remcos | 5454ec6037767c7c675551dafd7c023e8bd974f7fce965aa94505b19151895f2

General

Target

INQUIRY.exe
Size

447KB
MD5

455e8ece9f31a1becb15adcab5be0b37
SHA1

a86310fe3489c342393deef49828d8d633570916
SHA256

5454ec6037767c7c675551dafd7c023e8bd974f7fce965aa94505b19151895f2
SHA512

ca6edf7d575bffb19a78b31d94bdb7e1f30c41c2a77c412495a833be99049f007b7d3c678696f27b77d9b02018e1cb28970d99fdd80c93c2f1e2eb1d459784a6

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

C2

45.144.225.221:5090

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

INQUIRY.exe

description pid process target process

PID 780 set thread context of 2172 780 INQUIRY.exe INQUIRY.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3552 schtasks.exe

description	pid	process	target process
PID 780 set thread context of 2172	780	INQUIRY.exe	INQUIRY.exe

pid	process
3552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

INQUIRY.exepowershell.exepowershell.exepowershell.exe

pid	process
780	INQUIRY.exe
780	INQUIRY.exe
780	INQUIRY.exe
2136	powershell.exe
1268	powershell.exe
1316	powershell.exe
1268	powershell.exe
2136	powershell.exe
1316	powershell.exe
2136	powershell.exe
1268	powershell.exe
1316	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

INQUIRY.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	780	INQUIRY.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

INQUIRY.exe

pid process

2172 INQUIRY.exe

pid	process
2172	INQUIRY.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

INQUIRY.exe

description	pid	process	target process
PID 780 wrote to memory of 2136	780	INQUIRY.exe	powershell.exe
PID 780 wrote to memory of 2136	780	INQUIRY.exe	powershell.exe
PID 780 wrote to memory of 2136	780	INQUIRY.exe	powershell.exe
PID 780 wrote to memory of 1268	780	INQUIRY.exe	powershell.exe
PID 780 wrote to memory of 1268	780	INQUIRY.exe	powershell.exe
PID 780 wrote to memory of 1268	780	INQUIRY.exe	powershell.exe
PID 780 wrote to memory of 3552	780	INQUIRY.exe	schtasks.exe
PID 780 wrote to memory of 3552	780	INQUIRY.exe	schtasks.exe
PID 780 wrote to memory of 3552	780	INQUIRY.exe	schtasks.exe
PID 780 wrote to memory of 1316	780	INQUIRY.exe	powershell.exe
PID 780 wrote to memory of 1316	780	INQUIRY.exe	powershell.exe
PID 780 wrote to memory of 1316	780	INQUIRY.exe	powershell.exe
PID 780 wrote to memory of 2172	780	INQUIRY.exe	INQUIRY.exe
PID 780 wrote to memory of 2172	780	INQUIRY.exe	INQUIRY.exe
PID 780 wrote to memory of 2172	780	INQUIRY.exe	INQUIRY.exe
PID 780 wrote to memory of 2172	780	INQUIRY.exe	INQUIRY.exe
PID 780 wrote to memory of 2172	780	INQUIRY.exe	INQUIRY.exe
PID 780 wrote to memory of 2172	780	INQUIRY.exe	INQUIRY.exe
PID 780 wrote to memory of 2172	780	INQUIRY.exe	INQUIRY.exe
PID 780 wrote to memory of 2172	780	INQUIRY.exe	INQUIRY.exe
PID 780 wrote to memory of 2172	780	INQUIRY.exe	INQUIRY.exe

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\brrAhy.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\brrAhy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC1F.tmp"
2⤵
- Creates scheduled task(s)
PID:3552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\brrAhy.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
99ecf228b7bbcdeda1e1bafc8c695f16

SHA1
b01a7d72a30bf85a4ba703b9652a3026e02ce869

SHA256
64890ba41b8fdeeef0b67d9dde4d5a1e85795c6a95d10429f40e7f359e2b49d5

SHA512
2a933bcef750a1f9bb20d36409910f398d3489e5463c4f2b63ff913adc3096d79e2e6b3e83d3a4ced8ece4beb3b69318bfd44974e19bff44cc7f5f1bbd860260

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC1F.tmp
MD5
d4e487e33241b7bbf632b161e9997bc5

SHA1
76fe6bc2404d063e525050e0854b3c630a962841

SHA256
72f849cdb5903f49921199a2d2e2605bfc38eda90d30ee1efcc04726295d92ea

SHA512
b3fc86215398d0e18e21cb8ab3cdb957bcd9bde146b5097df0dc35b168dc8c5c0a1446e4024a8a717294ddae2502dd11a49160583f476af5bf96ef34bc4023ed

Download Submit
memory/780-114-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/780-117-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/780-119-0x0000000005060000-0x000000000555E000-memory.dmp

Filesize
5.0MB

Download
memory/780-121-0x0000000005B60000-0x0000000005B6D000-memory.dmp

Filesize
52KB

Download
memory/780-122-0x0000000002890000-0x00000000028FF000-memory.dmp

Filesize
444KB

Download
memory/780-123-0x00000000082A0000-0x00000000082CB000-memory.dmp

Filesize
172KB

Download
memory/780-118-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/780-116-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/780-120-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1268-129-0x0000000000000000-mapping.dmp

Download
memory/1268-196-0x0000000006693000-0x0000000006694000-memory.dmp

Filesize
4KB

Download
memory/1268-193-0x000000007EE60000-0x000000007EE61000-memory.dmp

Filesize
4KB

Download
memory/1268-160-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/1268-188-0x0000000008AE0000-0x0000000008B13000-memory.dmp

Filesize
204KB

Download
memory/1268-162-0x0000000006692000-0x0000000006693000-memory.dmp

Filesize
4KB

Download
memory/1316-197-0x0000000007233000-0x0000000007234000-memory.dmp

Filesize
4KB

Download
memory/1316-194-0x000000007F140000-0x000000007F141000-memory.dmp

Filesize
4KB

Download
memory/1316-139-0x0000000000000000-mapping.dmp

Download
memory/1316-165-0x0000000007232000-0x0000000007233000-memory.dmp

Filesize
4KB

Download
memory/1316-164-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/2136-127-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2136-124-0x0000000000000000-mapping.dmp

Download
memory/2136-159-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/2136-145-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/2136-140-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/2136-157-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/2136-141-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/2136-132-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/2136-166-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/2136-128-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/2136-192-0x000000007E820000-0x000000007E821000-memory.dmp

Filesize
4KB

Download
memory/2136-138-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/2136-133-0x0000000001002000-0x0000000001003000-memory.dmp

Filesize
4KB

Download
memory/2136-195-0x0000000001003000-0x0000000001004000-memory.dmp

Filesize
4KB

Download
memory/2172-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2172-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2172-143-0x000000000040FD88-mapping.dmp

Download
memory/3552-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads