remcos | 1d0a51787f8726c44aa40f88422d01f084c4e533c2f190f4aef1696f9fd600d9

General

Target

SOA_0209202_pdf.exe
Size

1.4MB
MD5

fe591810a3e0165d06827d9d492688d5
SHA1

c0f253fae57c006f3be56b098f2785f5d9495d4d
SHA256

1d0a51787f8726c44aa40f88422d01f084c4e533c2f190f4aef1696f9fd600d9
SHA512

264e532b1811e1221e2564b8b2a01a2adc1e5c6a1c494edb3a19ea62ec03a3fb5671a8f5403a7af467ce7a52370f969ae188d5bbea8107f28e0781f56d9ef5d0
SSDEEP

24576:K12zVZ97yv6NYzSXbmzDZqlPuQsGzUlNuTOI7UlN4Y4J8BngTf+TSi:KAR37aFSLmzFqlPuczyPI78mTf+Wi

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:56932

45.128.234.54:56932

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-D11KCU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of SetThreadContext 1 IoCs

Processes:

SOA_0209202_pdf.exe

description pid process target process

PID 1168 set thread context of 880 1168 SOA_0209202_pdf.exe SOA_0209202_pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2016 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SOA_0209202_pdf.exepowershell.exepowershell.exe

pid process

1168 SOA_0209202_pdf.exe
1168 SOA_0209202_pdf.exe
1168 SOA_0209202_pdf.exe
1168 SOA_0209202_pdf.exe
672 powershell.exe
564 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SOA_0209202_pdf.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1168 SOA_0209202_pdf.exe
Token: SeDebugPrivilege 672 powershell.exe
Token: SeDebugPrivilege 564 powershell.exe

description	pid	process	target process
PID 1168 set thread context of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe

pid	process
2016	schtasks.exe

pid	process
1168	SOA_0209202_pdf.exe
1168	SOA_0209202_pdf.exe
1168	SOA_0209202_pdf.exe
1168	SOA_0209202_pdf.exe
672	powershell.exe
564	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1168	SOA_0209202_pdf.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

SOA_0209202_pdf.exe

description	pid	process	target process
PID 1168 wrote to memory of 564	1168	SOA_0209202_pdf.exe	powershell.exe
PID 1168 wrote to memory of 564	1168	SOA_0209202_pdf.exe	powershell.exe
PID 1168 wrote to memory of 564	1168	SOA_0209202_pdf.exe	powershell.exe
PID 1168 wrote to memory of 564	1168	SOA_0209202_pdf.exe	powershell.exe
PID 1168 wrote to memory of 672	1168	SOA_0209202_pdf.exe	powershell.exe
PID 1168 wrote to memory of 672	1168	SOA_0209202_pdf.exe	powershell.exe
PID 1168 wrote to memory of 672	1168	SOA_0209202_pdf.exe	powershell.exe
PID 1168 wrote to memory of 672	1168	SOA_0209202_pdf.exe	powershell.exe
PID 1168 wrote to memory of 2016	1168	SOA_0209202_pdf.exe	schtasks.exe
PID 1168 wrote to memory of 2016	1168	SOA_0209202_pdf.exe	schtasks.exe
PID 1168 wrote to memory of 2016	1168	SOA_0209202_pdf.exe	schtasks.exe
PID 1168 wrote to memory of 2016	1168	SOA_0209202_pdf.exe	schtasks.exe
PID 1168 wrote to memory of 860	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 860	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 860	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 860	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe
PID 1168 wrote to memory of 880	1168	SOA_0209202_pdf.exe	SOA_0209202_pdf.exe

C:\Users\Admin\AppData\Local\Temp\SOA_0209202_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SOA_0209202_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA_0209202_pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QuBiob.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QuBiob" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB6B.tmp"
2⤵
- Creates scheduled task(s)
PID:2016

C:\Users\Admin\AppData\Local\Temp\SOA_0209202_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SOA_0209202_pdf.exe"
2⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\SOA_0209202_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SOA_0209202_pdf.exe"
2⤵
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCB6B.tmp
Filesize
1KB

MD5
b88eacc9a2d3d2858ac1267b1d4a063f

SHA1
70e34d104ae187a9dfa4364de73ae9c4e0e34272

SHA256
5371ed8bb57b0c49c99df429377752d54f0b92d9570ff0569777b2672c4c263d

SHA512
452c12bb7f7f825f05e133d45404915d291835ab46e702073921c1313a178153e9b1d304b19de8920c77806632c486ed5c75f81612a921d14ca549a514c5e83f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NCKT42SUP4J5VZ43TJ55.temp
Filesize
7KB

MD5
79b5cd1930f89d272333c5fdb9886a82

SHA1
7091c2cddc4aef6fd57ac805b6e1d93a871b1cc9

SHA256
b3c2f127fbc90f0ff1670dcb6ab2f777cedcce3ff278eb5707c160a63d274a02

SHA512
6a9c2f069766b258b96bf42271a4e95ce0d9a483ffc77f383bbcdee48bf42e84af3bc4c65f220f0c3447cf3d55c12d52bcff894eee6fe2229b860dff1673d66c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
79b5cd1930f89d272333c5fdb9886a82

SHA1
7091c2cddc4aef6fd57ac805b6e1d93a871b1cc9

SHA256
b3c2f127fbc90f0ff1670dcb6ab2f777cedcce3ff278eb5707c160a63d274a02

SHA512
6a9c2f069766b258b96bf42271a4e95ce0d9a483ffc77f383bbcdee48bf42e84af3bc4c65f220f0c3447cf3d55c12d52bcff894eee6fe2229b860dff1673d66c

Download Submit
memory/564-87-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/564-89-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/672-88-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/880-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-103-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/880-102-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-84-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-100-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/880-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1168-55-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1168-56-0x00000000004F0000-0x0000000000510000-memory.dmp

Filesize
128KB

Download
memory/1168-57-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/1168-58-0x0000000005A60000-0x0000000005B54000-memory.dmp

Filesize
976KB

Download
memory/1168-54-0x0000000001210000-0x0000000001382000-memory.dmp

Filesize
1.4MB

Download
memory/1168-71-0x0000000005140000-0x00000000051C0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads