remcos | 8b89ce7d6ebc740d866706db34cdf17acbd53745c78244b4ac23179dd1776ba2

General

Target

3.exe
Size

546KB
MD5

bdbef8f67b0fb0b9f9d370b69b5d5c03
SHA1

dc4e13a346a2ec29830580ab41f4034bad9dafed
SHA256

8b89ce7d6ebc740d866706db34cdf17acbd53745c78244b4ac23179dd1776ba2
SHA512

60bdb75c159612ac3552f47af5fb6be81a83956213990ce9589c34a5ce05a80862a6fb5772df78f997a7468bef7db6c05227907dd6333ed72dada4f9ee0fb64e

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

zubby2468.hopto.org:8905

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

3.exe

description pid process target process

PID 1852 set thread context of 3996 1852 3.exe 3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2220 schtasks.exe

description	pid	process	target process
PID 1852 set thread context of 3996	1852	3.exe	3.exe

pid	process
2220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

3.exepowershell.exepowershell.exepowershell.exe

pid	process
1852	3.exe
1852	3.exe
1852	3.exe
1756	powershell.exe
580	powershell.exe
1852	3.exe
1756	powershell.exe
3364	powershell.exe
580	powershell.exe
3364	powershell.exe
1756	powershell.exe
580	powershell.exe
3364	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

3.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1852	3.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

3.exe

description	pid	process	target process
PID 1852 wrote to memory of 580	1852	3.exe	powershell.exe
PID 1852 wrote to memory of 580	1852	3.exe	powershell.exe
PID 1852 wrote to memory of 580	1852	3.exe	powershell.exe
PID 1852 wrote to memory of 1756	1852	3.exe	powershell.exe
PID 1852 wrote to memory of 1756	1852	3.exe	powershell.exe
PID 1852 wrote to memory of 1756	1852	3.exe	powershell.exe
PID 1852 wrote to memory of 2220	1852	3.exe	schtasks.exe
PID 1852 wrote to memory of 2220	1852	3.exe	schtasks.exe
PID 1852 wrote to memory of 2220	1852	3.exe	schtasks.exe
PID 1852 wrote to memory of 3364	1852	3.exe	powershell.exe
PID 1852 wrote to memory of 3364	1852	3.exe	powershell.exe
PID 1852 wrote to memory of 3364	1852	3.exe	powershell.exe
PID 1852 wrote to memory of 3996	1852	3.exe	3.exe
PID 1852 wrote to memory of 3996	1852	3.exe	3.exe
PID 1852 wrote to memory of 3996	1852	3.exe	3.exe
PID 1852 wrote to memory of 3996	1852	3.exe	3.exe
PID 1852 wrote to memory of 3996	1852	3.exe	3.exe
PID 1852 wrote to memory of 3996	1852	3.exe	3.exe
PID 1852 wrote to memory of 3996	1852	3.exe	3.exe
PID 1852 wrote to memory of 3996	1852	3.exe	3.exe
PID 1852 wrote to memory of 3996	1852	3.exe	3.exe
PID 1852 wrote to memory of 3996	1852	3.exe	3.exe

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IUjKtcqxqIGX.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IUjKtcqxqIGX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE494.tmp"
2⤵
- Creates scheduled task(s)
PID:2220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IUjKtcqxqIGX.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
2⤵
PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0cfa07133ce7bafe15817906a7e5b2a7

SHA1
4d2129db4f2b85a6569a296c873ec2030b7f7d2f

SHA256
ac71a4da838aea24e918b120a69a085e0990d58d8780f4cbb611beecdd83287c

SHA512
967669d2732e13b6b06f6ee33daebbc2491da526769274b098ba6e9844d48f2d220d28e8c5a523377358c8b6b07bffa64c1f5f71f4a33f0b2a109ecc12446231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f85a4b04f6ec887ed8cf47c2a98c7b30

SHA1
c3caa60d6aeb280914c8ebe7c5eb391d31f580e4

SHA256
2a2de1aa4f78f707f0ce8fc48068f7c6a3aa70ad4e35515e64a7bb6b5b8dd890

SHA512
0a46c6dae69b903dd5ee99f0f37d9deddab1011ed94e087b50f4dcc78fd5bab7a6937136f36da91a49a44eb71d3a7a7c30b09412acc708b4d590bc0bff434bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE494.tmp
MD5
ab1037522f2586e03af8754d2a2a6339

SHA1
7d3e408548dd6a861b77e06119bd533df561dd27

SHA256
6f0f01a4a3dfedbea7b0560af4176faa4ffbefffe4fd3a76af12944c3e7f89dd

SHA512
b2f19318f5e6e6c5f15df0f13499fa9121b7a7ef605fd9f56652d5aaeec4963349c68297c87e6253b38e053cf1ad134f1d05b606d7da1b85b43d886941684834

Download Submit
memory/580-129-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/580-195-0x0000000006D93000-0x0000000006D94000-memory.dmp

Filesize
4KB

Download
memory/580-192-0x000000007ED70000-0x000000007ED71000-memory.dmp

Filesize
4KB

Download
memory/580-186-0x0000000009140000-0x0000000009173000-memory.dmp

Filesize
204KB

Download
memory/580-150-0x0000000006D92000-0x0000000006D93000-memory.dmp

Filesize
4KB

Download
memory/580-148-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/580-124-0x0000000000000000-mapping.dmp

Download
memory/580-130-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/1756-160-0x0000000008BC0000-0x0000000008BC1000-memory.dmp

Filesize
4KB

Download
memory/1756-193-0x000000007F9C0000-0x000000007F9C1000-memory.dmp

Filesize
4KB

Download
memory/1756-125-0x0000000000000000-mapping.dmp

Download
memory/1756-136-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/1756-138-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/1756-139-0x0000000007B30000-0x0000000007B31000-memory.dmp

Filesize
4KB

Download
memory/1756-142-0x00000000083C0000-0x00000000083C1000-memory.dmp

Filesize
4KB

Download
memory/1756-194-0x0000000007573000-0x0000000007574000-memory.dmp

Filesize
4KB

Download
memory/1756-166-0x0000000008A60000-0x0000000008A61000-memory.dmp

Filesize
4KB

Download
memory/1756-159-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/1756-156-0x0000000007572000-0x0000000007573000-memory.dmp

Filesize
4KB

Download
memory/1756-153-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/1852-119-0x00000000055B0000-0x0000000005AAE000-memory.dmp

Filesize
5.0MB

Download
memory/1852-123-0x00000000059F0000-0x0000000005A26000-memory.dmp

Filesize
216KB

Download
memory/1852-120-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/1852-121-0x0000000005830000-0x000000000583D000-memory.dmp

Filesize
52KB

Download
memory/1852-117-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/1852-114-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1852-118-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1852-116-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/1852-122-0x0000000001420000-0x0000000001494000-memory.dmp

Filesize
464KB

Download
memory/2220-127-0x0000000000000000-mapping.dmp

Download
memory/3364-196-0x000000007EDF0000-0x000000007EDF1000-memory.dmp

Filesize
4KB

Download
memory/3364-140-0x0000000000000000-mapping.dmp

Download
memory/3364-152-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3364-155-0x0000000000E72000-0x0000000000E73000-memory.dmp

Filesize
4KB

Download
memory/3364-197-0x0000000000E73000-0x0000000000E74000-memory.dmp

Filesize
4KB

Download
memory/3996-144-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3996-145-0x0000000000413FA4-mapping.dmp

Download
memory/3996-157-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads