remcos | ca3bb8d7b3a66189add3fdd0dac2403783af3e4d36a117aad422647e3d7223d9

General

Target

a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
Size

1.1MB
MD5

86e5451f3367e6580295e46b33d3d8ea
SHA1

b27ac49886349182a8f3cb9cdd7eaed0438ba3a3
SHA256

a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49
SHA512

1b0bfc3df08ef499b2c1d7d24f9e31a027c98592645512d73cd58b50f12d52fda4a1287a7a61e6e7ce63a418db393c3546586ea6bf043e8a9de873a2e0ac85eb

Score

10^/10

remcos 10 rat

Malware Config

Extracted

Family

remcos

Version

2.7.0 Pro

Botnet

10

C2

duckdne7832732.duckdns.org:1718

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-RN68N0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

Processes:

a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe

description	pid	process	target process
PID 2004 set thread context of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

808 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe

pid process

2004 a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe

description pid process

Token: SeDebugPrivilege 2004 a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

572 RegSvcs.exe

pid	process
808	schtasks.exe

pid	process
2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe

description	pid	process
Token: SeDebugPrivilege	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe

pid	process
572	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe

description	pid	process	target process
PID 2004 wrote to memory of 808	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	schtasks.exe
PID 2004 wrote to memory of 808	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	schtasks.exe
PID 2004 wrote to memory of 808	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	schtasks.exe
PID 2004 wrote to memory of 808	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	schtasks.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe
PID 2004 wrote to memory of 572	2004	a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
"C:\Users\Admin\AppData\Local\Temp\a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VuYmmGpWGSWON" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF92.tmp"
2⤵
- Creates scheduled task(s)
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetWindowsHookEx
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFF92.tmp
MD5
623e1303dec20aee0f6d1df21508fc31

SHA1
4db1473e3931ef1dd632728dbcaa8c54fc360721

SHA256
75f63c31898e3bc05e582c587d878ee2f05ef2ad76e5d5c5cba727d22e006850

SHA512
2b7851907747e6f8c52435efcac9d3fd67947192a5c3f65e9198a0d5141509e0793105ba6186e0d0a1a9af9b20898b92aec9394ecc353ae43bdac90e2a939dd8

Download Submit
memory/572-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/572-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/572-71-0x0000000000401000-0x0000000000421000-memory.dmp

Filesize
128KB

Download
memory/572-70-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/572-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/572-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/572-65-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/572-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/572-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2004-57-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2004-56-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download
memory/2004-55-0x0000000001000000-0x0000000001112000-memory.dmp

Filesize
1.1MB

Download
memory/2004-60-0x0000000005120000-0x0000000005146000-memory.dmp

Filesize
152KB

Download
memory/2004-59-0x0000000005010000-0x0000000005082000-memory.dmp

Filesize
456KB

Download
memory/2004-58-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads