remcos | 64e7a4dbad57f1c217a17ad6214d29230ac8ba813d001fdaa35f17fd83f62cf3

General

Target

TNT Receipt_AWB no#87993766478,pdf.exe
Size

715KB
MD5

27a9e4f59f0735c1cd5b6fec688fe6f4
SHA1

86de7e9b35afb3726a925b1a1b7bd00c81c2f6a9
SHA256

64e7a4dbad57f1c217a17ad6214d29230ac8ba813d001fdaa35f17fd83f62cf3
SHA512

1bfc5666172ce59267c58d70347060f5b696dc7414bd1b7efc20f8a544da7c671e9943c3e364ddebdbd734e0de14743f5c5244691d7306973486596376bf75e1

Score

10^/10

remcos rat suricata

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
suricata
Executes dropped EXE 1 IoCs

Processes:

fkvd.exe

pid process

1196 fkvd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1196	fkvd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

TNT Receipt_AWB no#87993766478,pdf.exefkvd.exe

description	pid	process	target process
PID 540 set thread context of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 1196 set thread context of 864	1196	fkvd.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1168 schtasks.exe
1564 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TNT Receipt_AWB no#87993766478,pdf.exefkvd.exe

description pid process

Token: SeDebugPrivilege 540 TNT Receipt_AWB no#87993766478,pdf.exe
Token: SeDebugPrivilege 1196 fkvd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

552 vbc.exe

pid	process
1168	schtasks.exe
1564	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	540	TNT Receipt_AWB no#87993766478,pdf.exe
Token: SeDebugPrivilege	1196	fkvd.exe

pid	process
552	vbc.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

TNT Receipt_AWB no#87993766478,pdf.execmd.exetaskeng.exefkvd.execmd.exe

description	pid	process	target process
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 552	540	TNT Receipt_AWB no#87993766478,pdf.exe	vbc.exe
PID 540 wrote to memory of 928	540	TNT Receipt_AWB no#87993766478,pdf.exe	cmd.exe
PID 540 wrote to memory of 928	540	TNT Receipt_AWB no#87993766478,pdf.exe	cmd.exe
PID 540 wrote to memory of 928	540	TNT Receipt_AWB no#87993766478,pdf.exe	cmd.exe
PID 540 wrote to memory of 928	540	TNT Receipt_AWB no#87993766478,pdf.exe	cmd.exe
PID 540 wrote to memory of 1628	540	TNT Receipt_AWB no#87993766478,pdf.exe	cmd.exe
PID 540 wrote to memory of 1628	540	TNT Receipt_AWB no#87993766478,pdf.exe	cmd.exe
PID 540 wrote to memory of 1628	540	TNT Receipt_AWB no#87993766478,pdf.exe	cmd.exe
PID 540 wrote to memory of 1628	540	TNT Receipt_AWB no#87993766478,pdf.exe	cmd.exe
PID 928 wrote to memory of 1168	928	cmd.exe	schtasks.exe
PID 928 wrote to memory of 1168	928	cmd.exe	schtasks.exe
PID 928 wrote to memory of 1168	928	cmd.exe	schtasks.exe
PID 928 wrote to memory of 1168	928	cmd.exe	schtasks.exe
PID 1972 wrote to memory of 1196	1972	taskeng.exe	fkvd.exe
PID 1972 wrote to memory of 1196	1972	taskeng.exe	fkvd.exe
PID 1972 wrote to memory of 1196	1972	taskeng.exe	fkvd.exe
PID 1972 wrote to memory of 1196	1972	taskeng.exe	fkvd.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 864	1196	fkvd.exe	vbc.exe
PID 1196 wrote to memory of 956	1196	fkvd.exe	cmd.exe
PID 1196 wrote to memory of 956	1196	fkvd.exe	cmd.exe
PID 1196 wrote to memory of 956	1196	fkvd.exe	cmd.exe
PID 1196 wrote to memory of 956	1196	fkvd.exe	cmd.exe
PID 1196 wrote to memory of 1732	1196	fkvd.exe	cmd.exe
PID 1196 wrote to memory of 1732	1196	fkvd.exe	cmd.exe
PID 1196 wrote to memory of 1732	1196	fkvd.exe	cmd.exe
PID 1196 wrote to memory of 1732	1196	fkvd.exe	cmd.exe
PID 956 wrote to memory of 1564	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 1564	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 1564	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 1564	956	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\TNT Receipt_AWB no#87993766478,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\TNT Receipt_AWB no#87993766478,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\TNT Receipt_AWB no#87993766478,pdf.exe" "C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe"
2⤵
PID:1628

C:\Windows\system32\taskeng.exe
taskeng.exe {ADDD33D1-C12A-438F-A2FB-A49949E76BDD} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe
C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe" "C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe"
3⤵
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe
MD5
27a9e4f59f0735c1cd5b6fec688fe6f4

SHA1
86de7e9b35afb3726a925b1a1b7bd00c81c2f6a9

SHA256
64e7a4dbad57f1c217a17ad6214d29230ac8ba813d001fdaa35f17fd83f62cf3

SHA512
1bfc5666172ce59267c58d70347060f5b696dc7414bd1b7efc20f8a544da7c671e9943c3e364ddebdbd734e0de14743f5c5244691d7306973486596376bf75e1

Download Submit
C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe
MD5
27a9e4f59f0735c1cd5b6fec688fe6f4

SHA1
86de7e9b35afb3726a925b1a1b7bd00c81c2f6a9

SHA256
64e7a4dbad57f1c217a17ad6214d29230ac8ba813d001fdaa35f17fd83f62cf3

SHA512
1bfc5666172ce59267c58d70347060f5b696dc7414bd1b7efc20f8a544da7c671e9943c3e364ddebdbd734e0de14743f5c5244691d7306973486596376bf75e1

Download Submit
memory/540-54-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/540-56-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/552-67-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/552-66-0x000000000042FC39-mapping.dmp

Download
memory/552-61-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/552-62-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/552-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/552-64-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/552-65-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/552-57-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/552-59-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/552-58-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/552-71-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/552-60-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/864-87-0x000000000042FC39-mapping.dmp

Download
memory/928-68-0x0000000000000000-mapping.dmp

Download
memory/956-89-0x0000000000000000-mapping.dmp

Download
memory/1168-70-0x0000000000000000-mapping.dmp

Download
memory/1196-75-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/1196-77-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1196-73-0x0000000000000000-mapping.dmp

Download
memory/1564-91-0x0000000000000000-mapping.dmp

Download
memory/1628-69-0x0000000000000000-mapping.dmp

Download
memory/1732-90-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads