remcos | 7872569060f1dcfdd52b00cf82693bdd4fe7be317693ca46b762e6b2fefe46cc

General

Target

Shipping Documents.exe
Size

1.4MB
MD5

884b2cedeb9fe17414d65ddee32081b3
SHA1

7d4b3febd2306fb818ed8e1509a904f687cdd692
SHA256

7872569060f1dcfdd52b00cf82693bdd4fe7be317693ca46b762e6b2fefe46cc
SHA512

a86b44fd2da8396d74ab6d394d42b4b0464d5c4199ac7673aebefbafac9ac7fc0cb8528d957fd7443a06c4b8857ae20211c676cd4f142e2b52d12459a844e0b7
SSDEEP

24576:WEVgoA9sxuTFThs4UHhjgRj9Bm3hFwr1/osvR6BmAOe:xa19LO4Uu7ITonss

Score

10^/10

remcos starmoneynew rat

Malware Config

Extracted

Family

remcos

Botnet

StarMoneyNew

C2

185.252.178.35:41900

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6RGOTF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Shipping Documents.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Shipping Documents.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Shipping Documents.exe

description pid process target process

PID 2984 set thread context of 4788 2984 Shipping Documents.exe Shipping Documents.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

964 schtasks.exe

description	pid	process	target process
PID 2984 set thread context of 4788	2984	Shipping Documents.exe	Shipping Documents.exe

pid	process
964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Shipping Documents.exepowershell.exe

pid	process
2984	Shipping Documents.exe
176	powershell.exe
2984	Shipping Documents.exe
2984	Shipping Documents.exe
2984	Shipping Documents.exe
2984	Shipping Documents.exe
2984	Shipping Documents.exe
2984	Shipping Documents.exe
2984	Shipping Documents.exe
2984	Shipping Documents.exe
2984	Shipping Documents.exe
176	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Shipping Documents.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2984 Shipping Documents.exe
Token: SeDebugPrivilege 176 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Shipping Documents.exe

pid process

2984 Shipping Documents.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Shipping Documents.exe

pid process

2984 Shipping Documents.exe

description	pid	process
Token: SeDebugPrivilege	2984	Shipping Documents.exe
Token: SeDebugPrivilege	176	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

Shipping Documents.exe

description	pid	process	target process
PID 2984 wrote to memory of 176	2984	Shipping Documents.exe	powershell.exe
PID 2984 wrote to memory of 176	2984	Shipping Documents.exe	powershell.exe
PID 2984 wrote to memory of 176	2984	Shipping Documents.exe	powershell.exe
PID 2984 wrote to memory of 964	2984	Shipping Documents.exe	schtasks.exe
PID 2984 wrote to memory of 964	2984	Shipping Documents.exe	schtasks.exe
PID 2984 wrote to memory of 964	2984	Shipping Documents.exe	schtasks.exe
PID 2984 wrote to memory of 3444	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 3444	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 3444	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 3456	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 3456	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 3456	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 3768	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 3768	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 3768	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 3484	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 3484	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 3484	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe
PID 2984 wrote to memory of 4788	2984	Shipping Documents.exe	Shipping Documents.exe

C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qruEqctPQXCh.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qruEqctPQXCh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp634E.tmp"
2⤵
- Creates scheduled task(s)
PID:964

C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
2⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
2⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
2⤵
PID:3768

C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
2⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
2⤵
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp634E.tmp
Filesize
1KB

MD5
0779dc40d52ce66c7d46653aba6416be

SHA1
7f5a8d13ef11a71660f7e59d2cbf822fa6afddad

SHA256
f862b6a5fcb8413020200805b5021d6be10a089057afa202716de4f9067aacf4

SHA512
61110e1883e3009c69df58e77b66624a55174e0f9a8c33a31a7c360428756cb4be732caf2833524e40b2b2c6524a476237165b31e5da0481ed721a26beb95bbc

Download Submit
memory/176-156-0x0000000071900000-0x000000007194C000-memory.dmp

Filesize
304KB

Download
memory/176-140-0x0000000002730000-0x0000000002766000-memory.dmp

Filesize
216KB

Download
memory/176-165-0x0000000007680000-0x0000000007688000-memory.dmp

Filesize
32KB

Download
memory/176-164-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/176-163-0x0000000004DC0000-0x0000000004DCE000-memory.dmp

Filesize
56KB

Download
memory/176-138-0x0000000000000000-mapping.dmp

Download
memory/176-161-0x00000000075D0000-0x0000000007666000-memory.dmp

Filesize
600KB

Download
memory/176-160-0x00000000073C0000-0x00000000073CA000-memory.dmp

Filesize
40KB

Download
memory/176-159-0x0000000007350000-0x000000000736A000-memory.dmp

Filesize
104KB

Download
memory/176-142-0x0000000005140000-0x0000000005768000-memory.dmp

Filesize
6.2MB

Download
memory/176-143-0x0000000004F80000-0x0000000004FA2000-memory.dmp

Filesize
136KB

Download
memory/176-158-0x00000000079A0000-0x000000000801A000-memory.dmp

Filesize
6.5MB

Download
memory/176-157-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/176-155-0x0000000006610000-0x0000000006642000-memory.dmp

Filesize
200KB

Download
memory/176-154-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/176-152-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/964-139-0x0000000000000000-mapping.dmp

Download
memory/2984-134-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/2984-133-0x0000000005600000-0x0000000005BA4000-memory.dmp

Filesize
5.6MB

Download
memory/2984-132-0x0000000000550000-0x00000000006BA000-memory.dmp

Filesize
1.4MB

Download
memory/2984-137-0x00000000090E0000-0x0000000009146000-memory.dmp

Filesize
408KB

Download
memory/2984-136-0x0000000008DA0000-0x0000000008E3C000-memory.dmp

Filesize
624KB

Download
memory/2984-135-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/3444-144-0x0000000000000000-mapping.dmp

Download
memory/3456-145-0x0000000000000000-mapping.dmp

Download
memory/3484-147-0x0000000000000000-mapping.dmp

Download
memory/3768-146-0x0000000000000000-mapping.dmp

Download
memory/4788-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4788-151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4788-162-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4788-153-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4788-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4788-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads