remcos | c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414

Analysis

max time kernel
147s
max time network
141s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
08-08-2022 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe
Size

466KB
MD5

a8d2bc2fa3e2eba741042c348f37a699
SHA1

c75dc387c250c651967b95434e3e5c06bc050e62
SHA256

c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414
SHA512

faad78aee9962f2d1dc17676cda26a6c1115d924d082d6354ac41b45b08fa327469c95f1f24ba3abb9cc773e06bdde3dee041df5d3b7ab0e1ca01ce9f5acb082

Score

10^/10

remcos andrew persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Andrew

185.222.58.111:5355

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
PerfLog.exe
copy_folder
Remcos
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2BHLXE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
PerfLog
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

PerfLog.exe

pid process

4760 PerfLog.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

4612 WScript.exe

pid	process
4760	PerfLog.exe

pid	process
4612	WScript.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PerfLog.exeiexplore.exec905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PerfLog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PerfLog = "\"C:\\ProgramData\\Remcos\\PerfLog.exe\""	PerfLog.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Windows\CurrentVersion\Run\	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PerfLog = "\"C:\\ProgramData\\Remcos\\PerfLog.exe\""	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Windows\CurrentVersion\Run\PerfLog = "\"C:\\ProgramData\\Remcos\\PerfLog.exe\""	c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PerfLog = "\"C:\\ProgramData\\Remcos\\PerfLog.exe\""	c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Windows\CurrentVersion\Run\PerfLog = "\"C:\\ProgramData\\Remcos\\PerfLog.exe\""	PerfLog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	PerfLog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Windows\CurrentVersion\Run\PerfLog = "\"C:\\ProgramData\\Remcos\\PerfLog.exe\""	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PerfLog.exeiexplore.exe

description	pid	process	target process
PID 4760 set thread context of 3120	4760	PerfLog.exe	iexplore.exe
PID 3120 set thread context of 3040	3120	iexplore.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings	c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

PerfLog.exeiexplore.exe

pid process

4760 PerfLog.exe
3120 iexplore.exe

pid	process
4760	PerfLog.exe
3120	iexplore.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exeWScript.execmd.exePerfLog.exeiexplore.exe

description	pid	process	target process
PID 2428 wrote to memory of 4612	2428	c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe	WScript.exe
PID 2428 wrote to memory of 4612	2428	c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe	WScript.exe
PID 2428 wrote to memory of 4612	2428	c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe	WScript.exe
PID 4612 wrote to memory of 4932	4612	WScript.exe	cmd.exe
PID 4612 wrote to memory of 4932	4612	WScript.exe	cmd.exe
PID 4612 wrote to memory of 4932	4612	WScript.exe	cmd.exe
PID 4932 wrote to memory of 4760	4932	cmd.exe	PerfLog.exe
PID 4932 wrote to memory of 4760	4932	cmd.exe	PerfLog.exe
PID 4932 wrote to memory of 4760	4932	cmd.exe	PerfLog.exe
PID 4760 wrote to memory of 3120	4760	PerfLog.exe	iexplore.exe
PID 4760 wrote to memory of 3120	4760	PerfLog.exe	iexplore.exe
PID 4760 wrote to memory of 3120	4760	PerfLog.exe	iexplore.exe
PID 4760 wrote to memory of 3120	4760	PerfLog.exe	iexplore.exe
PID 3120 wrote to memory of 3040	3120	iexplore.exe	svchost.exe
PID 3120 wrote to memory of 3040	3120	iexplore.exe	svchost.exe
PID 3120 wrote to memory of 3040	3120	iexplore.exe	svchost.exe
PID 3120 wrote to memory of 3040	3120	iexplore.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe
"C:\Users\Admin\AppData\Local\Temp\c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\PerfLog.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\ProgramData\Remcos\PerfLog.exe
C:\ProgramData\Remcos\PerfLog.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4760

\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
5⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\SysWOW64\svchost.exe
svchost.exe
6⤵
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\PerfLog.exe
Filesize
466KB

MD5
a8d2bc2fa3e2eba741042c348f37a699

SHA1
c75dc387c250c651967b95434e3e5c06bc050e62

SHA256
c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414

SHA512
faad78aee9962f2d1dc17676cda26a6c1115d924d082d6354ac41b45b08fa327469c95f1f24ba3abb9cc773e06bdde3dee041df5d3b7ab0e1ca01ce9f5acb082

Download Submit
C:\ProgramData\Remcos\PerfLog.exe
Filesize
466KB

MD5
a8d2bc2fa3e2eba741042c348f37a699

SHA1
c75dc387c250c651967b95434e3e5c06bc050e62

SHA256
c905fd88a04d9800fd13f9c2c085764bfe4ef4edc0b32d8be8b89bec7fbd5414

SHA512
faad78aee9962f2d1dc17676cda26a6c1115d924d082d6354ac41b45b08fa327469c95f1f24ba3abb9cc773e06bdde3dee041df5d3b7ab0e1ca01ce9f5acb082

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
628B

MD5
e848c93aeb327499cc174915e0ad7e57

SHA1
d02d4d84be1ee4db0c712a515ff1475760e1253b

SHA256
50e328ba9478dad020249743621f4f4cfeb37585676b6985fbcff18d540809cb

SHA512
d629fb3a1a4c1ac928c761c8bfa8e7f1da4126534c6c4e5b2eae8e11d7d799e867dceb48a868be2bc6588c091352c632a9b0638d1390c4526e18955e31635504

Download Submit
memory/2428-150-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-122-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-119-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-120-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-151-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-152-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-123-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-125-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-124-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-126-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-127-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-128-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-129-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-130-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-131-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-132-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-134-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-133-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-136-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-137-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-138-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-139-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-135-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-140-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-141-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-142-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-143-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-144-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-145-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-146-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-147-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-148-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-149-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-117-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-153-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-118-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-121-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-154-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-155-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-156-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-157-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-158-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-160-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-159-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-161-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-162-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-164-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-163-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/2428-165-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-389-0x00000000008D0000-0x000000000094E000-memory.dmp

Filesize
504KB

Download
memory/3040-331-0x0000000000901BE8-mapping.dmp

Download
memory/3120-288-0x0000000000731BE8-mapping.dmp

Download
memory/3120-390-0x0000000000700000-0x000000000077E000-memory.dmp

Filesize
504KB

Download
memory/3120-337-0x0000000000700000-0x000000000077E000-memory.dmp

Filesize
504KB

Download
memory/4612-167-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-179-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-172-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-174-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-173-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-181-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-178-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-177-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-176-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-171-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-170-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-169-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-168-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-166-0x0000000000000000-mapping.dmp

Download
memory/4612-180-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4612-175-0x0000000077680000-0x000000007780E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-246-0x0000000000000000-mapping.dmp

Download
memory/4932-233-0x0000000000000000-mapping.dmp

Download