remcos | 9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285

Analysis

max time kernel
149s
max time network
134s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/09/2022, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aea3d8589e1af35ebd2242d29308534.exe
Size

1002KB
MD5

5aea3d8589e1af35ebd2242d29308534
SHA1

1bbc38a19587fe28645f3e7b2f1c0a78d42b53ba
SHA256

9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
SHA512

7ad4f8c2e9ae3e295665d9c6bf96397d354585754fca571884f3401b7be9d00feb7c1c546ffaa4592218974ec2988d1e8abfbf860ab50ae914b6c0c42d5b14a0
SSDEEP

24576:l4444HyyDTaaJxmFSOeV6nNXPh3nJk5n48+6mm34444:VSeVKZ5H6m

Score

10^/10

remcos water-host persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Water-Host

ericbishop225.sytes.net:2220

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
pos.exe
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
mouse_option
false
mutex
Rmc-T77132
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
poc
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
1460	pos.exe
276	pos.exe

Loads dropped DLL 2 IoCs

pid	Process
1648	cmd.exe
1648	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\poc = "\"C:\\Users\\Admin\\AppData\\Roaming\\pos.exe\""	pos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	pos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\poc = "\"C:\\Users\\Admin\\AppData\\Roaming\\pos.exe\""	pos.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	5aea3d8589e1af35ebd2242d29308534.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\poc = "\"C:\\Users\\Admin\\AppData\\Roaming\\pos.exe\""	5aea3d8589e1af35ebd2242d29308534.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	5aea3d8589e1af35ebd2242d29308534.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\poc = "\"C:\\Users\\Admin\\AppData\\Roaming\\pos.exe\""	5aea3d8589e1af35ebd2242d29308534.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	pos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1460 set thread context of 276	1460	pos.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1424	5aea3d8589e1af35ebd2242d29308534.exe
1424	5aea3d8589e1af35ebd2242d29308534.exe
1424	5aea3d8589e1af35ebd2242d29308534.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	5aea3d8589e1af35ebd2242d29308534.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
276	pos.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1476	1424	5aea3d8589e1af35ebd2242d29308534.exe	26
PID 1424 wrote to memory of 1476	1424	5aea3d8589e1af35ebd2242d29308534.exe	26
PID 1424 wrote to memory of 1476	1424	5aea3d8589e1af35ebd2242d29308534.exe	26
PID 1424 wrote to memory of 1476	1424	5aea3d8589e1af35ebd2242d29308534.exe	26
PID 1424 wrote to memory of 944	1424	5aea3d8589e1af35ebd2242d29308534.exe	27
PID 1424 wrote to memory of 944	1424	5aea3d8589e1af35ebd2242d29308534.exe	27
PID 1424 wrote to memory of 944	1424	5aea3d8589e1af35ebd2242d29308534.exe	27
PID 1424 wrote to memory of 944	1424	5aea3d8589e1af35ebd2242d29308534.exe	27
PID 1424 wrote to memory of 976	1424	5aea3d8589e1af35ebd2242d29308534.exe	28
PID 1424 wrote to memory of 976	1424	5aea3d8589e1af35ebd2242d29308534.exe	28
PID 1424 wrote to memory of 976	1424	5aea3d8589e1af35ebd2242d29308534.exe	28
PID 1424 wrote to memory of 976	1424	5aea3d8589e1af35ebd2242d29308534.exe	28
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 1424 wrote to memory of 940	1424	5aea3d8589e1af35ebd2242d29308534.exe	29
PID 940 wrote to memory of 1640	940	5aea3d8589e1af35ebd2242d29308534.exe	30
PID 940 wrote to memory of 1640	940	5aea3d8589e1af35ebd2242d29308534.exe	30
PID 940 wrote to memory of 1640	940	5aea3d8589e1af35ebd2242d29308534.exe	30
PID 940 wrote to memory of 1640	940	5aea3d8589e1af35ebd2242d29308534.exe	30
PID 1640 wrote to memory of 1648	1640	WScript.exe	31
PID 1640 wrote to memory of 1648	1640	WScript.exe	31
PID 1640 wrote to memory of 1648	1640	WScript.exe	31
PID 1640 wrote to memory of 1648	1640	WScript.exe	31
PID 1648 wrote to memory of 1460	1648	cmd.exe	33
PID 1648 wrote to memory of 1460	1648	cmd.exe	33
PID 1648 wrote to memory of 1460	1648	cmd.exe	33
PID 1648 wrote to memory of 1460	1648	cmd.exe	33
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34
PID 1460 wrote to memory of 276	1460	pos.exe	34

C:\Users\Admin\AppData\Local\Temp\5aea3d8589e1af35ebd2242d29308534.exe
"C:\Users\Admin\AppData\Local\Temp\5aea3d8589e1af35ebd2242d29308534.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\5aea3d8589e1af35ebd2242d29308534.exe
  "C:\Users\Admin\AppData\Local\Temp\5aea3d8589e1af35ebd2242d29308534.exe"
  2⤵
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\5aea3d8589e1af35ebd2242d29308534.exe
  "C:\Users\Admin\AppData\Local\Temp\5aea3d8589e1af35ebd2242d29308534.exe"
  2⤵
  PID:944
- C:\Users\Admin\AppData\Local\Temp\5aea3d8589e1af35ebd2242d29308534.exe
  "C:\Users\Admin\AppData\Local\Temp\5aea3d8589e1af35ebd2242d29308534.exe"
  2⤵
  PID:976
- C:\Users\Admin\AppData\Local\Temp\5aea3d8589e1af35ebd2242d29308534.exe
  "C:\Users\Admin\AppData\Local\Temp\5aea3d8589e1af35ebd2242d29308534.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\pos.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Users\Admin\AppData\Roaming\pos.exe
        
        C:\Users\Admin\AppData\Roaming\pos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Users\Admin\AppData\Roaming\pos.exe
        
        "C:\Users\Admin\AppData\Roaming\pos.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
398B

MD5
60bed8023597b165f4d94f81a7766af6

SHA1
e7964eaa855a967e1aaa71852b777f77b8033b33

SHA256
72d980f61fba569362109748e772ad21f45ec4cd9db1c226b0278aecb3c9661e

SHA512
9c7e8305f369ba24a6b54fa5d7b0671e12635c065766400336e9e96a1151a35749239d49fecc38cc52a32e8cc8a6dccf6d0712afac0eae3f503cd3fca904f468

Download Submit
C:\Users\Admin\AppData\Roaming\pos.exe

Filesize
1002KB

MD5
5aea3d8589e1af35ebd2242d29308534

SHA1
1bbc38a19587fe28645f3e7b2f1c0a78d42b53ba

SHA256
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285

SHA512
7ad4f8c2e9ae3e295665d9c6bf96397d354585754fca571884f3401b7be9d00feb7c1c546ffaa4592218974ec2988d1e8abfbf860ab50ae914b6c0c42d5b14a0

Download Submit
C:\Users\Admin\AppData\Roaming\pos.exe

Filesize
1002KB

MD5
5aea3d8589e1af35ebd2242d29308534

SHA1
1bbc38a19587fe28645f3e7b2f1c0a78d42b53ba

SHA256
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285

SHA512
7ad4f8c2e9ae3e295665d9c6bf96397d354585754fca571884f3401b7be9d00feb7c1c546ffaa4592218974ec2988d1e8abfbf860ab50ae914b6c0c42d5b14a0

Download Submit
C:\Users\Admin\AppData\Roaming\pos.exe

Filesize
1002KB

MD5
5aea3d8589e1af35ebd2242d29308534

SHA1
1bbc38a19587fe28645f3e7b2f1c0a78d42b53ba

SHA256
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285

SHA512
7ad4f8c2e9ae3e295665d9c6bf96397d354585754fca571884f3401b7be9d00feb7c1c546ffaa4592218974ec2988d1e8abfbf860ab50ae914b6c0c42d5b14a0

Download Submit
\Users\Admin\AppData\Roaming\pos.exe

Filesize
1002KB

MD5
5aea3d8589e1af35ebd2242d29308534

SHA1
1bbc38a19587fe28645f3e7b2f1c0a78d42b53ba

SHA256
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285

SHA512
7ad4f8c2e9ae3e295665d9c6bf96397d354585754fca571884f3401b7be9d00feb7c1c546ffaa4592218974ec2988d1e8abfbf860ab50ae914b6c0c42d5b14a0

Download Submit
\Users\Admin\AppData\Roaming\pos.exe

Filesize
1002KB

MD5
5aea3d8589e1af35ebd2242d29308534

SHA1
1bbc38a19587fe28645f3e7b2f1c0a78d42b53ba

SHA256
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285

SHA512
7ad4f8c2e9ae3e295665d9c6bf96397d354585754fca571884f3401b7be9d00feb7c1c546ffaa4592218974ec2988d1e8abfbf860ab50ae914b6c0c42d5b14a0

Download Submit
memory/276-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/276-106-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/276-105-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1424-54-0x00000000000B0000-0x00000000001B0000-memory.dmp

Filesize
1024KB

Download
memory/1424-58-0x00000000057A0000-0x000000000581C000-memory.dmp

Filesize
496KB

Download
memory/1424-57-0x00000000055B0000-0x0000000005680000-memory.dmp

Filesize
832KB

Download
memory/1424-56-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download
memory/1424-55-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1460-86-0x0000000000CE0000-0x0000000000DE0000-memory.dmp

Filesize
1024KB

Download