remcos | a494c1e303160d0fb163cdd38cd218288239e93376b7e5e9ee85274430f6f1fb

General

Target

GVK Price Request,pdf.exe
Size

805KB
MD5

32bfc580410f46ca74f9b599bbf68d98
SHA1

51c281312fdcb3b5ac040e93045f0c176ceb90ff
SHA256

a494c1e303160d0fb163cdd38cd218288239e93376b7e5e9ee85274430f6f1fb
SHA512

b99928537fc19ad34db40fb03b09973a358e5b2c6d5babe0d24fde0e264a0ecefd11de0cb36987fdec6400c2a2582a7d992efc6b67e482fab6afed04fbc399ea

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

macho.hopto.org:2477

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

image.exe

pid process

1252 image.exe

pid	process
1252	image.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\image = "\"C:\\Users\\Admin\\AppData\\Roaming\\Internet Explorer\\image.exe\""	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GVK Price Request,pdf.exe

description pid process target process

PID 4064 set thread context of 3172 4064 GVK Price Request,pdf.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2320 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2184 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

GVK Price Request,pdf.exe

pid process

4064 GVK Price Request,pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GVK Price Request,pdf.exe

description pid process

Token: SeDebugPrivilege 4064 GVK Price Request,pdf.exe

description	pid	process	target process
PID 4064 set thread context of 3172	4064	GVK Price Request,pdf.exe	RegSvcs.exe

pid	process
2320	schtasks.exe

pid	process
2184	PING.EXE

pid	process
4064	GVK Price Request,pdf.exe

description	pid	process
Token: SeDebugPrivilege	4064	GVK Price Request,pdf.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

GVK Price Request,pdf.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 4064 wrote to memory of 2320	4064	GVK Price Request,pdf.exe	schtasks.exe
PID 4064 wrote to memory of 2320	4064	GVK Price Request,pdf.exe	schtasks.exe
PID 4064 wrote to memory of 2320	4064	GVK Price Request,pdf.exe	schtasks.exe
PID 4064 wrote to memory of 3172	4064	GVK Price Request,pdf.exe	RegSvcs.exe
PID 4064 wrote to memory of 3172	4064	GVK Price Request,pdf.exe	RegSvcs.exe
PID 4064 wrote to memory of 3172	4064	GVK Price Request,pdf.exe	RegSvcs.exe
PID 4064 wrote to memory of 3172	4064	GVK Price Request,pdf.exe	RegSvcs.exe
PID 4064 wrote to memory of 3172	4064	GVK Price Request,pdf.exe	RegSvcs.exe
PID 4064 wrote to memory of 3172	4064	GVK Price Request,pdf.exe	RegSvcs.exe
PID 4064 wrote to memory of 3172	4064	GVK Price Request,pdf.exe	RegSvcs.exe
PID 4064 wrote to memory of 3172	4064	GVK Price Request,pdf.exe	RegSvcs.exe
PID 4064 wrote to memory of 3172	4064	GVK Price Request,pdf.exe	RegSvcs.exe
PID 3172 wrote to memory of 1236	3172	RegSvcs.exe	cmd.exe
PID 3172 wrote to memory of 1236	3172	RegSvcs.exe	cmd.exe
PID 3172 wrote to memory of 1236	3172	RegSvcs.exe	cmd.exe
PID 1236 wrote to memory of 2184	1236	cmd.exe	PING.EXE
PID 1236 wrote to memory of 2184	1236	cmd.exe	PING.EXE
PID 1236 wrote to memory of 2184	1236	cmd.exe	PING.EXE
PID 1236 wrote to memory of 1252	1236	cmd.exe	image.exe
PID 1236 wrote to memory of 1252	1236	cmd.exe	image.exe
PID 1236 wrote to memory of 1252	1236	cmd.exe	image.exe

C:\Users\Admin\AppData\Local\Temp\GVK Price Request,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\GVK Price Request,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GepToze" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE21.tmp"
2⤵
- Creates scheduled task(s)
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:2184

C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe
"C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe"
4⤵
- Executes dropped EXE
PID:1252

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat
MD5
8b960bfd398f1a71ec9a180dde824d1f

SHA1
d7ad085d060cfa62f91fe41ed83da42c3f7e4948

SHA256
bc10b3ecbcdd03a0a82c4b94673075746ab64a7290029cc6d7768b15515430d5

SHA512
0743465397d5610710575c07e3b3bdc74ffeeaff44db91fd2430cec6fc95b6dfd2cde1b07a9dabc2202390e0689c8e305dccdd61a987520f2e8d0d27ba30a94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE21.tmp
MD5
73fd342e1fbb646e2022759e9cd0fa07

SHA1
62a426e2fc098c574f5f70f297580b0ba689f381

SHA256
32e875c3d7c27cdcad26e6ed927ee575f155d25edea19d6d19fbd5f5a68ae7c7

SHA512
7af38a633d84722e1c8ed2492902e20428147b82a6c5990868a61dabd80a17a76b3fd8b4d2fcc4cc1c03dde2bae10af0758c2c91e4ddbacff2a3e9e22a07dbed

Download Submit
C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1236-128-0x0000000000000000-mapping.dmp

Download
memory/1252-137-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/1252-136-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/1252-135-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1252-132-0x0000000000000000-mapping.dmp

Download
memory/2184-130-0x0000000000000000-mapping.dmp

Download
memory/2320-124-0x0000000000000000-mapping.dmp

Download
memory/3172-131-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3172-126-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3172-127-0x000000000040FD88-mapping.dmp

Download
memory/4064-123-0x0000000000F50000-0x0000000000FA5000-memory.dmp

Filesize
340KB

Download
memory/4064-114-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/4064-122-0x0000000005F00000-0x0000000005F96000-memory.dmp

Filesize
600KB

Download
memory/4064-121-0x0000000005110000-0x000000000511E000-memory.dmp

Filesize
56KB

Download
memory/4064-120-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/4064-119-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4064-118-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4064-117-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/4064-116-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads