remcos | cf24e90d7806fad40a47bf7941496f2568fd992193bbd100ffeaaf2bf9bea681

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-en-20211014
submitted
21-10-2021 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order copy.exe
Size

963KB
MD5

4e85bccd3ffbc25142507fe1883f2eda
SHA1

634ca94d2f19b7784bf2de78657c7d927b21b52a
SHA256

14dac7b193364d4c9d85f2cb2c1fa88683e8fffece0a499c90e49eca08a85e9d
SHA512

1704cc8c9219323d455d5611ccaaf6a6103eda3a886dc17101b2a41de3db8064374640f29876f24e5322042d25c0f53c1051002f367d1ec027ce7ba5badf1774

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

sabrinaoyst.ddns.net:7019

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-PACL2H
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

RemoteHost

sabrinaoyst.ddns.net:7019

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-PACL2H
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\lsacce.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 4 IoCs

Processes:

lsacce.exeAddInProcess32.exelscce.exelscce.exe

pid process

1828 lsacce.exe
1256 AddInProcess32.exe
1668 lscce.exe
1884 lscce.exe
Loads dropped DLL 4 IoCs

Processes:

Order copy.exelsacce.exelscce.exe

pid process

1988 Order copy.exe
1828 lsacce.exe
1828 lsacce.exe
1668 lscce.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lsacce.exe

description pid process target process

PID 1828 set thread context of 1256 1828 lsacce.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1828	lsacce.exe
1256	AddInProcess32.exe
1668	lscce.exe
1884	lscce.exe

description	pid	process	target process
PID 1828 set thread context of 1256	1828	lsacce.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Order copy.exelsacce.exelscce.exelscce.exe

pid	process
1988	Order copy.exe
1988	Order copy.exe
1988	Order copy.exe
1828	lsacce.exe
1828	lsacce.exe
1828	lsacce.exe
1668	lscce.exe
1884	lscce.exe
1884	lscce.exe
1884	lscce.exe
1828	lsacce.exe
1828	lsacce.exe
1828	lsacce.exe
1828	lsacce.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Order copy.exelsacce.exelscce.exelscce.exe

description	pid	process
Token: SeDebugPrivilege	1988	Order copy.exe
Token: SeDebugPrivilege	1828	lsacce.exe
Token: SeDebugPrivilege	1668	lscce.exe
Token: SeDebugPrivilege	1884	lscce.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

1256 AddInProcess32.exe

pid	process
1256	AddInProcess32.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

Order copy.execmd.exelsacce.exelscce.exe

description	pid	process	target process
PID 1988 wrote to memory of 1724	1988	Order copy.exe	cmd.exe
PID 1988 wrote to memory of 1724	1988	Order copy.exe	cmd.exe
PID 1988 wrote to memory of 1724	1988	Order copy.exe	cmd.exe
PID 1988 wrote to memory of 1724	1988	Order copy.exe	cmd.exe
PID 1724 wrote to memory of 1928	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1928	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1928	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1928	1724	cmd.exe	reg.exe
PID 1988 wrote to memory of 1828	1988	Order copy.exe	lsacce.exe
PID 1988 wrote to memory of 1828	1988	Order copy.exe	lsacce.exe
PID 1988 wrote to memory of 1828	1988	Order copy.exe	lsacce.exe
PID 1988 wrote to memory of 1828	1988	Order copy.exe	lsacce.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1256	1828	lsacce.exe	AddInProcess32.exe
PID 1828 wrote to memory of 1668	1828	lsacce.exe	lscce.exe
PID 1828 wrote to memory of 1668	1828	lsacce.exe	lscce.exe
PID 1828 wrote to memory of 1668	1828	lsacce.exe	lscce.exe
PID 1828 wrote to memory of 1668	1828	lsacce.exe	lscce.exe
PID 1668 wrote to memory of 1884	1668	lscce.exe	lscce.exe
PID 1668 wrote to memory of 1884	1668	lscce.exe	lscce.exe
PID 1668 wrote to memory of 1884	1668	lscce.exe	lscce.exe
PID 1668 wrote to memory of 1884	1668	lscce.exe	lscce.exe

C:\Users\Admin\AppData\Local\Temp\Order copy.exe
"C:\Users\Admin\AppData\Local\Temp\Order copy.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\lsacce.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\lsacce.exe,"
3⤵
- Modifies WinLogon for persistence
PID:1928

C:\Users\Admin\AppData\Roaming\lsacce.exe
"C:\Users\Admin\AppData\Roaming\lsacce.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\\AddInProcess32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Users\Admin\AppData\Local\Temp\lscce.exe
"C:\Users\Admin\AppData\Local\Temp\lscce.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\lscce.exe
"C:\Users\Admin\AppData\Local\Temp\lscce.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
38d6fa3954e6376dd3114060ae0cc38d

SHA1
2f5c032c6d76c4d67216e5fa5a31dea7af193491

SHA256
83da31fc36053add1b408a2305b3b5868d867ce23625690242efa5ff53c28a43

SHA512
681e9168b5f8f63c2adc26c3a37b7c0ff8495caa4888be64587da136c678c0143c4715a7c686079add80af0a7008c9f8105bdf234142aeadef053f18998529f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\lscce.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lscce.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lscce.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lscce.txt
MD5
7f886d69f5eec2844fd649dfb4342060

SHA1
a26b5dd3f1dd937922146acbe5f8951d6d2844cb

SHA256
d64eb3c59fbd84051e034da03d410b2f8b9ae8b014e21ce241dd6a712e2cc5ce

SHA512
5a4463605a179ccbd7c8f3c9304ab637ac909e55dc6e069e23a4fefc556cc2f38cbd42f6610a97b23909f09bc2337daac4942d856662cf39e161dfece011637a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lscce.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lscce.txt
MD5
7a328a13541fde325dafdb3e43672496

SHA1
925a39a57cb443dd2894899ab0747370e347312a

SHA256
757151491bf4de5a71ccc028169cd8c809b01a180462be118369c4986043c291

SHA512
d6f9c0719787b2ec9b1fc73a52a715c57c7a646696d31ad186aa337b0c510de6b91c363af3105eaa6b2bab3ffe189dfe9f3ee0f70352a89a0f2a6f71822fafa2

Download Submit
C:\Users\Admin\AppData\Roaming\lsacce.exe
MD5
4e85bccd3ffbc25142507fe1883f2eda

SHA1
634ca94d2f19b7784bf2de78657c7d927b21b52a

SHA256
14dac7b193364d4c9d85f2cb2c1fa88683e8fffece0a499c90e49eca08a85e9d

SHA512
1704cc8c9219323d455d5611ccaaf6a6103eda3a886dc17101b2a41de3db8064374640f29876f24e5322042d25c0f53c1051002f367d1ec027ce7ba5badf1774

Download Submit
C:\Users\Admin\AppData\Roaming\lsacce.exe
MD5
4e85bccd3ffbc25142507fe1883f2eda

SHA1
634ca94d2f19b7784bf2de78657c7d927b21b52a

SHA256
14dac7b193364d4c9d85f2cb2c1fa88683e8fffece0a499c90e49eca08a85e9d

SHA512
1704cc8c9219323d455d5611ccaaf6a6103eda3a886dc17101b2a41de3db8064374640f29876f24e5322042d25c0f53c1051002f367d1ec027ce7ba5badf1774

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\lscce.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\lscce.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\lsacce.exe
MD5
4e85bccd3ffbc25142507fe1883f2eda

SHA1
634ca94d2f19b7784bf2de78657c7d927b21b52a

SHA256
14dac7b193364d4c9d85f2cb2c1fa88683e8fffece0a499c90e49eca08a85e9d

SHA512
1704cc8c9219323d455d5611ccaaf6a6103eda3a886dc17101b2a41de3db8064374640f29876f24e5322042d25c0f53c1051002f367d1ec027ce7ba5badf1774

Download Submit
memory/1256-78-0x0000000000120000-0x0000000000199000-memory.dmp

Filesize
484KB

Download
memory/1256-95-0x0000000076231000-0x0000000076233000-memory.dmp

Filesize
8KB

Download
memory/1256-75-0x0000000000120000-0x0000000000199000-memory.dmp

Filesize
484KB

Download
memory/1256-76-0x0000000000120000-0x0000000000199000-memory.dmp

Filesize
484KB

Download
memory/1256-77-0x0000000000120000-0x0000000000199000-memory.dmp

Filesize
484KB

Download
memory/1256-96-0x0000000000120000-0x0000000000199000-memory.dmp

Filesize
484KB

Download
memory/1256-79-0x0000000000120000-0x0000000000199000-memory.dmp

Filesize
484KB

Download
memory/1256-80-0x0000000000120000-0x0000000000199000-memory.dmp

Filesize
484KB

Download
memory/1256-81-0x0000000000120000-0x0000000000199000-memory.dmp

Filesize
484KB

Download
memory/1256-83-0x000000000042FC39-mapping.dmp

Download
memory/1256-85-0x0000000000120000-0x0000000000199000-memory.dmp

Filesize
484KB

Download
memory/1256-74-0x0000000000120000-0x0000000000199000-memory.dmp

Filesize
484KB

Download
memory/1256-90-0x0000000000120000-0x0000000000199000-memory.dmp

Filesize
484KB

Download
memory/1668-101-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/1668-98-0x0000000000000000-mapping.dmp

Download
memory/1724-59-0x0000000000000000-mapping.dmp

Download
memory/1828-68-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/1828-66-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/1828-63-0x0000000000000000-mapping.dmp

Download
memory/1828-71-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/1884-105-0x0000000000000000-mapping.dmp

Download
memory/1928-60-0x0000000000000000-mapping.dmp

Download
memory/1988-55-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1988-61-0x0000000000481000-0x0000000000482000-memory.dmp

Filesize
4KB

Download
memory/1988-58-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/1988-57-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download