remcos | 8b6a0f607c8aa32a95838d10b496bdbd68b86a457ef49f8043badb21f5b12b2a

General

Target

TNT Original Invoice PDF.exe
Size

1.0MB
MD5

f64fc1f7c9d03819bd76645aab99be48
SHA1

11513e335fefcc3a302aba54ea5f5911f3290b9d
SHA256

8b6a0f607c8aa32a95838d10b496bdbd68b86a457ef49f8043badb21f5b12b2a
SHA512

5e9ffee587fbb61256b3f531a50c9ec40598a6459f6e2e30d022c84940a7786208a38430cf7a529588ee9be2f23a930d7b87afa6718744a25b26f81c476dc625
SSDEEP

24576:wYXIQ57jS4qoLVNVS9nqi06jz8ajDTEnU6D5RJ:x/5+oxS9nC6rLR6

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52YOYG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TNT Original Invoice PDF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	TNT Original Invoice PDF.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

TNT Original Invoice PDF.exe

description pid process target process

PID 1944 set thread context of 3520 1944 TNT Original Invoice PDF.exe TNT Original Invoice PDF.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5000 schtasks.exe

description	pid	process	target process
PID 1944 set thread context of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe

pid	process
5000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

TNT Original Invoice PDF.exepowershell.exepowershell.exe

pid	process
1944	TNT Original Invoice PDF.exe
1944	TNT Original Invoice PDF.exe
1944	TNT Original Invoice PDF.exe
1944	TNT Original Invoice PDF.exe
1944	TNT Original Invoice PDF.exe
1944	TNT Original Invoice PDF.exe
344	powershell.exe
3200	powershell.exe
1944	TNT Original Invoice PDF.exe
1944	TNT Original Invoice PDF.exe
1944	TNT Original Invoice PDF.exe
1944	TNT Original Invoice PDF.exe
344	powershell.exe
3200	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TNT Original Invoice PDF.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1944	TNT Original Invoice PDF.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TNT Original Invoice PDF.exe

pid process

3520 TNT Original Invoice PDF.exe

pid	process
3520	TNT Original Invoice PDF.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

TNT Original Invoice PDF.exe

description	pid	process	target process
PID 1944 wrote to memory of 344	1944	TNT Original Invoice PDF.exe	powershell.exe
PID 1944 wrote to memory of 344	1944	TNT Original Invoice PDF.exe	powershell.exe
PID 1944 wrote to memory of 344	1944	TNT Original Invoice PDF.exe	powershell.exe
PID 1944 wrote to memory of 3200	1944	TNT Original Invoice PDF.exe	powershell.exe
PID 1944 wrote to memory of 3200	1944	TNT Original Invoice PDF.exe	powershell.exe
PID 1944 wrote to memory of 3200	1944	TNT Original Invoice PDF.exe	powershell.exe
PID 1944 wrote to memory of 5000	1944	TNT Original Invoice PDF.exe	schtasks.exe
PID 1944 wrote to memory of 5000	1944	TNT Original Invoice PDF.exe	schtasks.exe
PID 1944 wrote to memory of 5000	1944	TNT Original Invoice PDF.exe	schtasks.exe
PID 1944 wrote to memory of 1400	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 1400	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 1400	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe
PID 1944 wrote to memory of 3520	1944	TNT Original Invoice PDF.exe	TNT Original Invoice PDF.exe

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kZskrgQLQwU.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kZskrgQLQwU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D0.tmp"
2⤵
- Creates scheduled task(s)
PID:5000

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
2⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1D0.tmp
Filesize
1KB

MD5
03b41ac6491dfe776333bbd5bd6b99e8

SHA1
2f4bb429bfc66711c5cd55c5744802e506c59c74

SHA256
d7e321bc6872bcb38cf01354176ba5f5b4b4516f8725b7cf644adde1bb7cb967

SHA512
b172375bd7c2eca650f926689fc8a2539dff3edd5e3da8b38af0a09a30b5c135f1a74fa96bf241744dad1a1f9b56b6bb0ede5d45b9963c5bb49d059d98ffebe4

Download Submit
memory/344-144-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/344-139-0x0000000004A90000-0x0000000004AC6000-memory.dmp

Filesize
216KB

Download
memory/344-162-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/344-153-0x0000000007050000-0x0000000007082000-memory.dmp

Filesize
200KB

Download
memory/344-141-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/344-158-0x0000000007360000-0x000000000737A000-memory.dmp

Filesize
104KB

Download
memory/344-152-0x0000000006050000-0x000000000606E000-memory.dmp

Filesize
120KB

Download
memory/344-157-0x00000000079C0000-0x000000000803A000-memory.dmp

Filesize
6.5MB

Download
memory/344-137-0x0000000000000000-mapping.dmp

Download
memory/344-155-0x0000000070E50000-0x0000000070E9C000-memory.dmp

Filesize
304KB

Download
memory/1400-146-0x0000000000000000-mapping.dmp

Download
memory/1944-133-0x0000000005290000-0x0000000005834000-memory.dmp

Filesize
5.6MB

Download
memory/1944-134-0x0000000004DD0000-0x0000000004E62000-memory.dmp

Filesize
584KB

Download
memory/1944-136-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/1944-135-0x0000000004F90000-0x0000000004F9A000-memory.dmp

Filesize
40KB

Download
memory/1944-132-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/3200-138-0x0000000000000000-mapping.dmp

Download
memory/3200-160-0x0000000007320000-0x00000000073B6000-memory.dmp

Filesize
600KB

Download
memory/3200-159-0x0000000007110000-0x000000000711A000-memory.dmp

Filesize
40KB

Download
memory/3200-161-0x00000000072D0000-0x00000000072DE000-memory.dmp

Filesize
56KB

Download
memory/3200-145-0x0000000004E40000-0x0000000004EA6000-memory.dmp

Filesize
408KB

Download
memory/3200-154-0x0000000070E50000-0x0000000070E9C000-memory.dmp

Filesize
304KB

Download
memory/3200-156-0x0000000006340000-0x000000000635E000-memory.dmp

Filesize
120KB

Download
memory/3200-143-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/3200-163-0x00000000073C0000-0x00000000073C8000-memory.dmp

Filesize
32KB

Download
memory/3520-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3520-151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3520-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3520-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3520-147-0x0000000000000000-mapping.dmp

Download
memory/3520-164-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5000-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads