remcos | 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729

General

Target

31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
Size

1.6MB
MD5

983199bbc9855444da45fd3470542c93
SHA1

6358b2bf1dc6e8aff646ad6ab919be865fa19870
SHA256

31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729
SHA512

9d48594222420487bc7a8d0e888806edbd5bac819669504d2a854912d403b22fb761f0e4e0a220412e2a18165ee8d20afe4fa21bea6f73a908428a2116557684

Score

10^/10

remcos ene20 rat

Malware Config

Extracted

Family

remcos

Botnet

Ene20

C2

amsdkjeduejfhdgerop.duckdns.org:2223

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
AdminShell
keylog_path
%AppData%
mouse_option
false
mutex
NQUjfd3E3e5dje-JHD8X5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

3 1192 cmd.exe
4 1192 cmd.exe
5 1192 cmd.exe
7 1192 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

plier.exe

pid process

376 plier.exe

flow	pid	process
3	1192	cmd.exe
4	1192	cmd.exe
5	1192	cmd.exe
7	1192	cmd.exe

pid	process
376	plier.exe

Loads dropped DLL 3 IoCs

Processes:

31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exeplier.exe

pid	process
1960	31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
1960	31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
376	plier.exe

Drops file in Windows directory 2 IoCs

Processes:

plier.execmd.exe

description ioc process

File opened for modification C:\Windows\win.ini plier.exe
File created C:\Windows\Tasks\diskshadow.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

plier.exe

pid process

376 plier.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

plier.exe

pid process

376 plier.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

1192 cmd.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	plier.exe
File created	C:\Windows\Tasks\diskshadow.job	cmd.exe

pid	process
376	plier.exe

pid	process
376	plier.exe

pid	process
1192	cmd.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exeplier.exeDllHost.execmd.exe

description	pid	process	target process
PID 1960 wrote to memory of 376	1960	31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe	plier.exe
PID 1960 wrote to memory of 376	1960	31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe	plier.exe
PID 1960 wrote to memory of 376	1960	31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe	plier.exe
PID 1960 wrote to memory of 376	1960	31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe	plier.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 376 wrote to memory of 1192	376	plier.exe	cmd.exe
PID 308 wrote to memory of 2016	308	DllHost.exe	cmd.exe
PID 308 wrote to memory of 2016	308	DllHost.exe	cmd.exe
PID 308 wrote to memory of 2016	308	DllHost.exe	cmd.exe
PID 308 wrote to memory of 2016	308	DllHost.exe	cmd.exe
PID 2016 wrote to memory of 916	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 916	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 916	2016	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
"C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\plier.exe
C:\Users\Admin\AppData\Local\Temp\plier.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat" /t REG_DWORD /d 0"
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\reg.exe
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat" /t REG_DWORD /d 0
3⤵
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cornhusk
MD5
32604f4797fafd34895f707137146e3a

SHA1
86bb7be89f74c85a1f77e52879ab1354af5b00be

SHA256
f4e553e609fd70e9e21f5ea68adaa120bd93df0ad5befb3d2889db38bdb2211a

SHA512
e391f0f16b668d5b07a53e13178f105f35f517fa189764eef811a521d292e16a6f738efe0f1992f98f393ec463f486719f80777dd4967fd1787e561005e62721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbellule.DLL
MD5
6000783aeacd1836db8f8d7c10330a3b

SHA1
ba0176243cc0568dd0d10a1762ab69498e1dcb44

SHA256
573eca694d4fde714b97227d2a71950021fa8bb038f35ba998a448a5c8264f65

SHA512
954da3704d60acb61ff3bf0949141f2ec95858906b1bca792d98075a9841bb77372de168ba44972e6b53e103ef4bfc3d166e791390981e32db808dfce12bc248

Download Submit
C:\Users\Admin\AppData\Local\Temp\plier.exe
MD5
11c8f037f0e1a68ff1c74cbcac6e3c6e

SHA1
bb50ac196dfd3a194b7b7161947a012a0d49886c

SHA256
aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34

SHA512
05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b

Download Submit
\Users\Admin\AppData\Local\Temp\Umbellule.dll
MD5
6000783aeacd1836db8f8d7c10330a3b

SHA1
ba0176243cc0568dd0d10a1762ab69498e1dcb44

SHA256
573eca694d4fde714b97227d2a71950021fa8bb038f35ba998a448a5c8264f65

SHA512
954da3704d60acb61ff3bf0949141f2ec95858906b1bca792d98075a9841bb77372de168ba44972e6b53e103ef4bfc3d166e791390981e32db808dfce12bc248

Download Submit
\Users\Admin\AppData\Local\Temp\plier.exe
MD5
11c8f037f0e1a68ff1c74cbcac6e3c6e

SHA1
bb50ac196dfd3a194b7b7161947a012a0d49886c

SHA256
aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34

SHA512
05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b

Download Submit
\Users\Admin\AppData\Local\Temp\plier.exe
MD5
11c8f037f0e1a68ff1c74cbcac6e3c6e

SHA1
bb50ac196dfd3a194b7b7161947a012a0d49886c

SHA256
aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34

SHA512
05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b

Download Submit
memory/376-67-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/376-62-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/376-66-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/376-69-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download
memory/376-70-0x0000000000420000-0x0000000000442000-memory.dmp

Filesize
136KB

Download
memory/1192-71-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download
memory/1192-73-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/1192-78-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1192-80-0x0000000074840000-0x0000000074A80000-memory.dmp

Filesize
2.2MB

Download
memory/1960-55-0x0000000076511000-0x0000000076513000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing