remcos | 77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d

General

Target

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
Size

119KB
MD5

a257f126fda7ec1745bbbdb0ecb97dce
SHA1

354cda5f58ff5828c9ce38b95f3c6d4aa6f59f6e
SHA256

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d
SHA512

36ed37c96165672c49aa1b5d83988eda5063372bbbb1bf6f4c21868b80cd062895c94e9653ca2de30bbd2c55696ca12bfa744f1aacd500bdc9665c1d7827c5f2

Score

10^/10

remcos lockdown open evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Lockdown Open

C2

ascoitaliasa.duckdns.org:4046

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows logoff sound.exe
copy_folder
Microsoft Media
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Audio
keylog_path
%AppData%
mouse_option
false
mutex
Window Audio
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Window sound
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Password;Username;proformer;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 2 IoCs

Processes:

Windows logoff sound.exeWindows logoff sound.exe

pid process

3328 Windows logoff sound.exe
1256 Windows logoff sound.exe

pid	process
3328	Windows logoff sound.exe
1256	Windows logoff sound.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exeWindows logoff sound.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run\	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window sound = "\"C:\\Windows\\Microsoft Media\\Windows logoff sound.exe\""	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Windows logoff sound.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window sound = "\"C:\\Windows\\Microsoft Media\\Windows logoff sound.exe\""	Windows logoff sound.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exeWindows logoff sound.exe

description	pid	process	target process
PID 4696 set thread context of 1892	4696	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 3328 set thread context of 1256	3328	Windows logoff sound.exe	Windows logoff sound.exe

Drops file in Windows directory 3 IoCs

Processes:

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft Media	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
File created	C:\Windows\Microsoft Media\Windows logoff sound.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
File opened for modification	C:\Windows\Microsoft Media\Windows logoff sound.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1100 reg.exe
4352 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2496 PING.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows logoff sound.exe

pid process

1256 Windows logoff sound.exe

pid	process
1100	reg.exe
4352	reg.exe

pid	process
2496	PING.EXE

pid	process
1256	Windows logoff sound.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.execmd.execmd.exeWindows logoff sound.exeWindows logoff sound.execmd.exe

description	pid	process	target process
PID 4696 wrote to memory of 1892	4696	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 4696 wrote to memory of 1892	4696	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 4696 wrote to memory of 1892	4696	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 4696 wrote to memory of 1892	4696	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 4696 wrote to memory of 1892	4696	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 4696 wrote to memory of 1892	4696	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 4696 wrote to memory of 1892	4696	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 4696 wrote to memory of 1892	4696	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 4696 wrote to memory of 1892	4696	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1892 wrote to memory of 4064	1892	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1892 wrote to memory of 4064	1892	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1892 wrote to memory of 4064	1892	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 4064 wrote to memory of 4352	4064	cmd.exe	reg.exe
PID 4064 wrote to memory of 4352	4064	cmd.exe	reg.exe
PID 4064 wrote to memory of 4352	4064	cmd.exe	reg.exe
PID 1892 wrote to memory of 1596	1892	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1892 wrote to memory of 1596	1892	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1892 wrote to memory of 1596	1892	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1596 wrote to memory of 2496	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2496	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2496	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 3328	1596	cmd.exe	Windows logoff sound.exe
PID 1596 wrote to memory of 3328	1596	cmd.exe	Windows logoff sound.exe
PID 1596 wrote to memory of 3328	1596	cmd.exe	Windows logoff sound.exe
PID 3328 wrote to memory of 1256	3328	Windows logoff sound.exe	Windows logoff sound.exe
PID 3328 wrote to memory of 1256	3328	Windows logoff sound.exe	Windows logoff sound.exe
PID 3328 wrote to memory of 1256	3328	Windows logoff sound.exe	Windows logoff sound.exe
PID 3328 wrote to memory of 1256	3328	Windows logoff sound.exe	Windows logoff sound.exe
PID 3328 wrote to memory of 1256	3328	Windows logoff sound.exe	Windows logoff sound.exe
PID 3328 wrote to memory of 1256	3328	Windows logoff sound.exe	Windows logoff sound.exe
PID 3328 wrote to memory of 1256	3328	Windows logoff sound.exe	Windows logoff sound.exe
PID 3328 wrote to memory of 1256	3328	Windows logoff sound.exe	Windows logoff sound.exe
PID 3328 wrote to memory of 1256	3328	Windows logoff sound.exe	Windows logoff sound.exe
PID 1256 wrote to memory of 3384	1256	Windows logoff sound.exe	cmd.exe
PID 1256 wrote to memory of 3384	1256	Windows logoff sound.exe	cmd.exe
PID 1256 wrote to memory of 3384	1256	Windows logoff sound.exe	cmd.exe
PID 3384 wrote to memory of 1100	3384	cmd.exe	reg.exe
PID 3384 wrote to memory of 1100	3384	cmd.exe	reg.exe
PID 3384 wrote to memory of 1100	3384	cmd.exe	reg.exe
PID 1256 wrote to memory of 1352	1256	Windows logoff sound.exe	iexplore.exe
PID 1256 wrote to memory of 1352	1256	Windows logoff sound.exe	iexplore.exe
PID 1256 wrote to memory of 1352	1256	Windows logoff sound.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
"C:\Users\Admin\AppData\Local\Temp\77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\AppData\Local\Temp\77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
"{path}"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:2496

C:\Windows\Microsoft Media\Windows logoff sound.exe
"C:\Windows\Microsoft Media\Windows logoff sound.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\Microsoft Media\Windows logoff sound.exe
"{path}"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- Modifies registry key
PID:1100

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
6⤵
PID:1352

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
102B

MD5
d65c998bd7769229c5cd6c8a1ae4b639

SHA1
59afa2c156d6d670d8e87d61756b814d3bc19bb3

SHA256
bac6c33f44976bb615821bb75ab53cbb8c34d53a00246f68f62b255ef0ba1d7f

SHA512
a56827185f39b896555ddd52391235b9a93e79c269674bf1db729abe728e452ecee1a42749352e12c7261eb114bb66add062cb41f367d5e971ea406bfc831895

Download Submit
C:\Windows\Microsoft Media\Windows logoff sound.exe

Filesize
119KB

MD5
a257f126fda7ec1745bbbdb0ecb97dce

SHA1
354cda5f58ff5828c9ce38b95f3c6d4aa6f59f6e

SHA256
77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d

SHA512
36ed37c96165672c49aa1b5d83988eda5063372bbbb1bf6f4c21868b80cd062895c94e9653ca2de30bbd2c55696ca12bfa744f1aacd500bdc9665c1d7827c5f2

Download Submit
C:\Windows\Microsoft Media\Windows logoff sound.exe

Filesize
119KB

MD5
a257f126fda7ec1745bbbdb0ecb97dce

SHA1
354cda5f58ff5828c9ce38b95f3c6d4aa6f59f6e

SHA256
77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d

SHA512
36ed37c96165672c49aa1b5d83988eda5063372bbbb1bf6f4c21868b80cd062895c94e9653ca2de30bbd2c55696ca12bfa744f1aacd500bdc9665c1d7827c5f2

Download Submit
C:\Windows\Microsoft Media\Windows logoff sound.exe

Filesize
119KB

MD5
a257f126fda7ec1745bbbdb0ecb97dce

SHA1
354cda5f58ff5828c9ce38b95f3c6d4aa6f59f6e

SHA256
77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d

SHA512
36ed37c96165672c49aa1b5d83988eda5063372bbbb1bf6f4c21868b80cd062895c94e9653ca2de30bbd2c55696ca12bfa744f1aacd500bdc9665c1d7827c5f2

Download Submit
memory/448-131-0x00007FFE1DF90000-0x00007FFE1E9C6000-memory.dmp

Filesize
10.2MB

Download
memory/1100-152-0x0000000000000000-mapping.dmp

Download
memory/1256-146-0x0000000000000000-mapping.dmp

Download
memory/1256-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1256-150-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1596-139-0x0000000000000000-mapping.dmp

Download
memory/1892-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1892-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1892-133-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1892-132-0x0000000000000000-mapping.dmp

Download
memory/2496-141-0x0000000000000000-mapping.dmp

Download
memory/3328-145-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/3328-142-0x0000000000000000-mapping.dmp

Download
memory/3384-151-0x0000000000000000-mapping.dmp

Download
memory/4064-136-0x0000000000000000-mapping.dmp

Download
memory/4352-137-0x0000000000000000-mapping.dmp

Download
memory/4696-130-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads