDER_O452-11189H6U77,pdf.exe

description pid process target process

PID 3988 set thread context of 780 3988 CONFIRM ORDER_O452-11189H6U77,pdf.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4048 schtasks.exe

description	pid	process	target process
PID 3988 set thread context of 780	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe

pid	process
4048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

CONFIRM ORDER_O452-11189H6U77,pdf.exepowershell.exepowershell.exepowershell.exe

pid	process
3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe
3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe
3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe
1340	powershell.exe
2712	powershell.exe
3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe
3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe
3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe
3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe
1340	powershell.exe
2712	powershell.exe
2492	powershell.exe
2492	powershell.exe
2712	powershell.exe
1340	powershell.exe
2492	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

CONFIRM ORDER_O452-11189H6U77,pdf.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

CONFIRM ORDER_O452-11189H6U77,pdf.exe

description	pid	process	target process
PID 3988 wrote to memory of 1340	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	powershell.exe
PID 3988 wrote to memory of 1340	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	powershell.exe
PID 3988 wrote to memory of 1340	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	powershell.exe
PID 3988 wrote to memory of 2712	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	powershell.exe
PID 3988 wrote to memory of 2712	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	powershell.exe
PID 3988 wrote to memory of 2712	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	powershell.exe
PID 3988 wrote to memory of 4048	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	schtasks.exe
PID 3988 wrote to memory of 4048	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	schtasks.exe
PID 3988 wrote to memory of 4048	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	schtasks.exe
PID 3988 wrote to memory of 2492	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	powershell.exe
PID 3988 wrote to memory of 2492	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	powershell.exe
PID 3988 wrote to memory of 2492	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	powershell.exe
PID 3988 wrote to memory of 2836	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 2836	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 2836	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 3240	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 3240	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 3240	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 780	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 780	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 780	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 780	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 780	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 780	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 780	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 780	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 780	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe
PID 3988 wrote to memory of 780	3988	CONFIRM ORDER_O452-11189H6U77,pdf.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\CONFIRM ORDER_O452-11189H6U77,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\CONFIRM ORDER_O452-11189H6U77,pdf.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CONFIRM ORDER_O452-11189H6U77,pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JttnSaHiiAm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JttnSaHiiAm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC92D.tmp"
2⤵
- Creates scheduled task(s)
PID:4048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JttnSaHiiAm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
648563aa76007c473bc243584f865457

SHA1
27d84e879a7c45419f05000b3b76485b08c32367

SHA256
35a765f6c3f4e0bc6e2230deb56b8d7bbf78863e1fb45cc4085c2f8a691057fe

SHA512
b5cde990015d4c47a6db0da8a28cd8221b65505dbf4a982f3ebb4417aca8e689e472124aa40e93cb5b6a409c18f14a83b72d2f0a54768e931a1d5cef9ef5f2f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
83765874ed7f0b62c6e306f693546cde

SHA1
8b352c080536fa826192bfc9178c1768ec5deb75

SHA256
b611ae9bfa175484a3dc889acfa676d63207744de8ce8e21ef24d2faa1ed7073

SHA512
787c51016da736bea88fc19f8cd992556669f16ad380536f3355984b6dac7f6abc62a53b04193c47d729cbef2986d940a5659364b4b26d25789aac969a775540

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC92D.tmp

MD5
747517610e07aeaf465b828077f20eef

SHA1
7c4ed4185d76ef3a8a0825083a5c2e9c8d445508

SHA256
ecf81cb6938045355d47313dfdba285117ca0292ab46f55998f35fa128e02afd

SHA512
18eca453747cde4e70ae9a8e7962a4e9815ed4b2af35917657e61c46ae51a2b1a6b3c14eddab33fb75a14ab58afa59381031e6bf9c08325fc376163533b29dd7

Download Submit
memory/780-165-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/780-149-0x0000000000413FA4-mapping.dmp

Download
memory/780-148-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1340-157-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/1340-142-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/1340-124-0x0000000000000000-mapping.dmp

Download
memory/1340-191-0x00000000090B0000-0x00000000090E3000-memory.dmp

Filesize
204KB

Download
memory/1340-128-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/1340-129-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/1340-131-0x0000000006D32000-0x0000000006D33000-memory.dmp

Filesize
4KB

Download
memory/1340-130-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/1340-193-0x000000007EF10000-0x000000007EF11000-memory.dmp

Filesize
4KB

Download
memory/1340-194-0x0000000006D33000-0x0000000006D34000-memory.dmp

Filesize
4KB

Download
memory/1340-134-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/1340-138-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/2492-167-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2492-168-0x0000000000C12000-0x0000000000C13000-memory.dmp

Filesize
4KB

Download
memory/2492-147-0x0000000000000000-mapping.dmp

Download
memory/2492-197-0x0000000000C13000-0x0000000000C14000-memory.dmp

Filesize
4KB

Download
memory/2492-196-0x000000007EE50000-0x000000007EE51000-memory.dmp

Filesize
4KB

Download
memory/2712-195-0x0000000007363000-0x0000000007364000-memory.dmp

Filesize
4KB

Download
memory/2712-169-0x00000000086E0000-0x00000000086E1000-memory.dmp

Filesize
4KB

Download
memory/2712-162-0x0000000008450000-0x0000000008451000-memory.dmp

Filesize
4KB

Download
memory/2712-161-0x0000000007362000-0x0000000007363000-memory.dmp

Filesize
4KB

Download
memory/2712-132-0x0000000000000000-mapping.dmp

Download
memory/2712-159-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/2712-192-0x000000007EF50000-0x000000007EF51000-memory.dmp

Filesize
4KB

Download
memory/3988-123-0x0000000008760000-0x0000000008797000-memory.dmp

Filesize
220KB

Download
memory/3988-121-0x0000000005590000-0x000000000559D000-memory.dmp

Filesize
52KB

Download
memory/3988-114-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3988-120-0x00000000055B0000-0x0000000005AAE000-memory.dmp

Filesize
5.0MB

Download
memory/3988-119-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/3988-125-0x000000000BB10000-0x000000000BB11000-memory.dmp

Filesize
4KB

Download
memory/3988-122-0x00000000014E0000-0x0000000001555000-memory.dmp

Filesize
468KB

Download
memory/3988-118-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/3988-117-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3988-116-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/4048-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads