remcos | caf08c94a95672212ab753293db7e6ca97cec7ddc28ece68d978f3008a5a6668

Analysis

max time kernel
152s
max time network
157s
platform
windows7_x64
resource
win7-en-20211208
submitted
26-01-2022 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rfq_products order.exe
Size

1.5MB
MD5

99b649db223cbef960a8423dd7d50381
SHA1

e4912bb05d068e6edbe5576a9a929d14590efbe3
SHA256

caf08c94a95672212ab753293db7e6ca97cec7ddc28ece68d978f3008a5a6668
SHA512

74b267dba2fd39d04165d4b80c2ca8a7fc04d2894c014c6bf059006874cb3f5ae937fbb12f26ddff81a5a8c8c7e8959c8a35cdd8b970f8affb4404df9041bfa0

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

3.2.1 Pro

Botnet

RemoteHost

janeilla.myddns.me:9711

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-SLEDDG
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\mssrce.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 4 IoCs

Processes:

mssrce.exeAddInProcess32.exemssrCE.exemssrCE.exe

pid process

1160 mssrce.exe
1260 AddInProcess32.exe
1964 mssrCE.exe
900 mssrCE.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exemssrce.exemssrCE.exe

pid process

1384 cmd.exe
1160 mssrce.exe
1160 mssrce.exe
1964 mssrCE.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

mssrce.exe

description pid process target process

PID 1160 set thread context of 1260 1160 mssrce.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

368 PING.EXE
1108 PING.EXE
1608 PING.EXE

pid	process
1160	mssrce.exe
1260	AddInProcess32.exe
1964	mssrCE.exe
900	mssrCE.exe

pid	process
1384	cmd.exe
1160	mssrce.exe
1160	mssrce.exe
1964	mssrCE.exe

description	pid	process	target process
PID 1160 set thread context of 1260	1160	mssrce.exe	AddInProcess32.exe

pid	process
368	PING.EXE
1108	PING.EXE
1608	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Rfq_products order.exemssrce.exemssrCE.exemssrCE.exe

pid	process
964	Rfq_products order.exe
964	Rfq_products order.exe
964	Rfq_products order.exe
964	Rfq_products order.exe
964	Rfq_products order.exe
1160	mssrce.exe
1160	mssrce.exe
1160	mssrce.exe
1964	mssrCE.exe
900	mssrCE.exe
900	mssrCE.exe
900	mssrCE.exe
1160	mssrce.exe
1160	mssrce.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Rfq_products order.exemssrce.exemssrCE.exemssrCE.exe

description	pid	process
Token: SeDebugPrivilege	964	Rfq_products order.exe
Token: SeDebugPrivilege	1160	mssrce.exe
Token: SeDebugPrivilege	1964	mssrCE.exe
Token: SeDebugPrivilege	900	mssrCE.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

1260 AddInProcess32.exe

pid	process
1260	AddInProcess32.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

Rfq_products order.execmd.execmd.exemssrce.exemssrCE.exe

description	pid	process	target process
PID 964 wrote to memory of 268	964	Rfq_products order.exe	cmd.exe
PID 964 wrote to memory of 268	964	Rfq_products order.exe	cmd.exe
PID 964 wrote to memory of 268	964	Rfq_products order.exe	cmd.exe
PID 964 wrote to memory of 268	964	Rfq_products order.exe	cmd.exe
PID 268 wrote to memory of 368	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 368	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 368	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 368	268	cmd.exe	PING.EXE
PID 964 wrote to memory of 1384	964	Rfq_products order.exe	cmd.exe
PID 964 wrote to memory of 1384	964	Rfq_products order.exe	cmd.exe
PID 964 wrote to memory of 1384	964	Rfq_products order.exe	cmd.exe
PID 964 wrote to memory of 1384	964	Rfq_products order.exe	cmd.exe
PID 1384 wrote to memory of 1108	1384	cmd.exe	PING.EXE
PID 1384 wrote to memory of 1108	1384	cmd.exe	PING.EXE
PID 1384 wrote to memory of 1108	1384	cmd.exe	PING.EXE
PID 1384 wrote to memory of 1108	1384	cmd.exe	PING.EXE
PID 268 wrote to memory of 1648	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1648	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1648	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1648	268	cmd.exe	reg.exe
PID 1384 wrote to memory of 1608	1384	cmd.exe	PING.EXE
PID 1384 wrote to memory of 1608	1384	cmd.exe	PING.EXE
PID 1384 wrote to memory of 1608	1384	cmd.exe	PING.EXE
PID 1384 wrote to memory of 1608	1384	cmd.exe	PING.EXE
PID 1384 wrote to memory of 1160	1384	cmd.exe	mssrce.exe
PID 1384 wrote to memory of 1160	1384	cmd.exe	mssrce.exe
PID 1384 wrote to memory of 1160	1384	cmd.exe	mssrce.exe
PID 1384 wrote to memory of 1160	1384	cmd.exe	mssrce.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1260	1160	mssrce.exe	AddInProcess32.exe
PID 1160 wrote to memory of 1964	1160	mssrce.exe	mssrCE.exe
PID 1160 wrote to memory of 1964	1160	mssrce.exe	mssrCE.exe
PID 1160 wrote to memory of 1964	1160	mssrce.exe	mssrCE.exe
PID 1160 wrote to memory of 1964	1160	mssrce.exe	mssrCE.exe
PID 1964 wrote to memory of 900	1964	mssrCE.exe	mssrCE.exe
PID 1964 wrote to memory of 900	1964	mssrCE.exe	mssrCE.exe
PID 1964 wrote to memory of 900	1964	mssrCE.exe	mssrCE.exe
PID 1964 wrote to memory of 900	1964	mssrCE.exe	mssrCE.exe

C:\Users\Admin\AppData\Local\Temp\Rfq_products order.exe
"C:\Users\Admin\AppData\Local\Temp\Rfq_products order.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mssrce.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 8
3⤵
- Runs ping.exe
PID:368

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mssrce.exe,"
3⤵
- Modifies WinLogon for persistence
PID:1648

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Rfq_products order.exe" "C:\Users\Admin\AppData\Roaming\mssrce.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\AppData\Roaming\mssrce.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:1108

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:1608

C:\Users\Admin\AppData\Roaming\mssrce.exe
"C:\Users\Admin\AppData\Roaming\mssrce.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Users\Admin\AppData\Local\Temp\mssrCE.exe
"C:\Users\Admin\AppData\Local\Temp\mssrCE.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\mssrCE.exe
"C:\Users\Admin\AppData\Local\Temp\mssrCE.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssrCE.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssrCE.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssrCE.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssrCE.txt
MD5
68bdcd51117b68752742b3bb44dcb6c4

SHA1
622db8d1587fa406e4b987177475c87b0ee7e583

SHA256
80fd1c72a2940548978e13873890b2b4e7cea553e62bb6faa9a64fbf07096f17

SHA512
aa2742757f6ac49ac5ad7c575c521dc8a5fd95d8b39de8b279e2d61089ac5eb25eb7be7a90b4a24e9bb99ff5669a6983a07ffa85410d3e37879049abdabc5ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssrCE.txt
MD5
829435ee60c031ed555e54e59bdeac71

SHA1
f69a18295df23079179d58e336dddce149d189ce

SHA256
2bb74144148fdab9a5917a0979c148ed8e69aff05e9ed474abd47024c08dc0e5

SHA512
38cb033abf62d0318f13521af019f654d68171ddbc9db133e394f294d2b33b5566f39bac373900d48617c31244027d8be259dc103d2b1a8191ae0d5a415aa108

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssrCE.txt
MD5
829435ee60c031ed555e54e59bdeac71

SHA1
f69a18295df23079179d58e336dddce149d189ce

SHA256
2bb74144148fdab9a5917a0979c148ed8e69aff05e9ed474abd47024c08dc0e5

SHA512
38cb033abf62d0318f13521af019f654d68171ddbc9db133e394f294d2b33b5566f39bac373900d48617c31244027d8be259dc103d2b1a8191ae0d5a415aa108

Download Submit
C:\Users\Admin\AppData\Roaming\mssrce.exe
MD5
99b649db223cbef960a8423dd7d50381

SHA1
e4912bb05d068e6edbe5576a9a929d14590efbe3

SHA256
caf08c94a95672212ab753293db7e6ca97cec7ddc28ece68d978f3008a5a6668

SHA512
74b267dba2fd39d04165d4b80c2ca8a7fc04d2894c014c6bf059006874cb3f5ae937fbb12f26ddff81a5a8c8c7e8959c8a35cdd8b970f8affb4404df9041bfa0

Download Submit
C:\Users\Admin\AppData\Roaming\mssrce.exe
MD5
99b649db223cbef960a8423dd7d50381

SHA1
e4912bb05d068e6edbe5576a9a929d14590efbe3

SHA256
caf08c94a95672212ab753293db7e6ca97cec7ddc28ece68d978f3008a5a6668

SHA512
74b267dba2fd39d04165d4b80c2ca8a7fc04d2894c014c6bf059006874cb3f5ae937fbb12f26ddff81a5a8c8c7e8959c8a35cdd8b970f8affb4404df9041bfa0

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\mssrCE.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\mssrCE.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\mssrce.exe
MD5
99b649db223cbef960a8423dd7d50381

SHA1
e4912bb05d068e6edbe5576a9a929d14590efbe3

SHA256
caf08c94a95672212ab753293db7e6ca97cec7ddc28ece68d978f3008a5a6668

SHA512
74b267dba2fd39d04165d4b80c2ca8a7fc04d2894c014c6bf059006874cb3f5ae937fbb12f26ddff81a5a8c8c7e8959c8a35cdd8b970f8affb4404df9041bfa0

Download Submit
memory/964-54-0x0000000000030000-0x00000000001BC000-memory.dmp

Filesize
1.5MB

Download
memory/964-57-0x0000000000540000-0x0000000000556000-memory.dmp

Filesize
88KB

Download
memory/964-56-0x00000000005A0000-0x00000000005D2000-memory.dmp

Filesize
200KB

Download
memory/964-55-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1160-64-0x00000000007B0000-0x00000000007B6000-memory.dmp

Filesize
24KB

Download
memory/1160-63-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

Filesize
104KB

Download
memory/1160-62-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1160-61-0x00000000010E0000-0x000000000126C000-memory.dmp

Filesize
1.5MB

Download
memory/1160-75-0x0000000000F61000-0x0000000000F62000-memory.dmp

Filesize
4KB

Download
memory/1260-70-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1260-78-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1260-79-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1260-76-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1260-73-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1260-74-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1260-72-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1260-71-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1260-68-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1260-69-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1260-67-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1964-83-0x0000000000AA0000-0x0000000000ABA000-memory.dmp

Filesize
104KB

Download