remcos | f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-06-2023 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
Size

984KB
MD5

c54fea66c5150e6d924ca83f504c1aa4
SHA1

14bb12af44b33a9177bd38f22f970f7e3db80bc9
SHA256

f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9
SHA512

215ec41747e0e341f4581118547152b041161807a0bb4c87bcfe01c759c1cfd998fcc11baef2fe639075648856ca7e4eaf4716ee1af8bb911e33167d40d9805b
SSDEEP

12288:s7z5GoJiGaq5aurWxRe3H3/U7FuMM/e3ColjhNETt9iUME6nlXl0iNawmPV2/1DL:65GoR5auvU7kKXsAE6nj02oc/SMtwY7

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

212.193.30.230:3330

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VPI7TY
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1140-164-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1140-170-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1140-172-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1744-162-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1744-169-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1140-164-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1744-162-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1744-169-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1140-170-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1140-172-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

remcos.exeremcos.exeremcos.exeremcos.exeremcos.exe

pid process

1352 remcos.exe
1560 remcos.exe
2012 remcos.exe
1744 remcos.exe
1140 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe

pid process

604 f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1352	remcos.exe
1560	remcos.exe
2012	remcos.exe
1744	remcos.exe
1140	remcos.exe

pid	process
604	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

remcos.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	remcos.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.exef0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exeremcos.exeremcos.exe

description	pid	process	target process
PID 1376 set thread context of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1352 set thread context of 1560	1352	remcos.exe	remcos.exe
PID 1560 set thread context of 1744	1560	remcos.exe	remcos.exe
PID 1560 set thread context of 1140	1560	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1168 schtasks.exe
916 schtasks.exe

pid	process
1168	schtasks.exe
916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exepowershell.exepowershell.exeremcos.exepowershell.exepowershell.exeremcos.exe

pid	process
1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
656	powershell.exe
1648	powershell.exe
1352	remcos.exe
1352	remcos.exe
1352	remcos.exe
1352	remcos.exe
1352	remcos.exe
1460	powershell.exe
1836	powershell.exe
1352	remcos.exe
1744	remcos.exe
1744	remcos.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

remcos.exe

pid process

1560 remcos.exe
1560 remcos.exe
1560 remcos.exe
1560 remcos.exe

pid	process
1560	remcos.exe
1560	remcos.exe
1560	remcos.exe
1560	remcos.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exepowershell.exepowershell.exeremcos.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1352	remcos.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1560 remcos.exe

pid	process
1560	remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exef0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exeremcos.exeremcos.exe

description	pid	process	target process
PID 1376 wrote to memory of 656	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	powershell.exe
PID 1376 wrote to memory of 656	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	powershell.exe
PID 1376 wrote to memory of 656	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	powershell.exe
PID 1376 wrote to memory of 656	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	powershell.exe
PID 1376 wrote to memory of 1648	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	powershell.exe
PID 1376 wrote to memory of 1648	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	powershell.exe
PID 1376 wrote to memory of 1648	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	powershell.exe
PID 1376 wrote to memory of 1648	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	powershell.exe
PID 1376 wrote to memory of 1168	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	schtasks.exe
PID 1376 wrote to memory of 1168	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	schtasks.exe
PID 1376 wrote to memory of 1168	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	schtasks.exe
PID 1376 wrote to memory of 1168	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	schtasks.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 1376 wrote to memory of 604	1376	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
PID 604 wrote to memory of 1352	604	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	remcos.exe
PID 604 wrote to memory of 1352	604	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	remcos.exe
PID 604 wrote to memory of 1352	604	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	remcos.exe
PID 604 wrote to memory of 1352	604	f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe	remcos.exe
PID 1352 wrote to memory of 1836	1352	remcos.exe	powershell.exe
PID 1352 wrote to memory of 1836	1352	remcos.exe	powershell.exe
PID 1352 wrote to memory of 1836	1352	remcos.exe	powershell.exe
PID 1352 wrote to memory of 1836	1352	remcos.exe	powershell.exe
PID 1352 wrote to memory of 1460	1352	remcos.exe	powershell.exe
PID 1352 wrote to memory of 1460	1352	remcos.exe	powershell.exe
PID 1352 wrote to memory of 1460	1352	remcos.exe	powershell.exe
PID 1352 wrote to memory of 1460	1352	remcos.exe	powershell.exe
PID 1352 wrote to memory of 916	1352	remcos.exe	schtasks.exe
PID 1352 wrote to memory of 916	1352	remcos.exe	schtasks.exe
PID 1352 wrote to memory of 916	1352	remcos.exe	schtasks.exe
PID 1352 wrote to memory of 916	1352	remcos.exe	schtasks.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1352 wrote to memory of 1560	1352	remcos.exe	remcos.exe
PID 1560 wrote to memory of 2012	1560	remcos.exe	remcos.exe
PID 1560 wrote to memory of 2012	1560	remcos.exe	remcos.exe
PID 1560 wrote to memory of 2012	1560	remcos.exe	remcos.exe
PID 1560 wrote to memory of 2012	1560	remcos.exe	remcos.exe
PID 1560 wrote to memory of 1744	1560	remcos.exe	remcos.exe
PID 1560 wrote to memory of 1744	1560	remcos.exe	remcos.exe
PID 1560 wrote to memory of 1744	1560	remcos.exe	remcos.exe
PID 1560 wrote to memory of 1744	1560	remcos.exe	remcos.exe
PID 1560 wrote to memory of 1744	1560	remcos.exe	remcos.exe
PID 1560 wrote to memory of 1140	1560	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
"C:\Users\Admin\AppData\Local\Temp\f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CFnqYf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CFnqYf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE81E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe
  "C:\Users\Admin\AppData\Local\Temp\f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1836
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CFnqYf.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1460
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CFnqYf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC0FF.tmp"
      4⤵
      Creates scheduled task(s)
      PID:916
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\htayhstcbpxulaydjrvuqqi"
        5⤵
        Executes dropped EXE
        
        PID:2012
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\htayhstcbpxulaydjrvuqqi"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\uptcbdoxlghlxvitknupeiplyemthy"
        5⤵
        
        PID:952
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\knojakdepypyvhmpbcintducqq"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
144B

MD5
956330c0e1f683d01e046a8617f0ea19

SHA1
a084b9d0b391ceae0551ff5655f04bbd48864428

SHA256
081a73d54fac6cfb16a7fca9fe3c78835405ca7ed3add8372082b22f0386abfc

SHA512
de759f7c6ab84e9682f1785f6f2a48a3ded70387a29b3d748677dbd8f3af6356cab0575c17cbb763c8ea7a2a4004928ab08cdd1a7bdb1c06cc047c1b2bb51719

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
984KB

MD5
c54fea66c5150e6d924ca83f504c1aa4

SHA1
14bb12af44b33a9177bd38f22f970f7e3db80bc9

SHA256
f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9

SHA512
215ec41747e0e341f4581118547152b041161807a0bb4c87bcfe01c759c1cfd998fcc11baef2fe639075648856ca7e4eaf4716ee1af8bb911e33167d40d9805b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
984KB

MD5
c54fea66c5150e6d924ca83f504c1aa4

SHA1
14bb12af44b33a9177bd38f22f970f7e3db80bc9

SHA256
f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9

SHA512
215ec41747e0e341f4581118547152b041161807a0bb4c87bcfe01c759c1cfd998fcc11baef2fe639075648856ca7e4eaf4716ee1af8bb911e33167d40d9805b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
984KB

MD5
c54fea66c5150e6d924ca83f504c1aa4

SHA1
14bb12af44b33a9177bd38f22f970f7e3db80bc9

SHA256
f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9

SHA512
215ec41747e0e341f4581118547152b041161807a0bb4c87bcfe01c759c1cfd998fcc11baef2fe639075648856ca7e4eaf4716ee1af8bb911e33167d40d9805b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
984KB

MD5
c54fea66c5150e6d924ca83f504c1aa4

SHA1
14bb12af44b33a9177bd38f22f970f7e3db80bc9

SHA256
f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9

SHA512
215ec41747e0e341f4581118547152b041161807a0bb4c87bcfe01c759c1cfd998fcc11baef2fe639075648856ca7e4eaf4716ee1af8bb911e33167d40d9805b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
984KB

MD5
c54fea66c5150e6d924ca83f504c1aa4

SHA1
14bb12af44b33a9177bd38f22f970f7e3db80bc9

SHA256
f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9

SHA512
215ec41747e0e341f4581118547152b041161807a0bb4c87bcfe01c759c1cfd998fcc11baef2fe639075648856ca7e4eaf4716ee1af8bb911e33167d40d9805b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
984KB

MD5
c54fea66c5150e6d924ca83f504c1aa4

SHA1
14bb12af44b33a9177bd38f22f970f7e3db80bc9

SHA256
f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9

SHA512
215ec41747e0e341f4581118547152b041161807a0bb4c87bcfe01c759c1cfd998fcc11baef2fe639075648856ca7e4eaf4716ee1af8bb911e33167d40d9805b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
984KB

MD5
c54fea66c5150e6d924ca83f504c1aa4

SHA1
14bb12af44b33a9177bd38f22f970f7e3db80bc9

SHA256
f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9

SHA512
215ec41747e0e341f4581118547152b041161807a0bb4c87bcfe01c759c1cfd998fcc11baef2fe639075648856ca7e4eaf4716ee1af8bb911e33167d40d9805b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC0FF.tmp

Filesize
1KB

MD5
2dfb2e9d2107b9c2cdb0ede378db3ea1

SHA1
94805ee6d404dbb2d7e8763ae8a301916878f02d

SHA256
15cee406f8b9df2c61faad965faf47a9f0e3a1678fa90e373dfb7f89190555cb

SHA512
a5ce059140f16c71dd460d0b525cd285639522919975c8936ef4f687cdd0edfcc6bb2a41f1d8269f7a39dfeb5de7f59d4cd9ec2714b639b56275f63838520aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE81E.tmp

Filesize
1KB

MD5
2dfb2e9d2107b9c2cdb0ede378db3ea1

SHA1
94805ee6d404dbb2d7e8763ae8a301916878f02d

SHA256
15cee406f8b9df2c61faad965faf47a9f0e3a1678fa90e373dfb7f89190555cb

SHA512
a5ce059140f16c71dd460d0b525cd285639522919975c8936ef4f687cdd0edfcc6bb2a41f1d8269f7a39dfeb5de7f59d4cd9ec2714b639b56275f63838520aac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PCUSCKIPBQF4J8K4TJ03.temp

Filesize
7KB

MD5
13e4633801e9befbb6413875b4993e82

SHA1
ab1474a4ee92a6f0a095fb1f893bec5ad597a202

SHA256
627eab443747817471f828d19457aa4617593c2b1dff74f3cce42aa9133b8f1c

SHA512
248ffe7216a5e087de32220b88a254d8d5347a9c553ecb7820eaf395f273a513ac10692107485c39d7cf89404abf3fac78ec74e1f345f33b0010fb051eb153be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TN89RHH4I5AX8TQPZSSL.temp

Filesize
7KB

MD5
65b45c3204d83e5019a66510c0a71bbb

SHA1
e91ea5df0a4ef595747300578ae9252462007552

SHA256
1cb4750bcb8e506b681913012a69ab53d4efb47435acc58f59308465ec455dc1

SHA512
5ed09abb9171584af380e5e5094218628d8064d303fc5829ec04ab8f52a1f294bcbe21670fca679e0e4a79a51caed87d3c8f02bcf468140813cdf356ba76acb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
65b45c3204d83e5019a66510c0a71bbb

SHA1
e91ea5df0a4ef595747300578ae9252462007552

SHA256
1cb4750bcb8e506b681913012a69ab53d4efb47435acc58f59308465ec455dc1

SHA512
5ed09abb9171584af380e5e5094218628d8064d303fc5829ec04ab8f52a1f294bcbe21670fca679e0e4a79a51caed87d3c8f02bcf468140813cdf356ba76acb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
65b45c3204d83e5019a66510c0a71bbb

SHA1
e91ea5df0a4ef595747300578ae9252462007552

SHA256
1cb4750bcb8e506b681913012a69ab53d4efb47435acc58f59308465ec455dc1

SHA512
5ed09abb9171584af380e5e5094218628d8064d303fc5829ec04ab8f52a1f294bcbe21670fca679e0e4a79a51caed87d3c8f02bcf468140813cdf356ba76acb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
13e4633801e9befbb6413875b4993e82

SHA1
ab1474a4ee92a6f0a095fb1f893bec5ad597a202

SHA256
627eab443747817471f828d19457aa4617593c2b1dff74f3cce42aa9133b8f1c

SHA512
248ffe7216a5e087de32220b88a254d8d5347a9c553ecb7820eaf395f273a513ac10692107485c39d7cf89404abf3fac78ec74e1f345f33b0010fb051eb153be

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
984KB

MD5
c54fea66c5150e6d924ca83f504c1aa4

SHA1
14bb12af44b33a9177bd38f22f970f7e3db80bc9

SHA256
f0b85c3d890019c1d88274fb49f4caa52d696917a418ffee89324ad40d0076c9

SHA512
215ec41747e0e341f4581118547152b041161807a0bb4c87bcfe01c759c1cfd998fcc11baef2fe639075648856ca7e4eaf4716ee1af8bb911e33167d40d9805b

Download Submit
memory/604-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/604-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/604-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/604-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/604-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/604-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/604-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/604-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/604-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/604-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/604-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/604-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/656-87-0x0000000002090000-0x00000000020D0000-memory.dmp

Filesize
256KB

Download
memory/656-85-0x0000000002090000-0x00000000020D0000-memory.dmp

Filesize
256KB

Download
memory/1140-157-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1140-163-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1140-170-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1140-164-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1140-172-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1352-99-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/1352-97-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/1352-96-0x0000000000130000-0x000000000022C000-memory.dmp

Filesize
1008KB

Download
memory/1376-55-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/1376-72-0x0000000005650000-0x00000000056D0000-memory.dmp

Filesize
512KB

Download
memory/1376-58-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1376-59-0x0000000005490000-0x0000000005544000-memory.dmp

Filesize
720KB

Download
memory/1376-54-0x0000000000E40000-0x0000000000F3C000-memory.dmp

Filesize
1008KB

Download
memory/1376-56-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1376-57-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/1460-113-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/1460-112-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/1560-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-140-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-144-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-146-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-134-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-131-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1560-124-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1560-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1648-98-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/1648-84-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/1744-162-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1744-158-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1744-169-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1744-153-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1836-114-0x0000000001E60000-0x0000000001EA0000-memory.dmp

Filesize
256KB

Download