remcos | a494c1e303160d0fb163cdd38cd218288239e93376b7e5e9ee85274430f6f1fb

General

Target

GVK Price Request,pdf.exe
Size

805KB
MD5

32bfc580410f46ca74f9b599bbf68d98
SHA1

51c281312fdcb3b5ac040e93045f0c176ceb90ff
SHA256

a494c1e303160d0fb163cdd38cd218288239e93376b7e5e9ee85274430f6f1fb
SHA512

b99928537fc19ad34db40fb03b09973a358e5b2c6d5babe0d24fde0e264a0ecefd11de0cb36987fdec6400c2a2582a7d992efc6b67e482fab6afed04fbc399ea

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

macho.hopto.org:2477

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

image.exe

pid process

532 image.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1660 cmd.exe

pid	process
532	image.exe

pid	process
1660	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\image = "\"C:\\Users\\Admin\\AppData\\Roaming\\Internet Explorer\\image.exe\""	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GVK Price Request,pdf.exe

description pid process target process

PID 1996 set thread context of 1116 1996 GVK Price Request,pdf.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1732 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1068 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

GVK Price Request,pdf.exe

pid process

1996 GVK Price Request,pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GVK Price Request,pdf.exe

description pid process

Token: SeDebugPrivilege 1996 GVK Price Request,pdf.exe

description	pid	process	target process
PID 1996 set thread context of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe

pid	process
1732	schtasks.exe

pid	process
1068	PING.EXE

pid	process
1996	GVK Price Request,pdf.exe

description	pid	process
Token: SeDebugPrivilege	1996	GVK Price Request,pdf.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

GVK Price Request,pdf.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 1996 wrote to memory of 1732	1996	GVK Price Request,pdf.exe	schtasks.exe
PID 1996 wrote to memory of 1732	1996	GVK Price Request,pdf.exe	schtasks.exe
PID 1996 wrote to memory of 1732	1996	GVK Price Request,pdf.exe	schtasks.exe
PID 1996 wrote to memory of 1732	1996	GVK Price Request,pdf.exe	schtasks.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1996 wrote to memory of 1116	1996	GVK Price Request,pdf.exe	RegSvcs.exe
PID 1116 wrote to memory of 1660	1116	RegSvcs.exe	cmd.exe
PID 1116 wrote to memory of 1660	1116	RegSvcs.exe	cmd.exe
PID 1116 wrote to memory of 1660	1116	RegSvcs.exe	cmd.exe
PID 1116 wrote to memory of 1660	1116	RegSvcs.exe	cmd.exe
PID 1116 wrote to memory of 1660	1116	RegSvcs.exe	cmd.exe
PID 1116 wrote to memory of 1660	1116	RegSvcs.exe	cmd.exe
PID 1116 wrote to memory of 1660	1116	RegSvcs.exe	cmd.exe
PID 1660 wrote to memory of 1068	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 1068	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 1068	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 1068	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 532	1660	cmd.exe	image.exe
PID 1660 wrote to memory of 532	1660	cmd.exe	image.exe
PID 1660 wrote to memory of 532	1660	cmd.exe	image.exe
PID 1660 wrote to memory of 532	1660	cmd.exe	image.exe
PID 1660 wrote to memory of 532	1660	cmd.exe	image.exe
PID 1660 wrote to memory of 532	1660	cmd.exe	image.exe
PID 1660 wrote to memory of 532	1660	cmd.exe	image.exe

C:\Users\Admin\AppData\Local\Temp\GVK Price Request,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\GVK Price Request,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GepToze" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp"
2⤵
- Creates scheduled task(s)
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:1068

C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe
"C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe"
4⤵
- Executes dropped EXE
PID:532

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat
MD5
8b960bfd398f1a71ec9a180dde824d1f

SHA1
d7ad085d060cfa62f91fe41ed83da42c3f7e4948

SHA256
bc10b3ecbcdd03a0a82c4b94673075746ab64a7290029cc6d7768b15515430d5

SHA512
0743465397d5610710575c07e3b3bdc74ffeeaff44db91fd2430cec6fc95b6dfd2cde1b07a9dabc2202390e0689c8e305dccdd61a987520f2e8d0d27ba30a94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp
MD5
905edc160cd2cae702bedc25a30b348a

SHA1
7db929825fb20fee57ff14ff1b5f946ce43477c6

SHA256
7f9e00005d876f10d89d2d2fd7637c7c21434a568a411effd4c889f80755c4cf

SHA512
fe6c24bb22d4b931f147f2b9dd29f5151561e858cc93395506a533480fcce77d0e502a7c9064feb69f40d60b742f62bc4024d6a2f944d788948c17bb7ea7293f

Download Submit
C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Roaming\Internet Explorer\image.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/532-80-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/532-79-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/532-77-0x0000000000000000-mapping.dmp

Download
memory/1068-74-0x0000000000000000-mapping.dmp

Download
memory/1116-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1116-70-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1116-69-0x000000000040FD88-mapping.dmp

Download
memory/1116-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1660-72-0x0000000000000000-mapping.dmp

Download
memory/1732-66-0x0000000000000000-mapping.dmp

Download
memory/1996-60-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/1996-65-0x0000000000BD0000-0x0000000000C25000-memory.dmp

Filesize
340KB

Download
memory/1996-64-0x0000000005110000-0x00000000051A6000-memory.dmp

Filesize
600KB

Download
memory/1996-63-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/1996-62-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads