remcos | 1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2023, 13:05

Target

1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe
Size

74KB
MD5

45f5f116b2d8a8e00998fc1e9e4529d4
SHA1

4e95847d642c24529258567302eadd270e4c0294
SHA256

1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633
SHA512

5612e9ae0774a031edb1f6018df5c76b97e6cc8587bc4580994dc022a4675782b55931d45ef8072ba2f72d7106ef0af4acf1f8d85054eb6789a411d8004a6de0
SSDEEP

768:EGO5dN2mDSU2Ip4jBqltCF0AxEjenoB69+Fxt:vO55SFHBWAxEjc+V

Score

10^/10

Family

remcos

Botnet

RemoteHost

185.146.88.243:2404

Attributes

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2280 set thread context of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79
PID 2280 wrote to memory of 452	2280	1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe	79

C:\Users\Admin\AppData\Local\Temp\1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe
"C:\Users\Admin\AppData\Local\Temp\1cfede541f45c372c43c2e9667323c6d7621b3f13d20ae7be93574a30a7c0633.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\SysWOW64\mspaint.exe"
  2⤵
  PID:452

memory/452-135-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/452-136-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/452-137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/452-138-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/452-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2280-132-0x0000000000970000-0x0000000000988000-memory.dmp

Filesize
96KB

Download
memory/2280-133-0x000000000B830000-0x000000000B8CC000-memory.dmp

Filesize
624KB

Download