remcos | 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729

General

Target

31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
Size

1.6MB
MD5

983199bbc9855444da45fd3470542c93
SHA1

6358b2bf1dc6e8aff646ad6ab919be865fa19870
SHA256

31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729
SHA512

9d48594222420487bc7a8d0e888806edbd5bac819669504d2a854912d403b22fb761f0e4e0a220412e2a18165ee8d20afe4fa21bea6f73a908428a2116557684

Score

10^/10

remcos ene20 rat

Malware Config

Extracted

Family

remcos

Botnet

Ene20

C2

amsdkjeduejfhdgerop.duckdns.org:2223

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
AdminShell
keylog_path
%AppData%
mouse_option
false
mutex
NQUjfd3E3e5dje-JHD8X5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2680 created 3284 2680 WerFault.exe cmd.exe
Executes dropped EXE 1 IoCs

Processes:

plier.exe

pid process

2020 plier.exe
Loads dropped DLL 1 IoCs

Processes:

plier.exe

pid process

2020 plier.exe
Drops file in Windows directory 2 IoCs

Processes:

plier.execmd.exe

description ioc process

File opened for modification C:\Windows\win.ini plier.exe
File created C:\Windows\Tasks\diskshadow.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2680 3284 WerFault.exe cmd.exe

description	pid	process	target process
PID 2680 created 3284	2680	WerFault.exe	cmd.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	plier.exe
File created	C:\Windows\Tasks\diskshadow.job	cmd.exe

pid	pid_target	process	target process
2680	3284	WerFault.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

plier.exepowershell.exeWerFault.exe

pid	process
2020	plier.exe
3908	powershell.exe
3908	powershell.exe
3908	powershell.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

plier.exe

pid process

2020 plier.exe
2020 plier.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeRestorePrivilege	2680	WerFault.exe
Token: SeBackupPrivilege	2680	WerFault.exe
Token: SeIncreaseQuotaPrivilege	3908	powershell.exe
Token: SeSecurityPrivilege	3908	powershell.exe
Token: SeTakeOwnershipPrivilege	3908	powershell.exe
Token: SeLoadDriverPrivilege	3908	powershell.exe
Token: SeSystemProfilePrivilege	3908	powershell.exe
Token: SeSystemtimePrivilege	3908	powershell.exe
Token: SeProfSingleProcessPrivilege	3908	powershell.exe
Token: SeIncBasePriorityPrivilege	3908	powershell.exe
Token: SeCreatePagefilePrivilege	3908	powershell.exe
Token: SeBackupPrivilege	3908	powershell.exe
Token: SeRestorePrivilege	3908	powershell.exe
Token: SeShutdownPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeSystemEnvironmentPrivilege	3908	powershell.exe
Token: SeRemoteShutdownPrivilege	3908	powershell.exe
Token: SeUndockPrivilege	3908	powershell.exe
Token: SeManageVolumePrivilege	3908	powershell.exe
Token: 33	3908	powershell.exe
Token: 34	3908	powershell.exe
Token: 35	3908	powershell.exe
Token: 36	3908	powershell.exe
Token: SeDebugPrivilege	2680	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exeplier.exe

description	pid	process	target process
PID 3780 wrote to memory of 2020	3780	31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe	plier.exe
PID 3780 wrote to memory of 2020	3780	31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe	plier.exe
PID 3780 wrote to memory of 2020	3780	31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe	plier.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe
PID 2020 wrote to memory of 3284	2020	plier.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
"C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3780

C:\Users\Admin\AppData\Local\Temp\plier.exe
C:\Users\Admin\AppData\Local\Temp\plier.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Drops file in Windows directory
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1012
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:1560

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\"""
2⤵
PID:576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\""
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cornhusk
MD5
32604f4797fafd34895f707137146e3a

SHA1
86bb7be89f74c85a1f77e52879ab1354af5b00be

SHA256
f4e553e609fd70e9e21f5ea68adaa120bd93df0ad5befb3d2889db38bdb2211a

SHA512
e391f0f16b668d5b07a53e13178f105f35f517fa189764eef811a521d292e16a6f738efe0f1992f98f393ec463f486719f80777dd4967fd1787e561005e62721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbellule.DLL
MD5
6000783aeacd1836db8f8d7c10330a3b

SHA1
ba0176243cc0568dd0d10a1762ab69498e1dcb44

SHA256
573eca694d4fde714b97227d2a71950021fa8bb038f35ba998a448a5c8264f65

SHA512
954da3704d60acb61ff3bf0949141f2ec95858906b1bca792d98075a9841bb77372de168ba44972e6b53e103ef4bfc3d166e791390981e32db808dfce12bc248

Download Submit
C:\Users\Admin\AppData\Local\Temp\plier.exe
MD5
11c8f037f0e1a68ff1c74cbcac6e3c6e

SHA1
bb50ac196dfd3a194b7b7161947a012a0d49886c

SHA256
aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34

SHA512
05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\plier.exe
MD5
11c8f037f0e1a68ff1c74cbcac6e3c6e

SHA1
bb50ac196dfd3a194b7b7161947a012a0d49886c

SHA256
aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34

SHA512
05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b

Download Submit
\Users\Admin\AppData\Local\Temp\Umbellule.dll
MD5
6000783aeacd1836db8f8d7c10330a3b

SHA1
ba0176243cc0568dd0d10a1762ab69498e1dcb44

SHA256
573eca694d4fde714b97227d2a71950021fa8bb038f35ba998a448a5c8264f65

SHA512
954da3704d60acb61ff3bf0949141f2ec95858906b1bca792d98075a9841bb77372de168ba44972e6b53e103ef4bfc3d166e791390981e32db808dfce12bc248

Download Submit
memory/2020-123-0x0000000000460000-0x0000000000467000-memory.dmp

Filesize
28KB

Download
memory/2020-128-0x0000000000410000-0x00000000004BE000-memory.dmp

Filesize
696KB

Download
memory/2020-127-0x0000000000410000-0x00000000004BE000-memory.dmp

Filesize
696KB

Download
memory/2020-129-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/2020-130-0x00007FFB82820000-0x00007FFB829FB000-memory.dmp

Filesize
1.9MB

Download
memory/3284-131-0x0000000002330000-0x0000000002336000-memory.dmp

Filesize
24KB

Download
memory/3284-132-0x0000000077569000-0x000000007756A000-memory.dmp

Filesize
4KB

Download
memory/3284-136-0x00007FFB82820000-0x00007FFB829FB000-memory.dmp

Filesize
1.9MB

Download
memory/3284-157-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/3284-168-0x0000000072BE0000-0x0000000072FC3000-memory.dmp

Filesize
3.9MB

Download
memory/3908-163-0x00000243503F0000-0x0000024350412000-memory.dmp

Filesize
136KB

Download
memory/3908-167-0x0000024352580000-0x00000243525F6000-memory.dmp

Filesize
472KB

Download
memory/3908-169-0x00000243504A0000-0x00000243504A2000-memory.dmp

Filesize
8KB

Download
memory/3908-170-0x00000243504A3000-0x00000243504A5000-memory.dmp

Filesize
8KB

Download
memory/3908-195-0x00000243504A6000-0x00000243504A8000-memory.dmp

Filesize
8KB

Download
memory/3908-263-0x00000243504A8000-0x00000243504A9000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads