remcos | e1951d7c32816561ef8f00f5612a088479e1edb3a8cdbc7b7a48d8b60de5c541

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2022 10:23

Target

rem order.scr.exe
Size

1.2MB
MD5

03b3d450a89959d30f4bfee50b157ad0
SHA1

0f47f3a40e0f2ababb272e54bf49fab8f0990009
SHA256

e1951d7c32816561ef8f00f5612a088479e1edb3a8cdbc7b7a48d8b60de5c541
SHA512

a5e3d89cb9c621dbb1bf89db362f064a32242a362bfd9b564f1e5d000f4b8ae6f82e1f82ddb7a44b70e6217fe760be2b67f940207b4ee9d3610f022080133d60
SSDEEP

24576:YlubgKHsv8FE3UkFDYukPLx1S1cayY6Hnt+I0w4hp:Y4sKMUq3Uk50l1IxyrtAwe

Score

10^/10

Family

remcos

Botnet

IP-REMCOS

91.192.100.12:2404

Attributes

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

rem order.scr.exe

description pid process target process

PID 4400 set thread context of 4612 4400 rem order.scr.exe rem order.scr.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rem order.scr.exe

pid process

4400 rem order.scr.exe
4400 rem order.scr.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rem order.scr.exe

description pid process

Token: SeDebugPrivilege 4400 rem order.scr.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rem order.scr.exe

pid process

4400 rem order.scr.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

rem order.scr.exe

pid process

4400 rem order.scr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rem order.scr.exe

pid process

4612 rem order.scr.exe

description	pid	process	target process
PID 4400 set thread context of 4612	4400	rem order.scr.exe	rem order.scr.exe

pid	process
4400	rem order.scr.exe
4400	rem order.scr.exe

description	pid	process
Token: SeDebugPrivilege	4400	rem order.scr.exe

pid	process
4400	rem order.scr.exe

pid	process
4400	rem order.scr.exe

pid	process
4612	rem order.scr.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rem order.scr.exe

description	pid	process	target process
PID 4400 wrote to memory of 4188	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4188	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4188	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe
PID 4400 wrote to memory of 4612	4400	rem order.scr.exe	rem order.scr.exe

C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe
"C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe"
2⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe
"C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4612

memory/4188-138-0x0000000000000000-mapping.dmp

Download
memory/4400-135-0x0000000005380000-0x000000000538A000-memory.dmp

Filesize
40KB

Download
memory/4400-134-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/4400-132-0x00000000008A0000-0x00000000009DE000-memory.dmp

Filesize
1.2MB

Download
memory/4400-136-0x0000000009000000-0x000000000909C000-memory.dmp

Filesize
624KB

Download
memory/4400-137-0x00000000090A0000-0x0000000009106000-memory.dmp

Filesize
408KB

Download
memory/4400-133-0x00000000059C0000-0x0000000005F64000-memory.dmp

Filesize
5.6MB

Download
memory/4612-139-0x0000000000000000-mapping.dmp

Download
memory/4612-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4612-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4612-142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4612-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4612-144-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download