remcos | bba34099de8e5e947f218de51e0f490f07ec6063bc22c39cf375785528cb3f90

General

Target

Qheh4UMIdke3dE9.exe
Size

955KB
MD5

7e6e20dc66ea2df596fb1e3bcc404eed
SHA1

a79811d90049759cbc1c5293ee8dd5832df20f2c
SHA256

bba34099de8e5e947f218de51e0f490f07ec6063bc22c39cf375785528cb3f90
SHA512

e3ead638252e6c2ce1d731538baf51eb8e914022496f585f6f2c0ca4692a3c1a501030b2a718e127ebf6727253891ea158c5044783dcfc150b19e7e85cd8a434

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

C2

192.3.141.183:8078

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

3104 remcos.exe

pid	process
3104	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Qheh4UMIdke3dE9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Qheh4UMIdke3dE9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	Qheh4UMIdke3dE9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Qheh4UMIdke3dE9.exe

description pid process target process

PID 856 set thread context of 792 856 Qheh4UMIdke3dE9.exe Qheh4UMIdke3dE9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3848 schtasks.exe
Modifies registry class 1 IoCs

Processes:

Qheh4UMIdke3dE9.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Qheh4UMIdke3dE9.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1184 reg.exe

description	pid	process	target process
PID 856 set thread context of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe

pid	process
3848	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Qheh4UMIdke3dE9.exe

pid	process
1184	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Qheh4UMIdke3dE9.exepowershell.exepowershell.exepowershell.exe

pid	process
856	Qheh4UMIdke3dE9.exe
856	Qheh4UMIdke3dE9.exe
856	Qheh4UMIdke3dE9.exe
2096	powershell.exe
2200	powershell.exe
3752	powershell.exe
2096	powershell.exe
3752	powershell.exe
2200	powershell.exe
2200	powershell.exe
3752	powershell.exe
2096	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Qheh4UMIdke3dE9.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	856	Qheh4UMIdke3dE9.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

Qheh4UMIdke3dE9.exeQheh4UMIdke3dE9.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 856 wrote to memory of 3752	856	Qheh4UMIdke3dE9.exe	powershell.exe
PID 856 wrote to memory of 3752	856	Qheh4UMIdke3dE9.exe	powershell.exe
PID 856 wrote to memory of 3752	856	Qheh4UMIdke3dE9.exe	powershell.exe
PID 856 wrote to memory of 2096	856	Qheh4UMIdke3dE9.exe	powershell.exe
PID 856 wrote to memory of 2096	856	Qheh4UMIdke3dE9.exe	powershell.exe
PID 856 wrote to memory of 2096	856	Qheh4UMIdke3dE9.exe	powershell.exe
PID 856 wrote to memory of 3848	856	Qheh4UMIdke3dE9.exe	schtasks.exe
PID 856 wrote to memory of 3848	856	Qheh4UMIdke3dE9.exe	schtasks.exe
PID 856 wrote to memory of 3848	856	Qheh4UMIdke3dE9.exe	schtasks.exe
PID 856 wrote to memory of 2200	856	Qheh4UMIdke3dE9.exe	powershell.exe
PID 856 wrote to memory of 2200	856	Qheh4UMIdke3dE9.exe	powershell.exe
PID 856 wrote to memory of 2200	856	Qheh4UMIdke3dE9.exe	powershell.exe
PID 856 wrote to memory of 2220	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 2220	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 2220	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 856 wrote to memory of 792	856	Qheh4UMIdke3dE9.exe	Qheh4UMIdke3dE9.exe
PID 792 wrote to memory of 3268	792	Qheh4UMIdke3dE9.exe	cmd.exe
PID 792 wrote to memory of 3268	792	Qheh4UMIdke3dE9.exe	cmd.exe
PID 792 wrote to memory of 3268	792	Qheh4UMIdke3dE9.exe	cmd.exe
PID 3268 wrote to memory of 1184	3268	cmd.exe	reg.exe
PID 3268 wrote to memory of 1184	3268	cmd.exe	reg.exe
PID 3268 wrote to memory of 1184	3268	cmd.exe	reg.exe
PID 792 wrote to memory of 3928	792	Qheh4UMIdke3dE9.exe	WScript.exe
PID 792 wrote to memory of 3928	792	Qheh4UMIdke3dE9.exe	WScript.exe
PID 792 wrote to memory of 3928	792	Qheh4UMIdke3dE9.exe	WScript.exe
PID 3928 wrote to memory of 2676	3928	WScript.exe	cmd.exe
PID 3928 wrote to memory of 2676	3928	WScript.exe	cmd.exe
PID 3928 wrote to memory of 2676	3928	WScript.exe	cmd.exe
PID 2676 wrote to memory of 3104	2676	cmd.exe	remcos.exe
PID 2676 wrote to memory of 3104	2676	cmd.exe	remcos.exe
PID 2676 wrote to memory of 3104	2676	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\Qheh4UMIdke3dE9.exe
"C:\Users\Admin\AppData\Local\Temp\Qheh4UMIdke3dE9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Qheh4UMIdke3dE9.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJYypNAjIP.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJYypNAjIP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E29.tmp"
2⤵
- Creates scheduled task(s)
PID:3848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJYypNAjIP.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Users\Admin\AppData\Local\Temp\Qheh4UMIdke3dE9.exe
"C:\Users\Admin\AppData\Local\Temp\Qheh4UMIdke3dE9.exe"
2⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\Qheh4UMIdke3dE9.exe
"C:\Users\Admin\AppData\Local\Temp\Qheh4UMIdke3dE9.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:1184

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
5⤵
- Executes dropped EXE
PID:3104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
da28088bd9654fdfc6367ca1f54d378c

SHA1
7ad2887490acfebf4c59feacfd989298de5811d7

SHA256
1d0d2aee30e15b3d5a1997234b8df4a82d25ade5e885fd40bb92b6eaa212f423

SHA512
eecb4856ce87a91c001f48d4d83ba8ab1b26733967693384f9c3a9c68fc07b786ea30463d66f761f2cb6bec7963732d7caa5b1986f0135184bf2be9abaf80cf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dd317f40f0eceb6d4fa6c746d260b3ba

SHA1
00226b2358286d29736d7d8c017f463b55a3f6c5

SHA256
cd3737fc5ba2ee49ceabf1d0d660c5a639d321df262b3f8249745fd1029cd45d

SHA512
51e8bdf441f23da68a323e8efa2fecf6a0613d5a032970407efa75366ca613ccf69d9b5a0dc955bdeb1172b5d0934cc02817d76577844e0a5dfc0c3a7a26326f

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E29.tmp
MD5
87a1638e914fa351c0b95fbe25e530aa

SHA1
dceceb520df92da687268ec442197850c71b1b93

SHA256
2805a7785b40cc8969e734472841d0d7d0d2a91f21931806c2c976e65a9f399b

SHA512
141c3d3e282a19830d532eb1eb6d343484972e102e1a586b101fa2a69ed777822e98df112fd4ce7cef1f9ab143df27685bcab349dfddae2ebf6b2dd4fd05ab8b

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7e6e20dc66ea2df596fb1e3bcc404eed

SHA1
a79811d90049759cbc1c5293ee8dd5832df20f2c

SHA256
bba34099de8e5e947f218de51e0f490f07ec6063bc22c39cf375785528cb3f90

SHA512
e3ead638252e6c2ce1d731538baf51eb8e914022496f585f6f2c0ca4692a3c1a501030b2a718e127ebf6727253891ea158c5044783dcfc150b19e7e85cd8a434

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
MD5
7e6e20dc66ea2df596fb1e3bcc404eed

SHA1
a79811d90049759cbc1c5293ee8dd5832df20f2c

SHA256
bba34099de8e5e947f218de51e0f490f07ec6063bc22c39cf375785528cb3f90

SHA512
e3ead638252e6c2ce1d731538baf51eb8e914022496f585f6f2c0ca4692a3c1a501030b2a718e127ebf6727253891ea158c5044783dcfc150b19e7e85cd8a434

Download Submit
memory/792-151-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/792-143-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/792-144-0x000000000042EEEF-mapping.dmp

Download
memory/856-122-0x0000000008B50000-0x0000000008C02000-memory.dmp

Filesize
712KB

Download
memory/856-121-0x0000000001850000-0x0000000001930000-memory.dmp

Filesize
896KB

Download
memory/856-120-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/856-119-0x00000000058F0000-0x00000000058FE000-memory.dmp

Filesize
56KB

Download
memory/856-118-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/856-114-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/856-117-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/856-116-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/1184-147-0x0000000000000000-mapping.dmp

Download
memory/2096-205-0x0000000006E23000-0x0000000006E24000-memory.dmp

Filesize
4KB

Download
memory/2096-179-0x00000000083F0000-0x00000000083F1000-memory.dmp

Filesize
4KB

Download
memory/2096-176-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/2096-203-0x000000007F170000-0x000000007F171000-memory.dmp

Filesize
4KB

Download
memory/2096-136-0x0000000006E22000-0x0000000006E23000-memory.dmp

Filesize
4KB

Download
memory/2096-156-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/2096-135-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/2096-132-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/2096-126-0x0000000000000000-mapping.dmp

Download
memory/2200-150-0x0000000004332000-0x0000000004333000-memory.dmp

Filesize
4KB

Download
memory/2200-182-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/2200-159-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/2200-149-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/2200-206-0x0000000004333000-0x0000000004334000-memory.dmp

Filesize
4KB

Download
memory/2200-201-0x000000007ED50000-0x000000007ED51000-memory.dmp

Filesize
4KB

Download
memory/2200-139-0x0000000000000000-mapping.dmp

Download
memory/2676-162-0x0000000000000000-mapping.dmp

Download
memory/3104-163-0x0000000000000000-mapping.dmp

Download
memory/3104-175-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/3268-146-0x0000000000000000-mapping.dmp

Download
memory/3752-204-0x0000000006E03000-0x0000000006E04000-memory.dmp

Filesize
4KB

Download
memory/3752-202-0x000000007EF70000-0x000000007EF71000-memory.dmp

Filesize
4KB

Download
memory/3752-168-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/3752-137-0x0000000006E02000-0x0000000006E03000-memory.dmp

Filesize
4KB

Download
memory/3752-134-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/3752-153-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/3752-127-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/3752-123-0x0000000000000000-mapping.dmp

Download
memory/3848-130-0x0000000000000000-mapping.dmp

Download
memory/3928-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads