remcos | d65a05ac95914160ce98904bf3f203f99d8261dbda038d2309419d345f78e2d8

General

Target

hsCNXH5WfPktCMH.exe
Size

1.1MB
MD5

e5a2da8ed26dafdba1593c27e93fe424
SHA1

9b365ea6cc2a88b2a32d56f4a079ea3fa7a1a6b9
SHA256

d65a05ac95914160ce98904bf3f203f99d8261dbda038d2309419d345f78e2d8
SHA512

79e7cd6dd43674c7e6a187e7aa4c895b149b4aefc445b18457956a7edde66ba6981e18933c63331786445d36e221f14da5dcab0602b40bed6b9940110adc8d1d

Score

10^/10

remcos evasion rat trojan

Malware Config

Extracted

Family

remcos

C2

217.138.212.58:52667

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Suspicious use of SetThreadContext 1 IoCs

Processes:

hsCNXH5WfPktCMH.exe

description pid process target process

PID 1824 set thread context of 2664 1824 hsCNXH5WfPktCMH.exe hsCNXH5WfPktCMH.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2384 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3104 reg.exe

description	pid	process	target process
PID 1824 set thread context of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe

pid	process
2384	schtasks.exe

pid	process
3104	reg.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

hsCNXH5WfPktCMH.exepowershell.exepowershell.exepowershell.exe

pid	process
1824	hsCNXH5WfPktCMH.exe
1824	hsCNXH5WfPktCMH.exe
1824	hsCNXH5WfPktCMH.exe
1824	hsCNXH5WfPktCMH.exe
2140	powershell.exe
1196	powershell.exe
1592	powershell.exe
2140	powershell.exe
1196	powershell.exe
1592	powershell.exe
2140	powershell.exe
1196	powershell.exe
1592	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

hsCNXH5WfPktCMH.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1824	hsCNXH5WfPktCMH.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

hsCNXH5WfPktCMH.exe

pid process

2664 hsCNXH5WfPktCMH.exe

pid	process
2664	hsCNXH5WfPktCMH.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

hsCNXH5WfPktCMH.exehsCNXH5WfPktCMH.execmd.exe

description	pid	process	target process
PID 1824 wrote to memory of 1196	1824	hsCNXH5WfPktCMH.exe	powershell.exe
PID 1824 wrote to memory of 1196	1824	hsCNXH5WfPktCMH.exe	powershell.exe
PID 1824 wrote to memory of 1196	1824	hsCNXH5WfPktCMH.exe	powershell.exe
PID 1824 wrote to memory of 2140	1824	hsCNXH5WfPktCMH.exe	powershell.exe
PID 1824 wrote to memory of 2140	1824	hsCNXH5WfPktCMH.exe	powershell.exe
PID 1824 wrote to memory of 2140	1824	hsCNXH5WfPktCMH.exe	powershell.exe
PID 1824 wrote to memory of 2384	1824	hsCNXH5WfPktCMH.exe	schtasks.exe
PID 1824 wrote to memory of 2384	1824	hsCNXH5WfPktCMH.exe	schtasks.exe
PID 1824 wrote to memory of 2384	1824	hsCNXH5WfPktCMH.exe	schtasks.exe
PID 1824 wrote to memory of 1592	1824	hsCNXH5WfPktCMH.exe	powershell.exe
PID 1824 wrote to memory of 1592	1824	hsCNXH5WfPktCMH.exe	powershell.exe
PID 1824 wrote to memory of 1592	1824	hsCNXH5WfPktCMH.exe	powershell.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 1824 wrote to memory of 2664	1824	hsCNXH5WfPktCMH.exe	hsCNXH5WfPktCMH.exe
PID 2664 wrote to memory of 3832	2664	hsCNXH5WfPktCMH.exe	cmd.exe
PID 2664 wrote to memory of 3832	2664	hsCNXH5WfPktCMH.exe	cmd.exe
PID 2664 wrote to memory of 3832	2664	hsCNXH5WfPktCMH.exe	cmd.exe
PID 3832 wrote to memory of 3104	3832	cmd.exe	reg.exe
PID 3832 wrote to memory of 3104	3832	cmd.exe	reg.exe
PID 3832 wrote to memory of 3104	3832	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\hsCNXH5WfPktCMH.exe
"C:\Users\Admin\AppData\Local\Temp\hsCNXH5WfPktCMH.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\hsCNXH5WfPktCMH.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NgFXSXBboDHspt.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NgFXSXBboDHspt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9CBE.tmp"
2⤵
- Creates scheduled task(s)
PID:2384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NgFXSXBboDHspt.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Users\Admin\AppData\Local\Temp\hsCNXH5WfPktCMH.exe
"C:\Users\Admin\AppData\Local\Temp\hsCNXH5WfPktCMH.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:3104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e6bd4f182fb23cf6861120f7b426b540

SHA1
c9849cc8ebcfe8a3440945e966eefd5d9c52b4a7

SHA256
8c3c2e93c77c8818e9eec66c4e587b1394e64c28637bc9f16b162932d3e87564

SHA512
ca7023de66080d68ea4ef82379faa5ae6759ba4d7fd2d8590095cfa716cacd3650b622f4585271e9c6ed58db04ad36f4e0240399cdea7cdcff21655af2e8c71c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CBE.tmp
MD5
ac73bb861793bccf7ca831e5e3ca0990

SHA1
209fa608013e914be64e8fa8b075f01dc719daf0

SHA256
e51570e55100e488ce2f22cccb3bc853e4cc370e955a2ec154fe4e2c2e58b54c

SHA512
e052035a323416965acccace21cecb798e15a7d450bdeda430be0a829622e1317cdbe1956b2ed4a9c75e5898aa8a29e2b3f35519d3cd1ba90b5825f5ca1462a1

Download Submit
memory/1196-165-0x0000000008820000-0x0000000008821000-memory.dmp

Filesize
4KB

Download
memory/1196-194-0x000000007E100000-0x000000007E101000-memory.dmp

Filesize
4KB

Download
memory/1196-130-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/1196-163-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/1196-144-0x0000000006FE2000-0x0000000006FE3000-memory.dmp

Filesize
4KB

Download
memory/1196-143-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/1196-125-0x0000000000000000-mapping.dmp

Download
memory/1196-198-0x0000000006FE3000-0x0000000006FE4000-memory.dmp

Filesize
4KB

Download
memory/1196-132-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/1592-168-0x0000000006E62000-0x0000000006E63000-memory.dmp

Filesize
4KB

Download
memory/1592-196-0x000000007F150000-0x000000007F151000-memory.dmp

Filesize
4KB

Download
memory/1592-167-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/1592-137-0x0000000000000000-mapping.dmp

Download
memory/1592-199-0x0000000006E63000-0x0000000006E64000-memory.dmp

Filesize
4KB

Download
memory/1824-118-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/1824-119-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/1824-117-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/1824-124-0x00000000073E0000-0x0000000007458000-memory.dmp

Filesize
480KB

Download
memory/1824-123-0x0000000001490000-0x000000000153D000-memory.dmp

Filesize
692KB

Download
memory/1824-122-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/1824-120-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/1824-114-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1824-116-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/1824-121-0x00000000059F0000-0x00000000059FD000-memory.dmp

Filesize
52KB

Download
memory/2140-191-0x00000000098B0000-0x00000000098E3000-memory.dmp

Filesize
204KB

Download
memory/2140-195-0x000000007E0F0000-0x000000007E0F1000-memory.dmp

Filesize
4KB

Download
memory/2140-126-0x0000000000000000-mapping.dmp

Download
memory/2140-140-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/2140-152-0x0000000008260000-0x0000000008261000-memory.dmp

Filesize
4KB

Download
memory/2140-147-0x00000000081B0000-0x00000000081B1000-memory.dmp

Filesize
4KB

Download
memory/2140-169-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/2140-145-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/2140-148-0x0000000005102000-0x0000000005103000-memory.dmp

Filesize
4KB

Download
memory/2140-146-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2140-197-0x0000000005103000-0x0000000005104000-memory.dmp

Filesize
4KB

Download
memory/2384-127-0x0000000000000000-mapping.dmp

Download
memory/2664-139-0x000000000042EEEF-mapping.dmp

Download
memory/2664-150-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2664-138-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3104-158-0x0000000000000000-mapping.dmp

Download
memory/3832-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads