remcos | 326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693

Analysis

max time kernel
13s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-06-2022 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
Size

208KB
MD5

eb38e581ba2c7d46a2373dc9abc02b3b
SHA1

86d8449307be9bdeea725c56254fde1692b82a30
SHA256

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693
SHA512

d09ebf20951ec472b3b68e02f79493049f0f81972327a8d12ee7b7a3c643bb8a5f2ad5377f1f228fda61f38bfffb2c2123ca17095c30ea94c24dbb2cc40ac800

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

79.172.242.28:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
xi3s.exe
copy_folder
xi3x
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NL03Y0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
xi5w
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 4 IoCs

Processes:

tmp.exe.exexi3s.exexi3s.exe

pid process

1304 tmp.exe
1720 .exe
332 xi3s.exe
436 xi3s.exe

pid	process
1304	tmp.exe
1720	.exe
332	xi3s.exe
436	xi3s.exe

Loads dropped DLL 5 IoCs

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.execmd.execmd.exe

pid	process
1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
864	cmd.exe
1384	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\xi5w = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xi3x\\xi3s.exe\""	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\	.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\xi5w = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xi3x\\xi3s.exe\""	.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

description pid process target process

PID 1792 set thread context of 1720 1792 326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe .exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1792 set thread context of 1720	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

pid	process
1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

description	pid	process
Token: SeDebugPrivilege	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
Token: 33	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
Token: SeIncBasePriorityPrivilege	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exetmp.exe.exeWScript.exeWScript.execmd.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 1304	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	tmp.exe
PID 1792 wrote to memory of 1304	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	tmp.exe
PID 1792 wrote to memory of 1304	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	tmp.exe
PID 1792 wrote to memory of 1304	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	tmp.exe
PID 1792 wrote to memory of 1720	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 1792 wrote to memory of 1720	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 1792 wrote to memory of 1720	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 1792 wrote to memory of 1720	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 1792 wrote to memory of 1720	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 1304 wrote to memory of 956	1304	tmp.exe	WScript.exe
PID 1304 wrote to memory of 956	1304	tmp.exe	WScript.exe
PID 1304 wrote to memory of 956	1304	tmp.exe	WScript.exe
PID 1304 wrote to memory of 956	1304	tmp.exe	WScript.exe
PID 1792 wrote to memory of 1720	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 1792 wrote to memory of 1720	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 1792 wrote to memory of 1720	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 1792 wrote to memory of 1720	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 1792 wrote to memory of 1720	1792	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 1720 wrote to memory of 1388	1720	.exe	WScript.exe
PID 1720 wrote to memory of 1388	1720	.exe	WScript.exe
PID 1720 wrote to memory of 1388	1720	.exe	WScript.exe
PID 1720 wrote to memory of 1388	1720	.exe	WScript.exe
PID 1388 wrote to memory of 1384	1388	WScript.exe	cmd.exe
PID 1388 wrote to memory of 1384	1388	WScript.exe	cmd.exe
PID 1388 wrote to memory of 1384	1388	WScript.exe	cmd.exe
PID 1388 wrote to memory of 1384	1388	WScript.exe	cmd.exe
PID 956 wrote to memory of 864	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 864	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 864	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 864	956	WScript.exe	cmd.exe
PID 864 wrote to memory of 436	864	cmd.exe	xi3s.exe
PID 864 wrote to memory of 436	864	cmd.exe	xi3s.exe
PID 864 wrote to memory of 436	864	cmd.exe	xi3s.exe
PID 864 wrote to memory of 436	864	cmd.exe	xi3s.exe
PID 1384 wrote to memory of 332	1384	cmd.exe	xi3s.exe
PID 1384 wrote to memory of 332	1384	cmd.exe	xi3s.exe
PID 1384 wrote to memory of 332	1384	cmd.exe	xi3s.exe
PID 1384 wrote to memory of 332	1384	cmd.exe	xi3s.exe

C:\Users\Admin\AppData\Local\Temp\326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
"C:\Users\Admin\AppData\Local\Temp\326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
5⤵
- Executes dropped EXE
PID:436

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
5⤵
- Executes dropped EXE
PID:332

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
416B

MD5
453f89e2c8f4e830ac8db7611532f1dd

SHA1
d1e4a30ec5fd1067ade5d4a806457829038131ad

SHA256
533afaf7f3b5f135c3c9cfa7dc71bba8452949c40ba0d8ffc56daf87fb306936

SHA512
840c7af7dc1911f983a3f0005b9b0efa7b63161b62d53b859b29b3d2d313653d88a5e1db687f87fff1e47e233160fc96ed5067b4f11be6ef9f4bdf72c6b145df

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
416B

MD5
453f89e2c8f4e830ac8db7611532f1dd

SHA1
d1e4a30ec5fd1067ade5d4a806457829038131ad

SHA256
533afaf7f3b5f135c3c9cfa7dc71bba8452949c40ba0d8ffc56daf87fb306936

SHA512
840c7af7dc1911f983a3f0005b9b0efa7b63161b62d53b859b29b3d2d313653d88a5e1db687f87fff1e47e233160fc96ed5067b4f11be6ef9f4bdf72c6b145df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
108KB

MD5
7ead38802bd7c0a3af677214f2ba23db

SHA1
f0c204c57146244c7e2cc744214c3deff5a9f4b6

SHA256
c75ba3917383a776dee26a215929d242b7896641a4157afa1d7d05913eb473fd

SHA512
88c35c02fc21850904f41563611b57f3bd6c39b649fd8017d6fc19135c87a2b288365020a04d2571a64a91772edda9444821301d69d1ba8b4702fb577b98ac69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
108KB

MD5
7ead38802bd7c0a3af677214f2ba23db

SHA1
f0c204c57146244c7e2cc744214c3deff5a9f4b6

SHA256
c75ba3917383a776dee26a215929d242b7896641a4157afa1d7d05913eb473fd

SHA512
88c35c02fc21850904f41563611b57f3bd6c39b649fd8017d6fc19135c87a2b288365020a04d2571a64a91772edda9444821301d69d1ba8b4702fb577b98ac69

Download Submit
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
\Users\Admin\AppData\Local\Temp\.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
108KB

MD5
7ead38802bd7c0a3af677214f2ba23db

SHA1
f0c204c57146244c7e2cc744214c3deff5a9f4b6

SHA256
c75ba3917383a776dee26a215929d242b7896641a4157afa1d7d05913eb473fd

SHA512
88c35c02fc21850904f41563611b57f3bd6c39b649fd8017d6fc19135c87a2b288365020a04d2571a64a91772edda9444821301d69d1ba8b4702fb577b98ac69

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
108KB

MD5
7ead38802bd7c0a3af677214f2ba23db

SHA1
f0c204c57146244c7e2cc744214c3deff5a9f4b6

SHA256
c75ba3917383a776dee26a215929d242b7896641a4157afa1d7d05913eb473fd

SHA512
88c35c02fc21850904f41563611b57f3bd6c39b649fd8017d6fc19135c87a2b288365020a04d2571a64a91772edda9444821301d69d1ba8b4702fb577b98ac69

Download Submit
\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
memory/332-91-0x0000000000000000-mapping.dmp

Download
memory/436-89-0x0000000000000000-mapping.dmp

Download
memory/864-86-0x0000000000000000-mapping.dmp

Download
memory/956-66-0x0000000000000000-mapping.dmp

Download
memory/1304-58-0x0000000000000000-mapping.dmp

Download
memory/1384-85-0x0000000000000000-mapping.dmp

Download
memory/1388-81-0x0000000000000000-mapping.dmp

Download
memory/1720-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-71-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-72-0x0000000000412C84-mapping.dmp

Download
memory/1792-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1792-55-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-94-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads