remcos | 326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693

Analysis

max time kernel
123s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-06-2022 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
Size

208KB
MD5

eb38e581ba2c7d46a2373dc9abc02b3b
SHA1

86d8449307be9bdeea725c56254fde1692b82a30
SHA256

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693
SHA512

d09ebf20951ec472b3b68e02f79493049f0f81972327a8d12ee7b7a3c643bb8a5f2ad5377f1f228fda61f38bfffb2c2123ca17095c30ea94c24dbb2cc40ac800

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

79.172.242.28:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
xi3s.exe
copy_folder
xi3x
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NL03Y0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
xi5w
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 4 IoCs

Processes:

tmp.exe.exexi3s.exexi3s.exe

pid process

3356 tmp.exe
1308 .exe
1020 xi3s.exe
2384 xi3s.exe

pid	process
3356	tmp.exe
1308	.exe
1020	xi3s.exe
2384	xi3s.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exetmp.exe.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run\	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xi5w = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xi3x\\xi3s.exe\""	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run\	.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xi5w = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xi3x\\xi3s.exe\""	.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
File created	C:\Windows\assembly\Desktop.ini	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

description pid process target process

PID 4580 set thread context of 1308 4580 326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe .exe

description	pid	process	target process
PID 4580 set thread context of 1308	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe

Drops file in Windows directory 3 IoCs

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
File opened for modification	C:\Windows\assembly	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

tmp.exe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

pid	process
4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

description	pid	process
Token: SeDebugPrivilege	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
Token: 33	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
Token: SeIncBasePriorityPrivilege	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exetmp.exe.exeWScript.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 4580 wrote to memory of 3356	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	tmp.exe
PID 4580 wrote to memory of 3356	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	tmp.exe
PID 4580 wrote to memory of 3356	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	tmp.exe
PID 4580 wrote to memory of 1308	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 4580 wrote to memory of 1308	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 4580 wrote to memory of 1308	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 4580 wrote to memory of 1308	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 4580 wrote to memory of 1308	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 4580 wrote to memory of 1308	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 4580 wrote to memory of 1308	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 4580 wrote to memory of 1308	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 4580 wrote to memory of 1308	4580	326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe	.exe
PID 3356 wrote to memory of 4552	3356	tmp.exe	WScript.exe
PID 3356 wrote to memory of 4552	3356	tmp.exe	WScript.exe
PID 3356 wrote to memory of 4552	3356	tmp.exe	WScript.exe
PID 1308 wrote to memory of 2556	1308	.exe	WScript.exe
PID 1308 wrote to memory of 2556	1308	.exe	WScript.exe
PID 1308 wrote to memory of 2556	1308	.exe	WScript.exe
PID 4552 wrote to memory of 1564	4552	WScript.exe	cmd.exe
PID 4552 wrote to memory of 1564	4552	WScript.exe	cmd.exe
PID 4552 wrote to memory of 1564	4552	WScript.exe	cmd.exe
PID 1564 wrote to memory of 1020	1564	cmd.exe	xi3s.exe
PID 1564 wrote to memory of 1020	1564	cmd.exe	xi3s.exe
PID 1564 wrote to memory of 1020	1564	cmd.exe	xi3s.exe
PID 2556 wrote to memory of 4492	2556	WScript.exe	cmd.exe
PID 2556 wrote to memory of 4492	2556	WScript.exe	cmd.exe
PID 2556 wrote to memory of 4492	2556	WScript.exe	cmd.exe
PID 4492 wrote to memory of 2384	4492	cmd.exe	xi3s.exe
PID 4492 wrote to memory of 2384	4492	cmd.exe	xi3s.exe
PID 4492 wrote to memory of 2384	4492	cmd.exe	xi3s.exe

C:\Users\Admin\AppData\Local\Temp\326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
"C:\Users\Admin\AppData\Local\Temp\326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
5⤵
- Executes dropped EXE
PID:1020

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
5⤵
- Executes dropped EXE
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.exe
Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe
Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
416B

MD5
453f89e2c8f4e830ac8db7611532f1dd

SHA1
d1e4a30ec5fd1067ade5d4a806457829038131ad

SHA256
533afaf7f3b5f135c3c9cfa7dc71bba8452949c40ba0d8ffc56daf87fb306936

SHA512
840c7af7dc1911f983a3f0005b9b0efa7b63161b62d53b859b29b3d2d313653d88a5e1db687f87fff1e47e233160fc96ed5067b4f11be6ef9f4bdf72c6b145df

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
416B

MD5
453f89e2c8f4e830ac8db7611532f1dd

SHA1
d1e4a30ec5fd1067ade5d4a806457829038131ad

SHA256
533afaf7f3b5f135c3c9cfa7dc71bba8452949c40ba0d8ffc56daf87fb306936

SHA512
840c7af7dc1911f983a3f0005b9b0efa7b63161b62d53b859b29b3d2d313653d88a5e1db687f87fff1e47e233160fc96ed5067b4f11be6ef9f4bdf72c6b145df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
108KB

MD5
7ead38802bd7c0a3af677214f2ba23db

SHA1
f0c204c57146244c7e2cc744214c3deff5a9f4b6

SHA256
c75ba3917383a776dee26a215929d242b7896641a4157afa1d7d05913eb473fd

SHA512
88c35c02fc21850904f41563611b57f3bd6c39b649fd8017d6fc19135c87a2b288365020a04d2571a64a91772edda9444821301d69d1ba8b4702fb577b98ac69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
108KB

MD5
7ead38802bd7c0a3af677214f2ba23db

SHA1
f0c204c57146244c7e2cc744214c3deff5a9f4b6

SHA256
c75ba3917383a776dee26a215929d242b7896641a4157afa1d7d05913eb473fd

SHA512
88c35c02fc21850904f41563611b57f3bd6c39b649fd8017d6fc19135c87a2b288365020a04d2571a64a91772edda9444821301d69d1ba8b4702fb577b98ac69

Download Submit
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
memory/1020-148-0x0000000000000000-mapping.dmp

Download
memory/1308-135-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-134-0x0000000000000000-mapping.dmp

Download
memory/1564-147-0x0000000000000000-mapping.dmp

Download
memory/2384-152-0x0000000000000000-mapping.dmp

Download
memory/2556-144-0x0000000000000000-mapping.dmp

Download
memory/3356-131-0x0000000000000000-mapping.dmp

Download
memory/4492-151-0x0000000000000000-mapping.dmp

Download
memory/4552-139-0x0000000000000000-mapping.dmp

Download
memory/4580-130-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4580-154-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download