remcos | 883a54ccd8c0af9a22ef5e853f8198dd5636e14f866e38acb878c44bccecafbe | Triage

Analysis

max time kernel
61s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2022, 04:25 UTC

Sharing

Report Analysis Logs

General

Target

892-71-0x0000000000400000-0x0000000000417000-memory.exe
Size

92KB
MD5

8ae4e8ccedefbdfb9ca1aa0aec5930a9
SHA1

c95383e65365197a35c1546a09b72856ddaf3d48
SHA256

883a54ccd8c0af9a22ef5e853f8198dd5636e14f866e38acb878c44bccecafbe
SHA512

79c6a5dafd87408a829e3a080bc04c0198e96a8c5ccaf380364e6f7ca406fd844db82d02dbd2b54e21415b104ccca7d8a81ed06dcd19baaab0d785dcf21930ec
SSDEEP

1536:ghhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6Pr1:mhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+i

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

91.192.100.41:8600

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_oslegjhiewbgvzr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
3908	remcos.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	892-71-0x0000000000400000-0x0000000000417000-memory.exe

Adds Run key to start application 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	892-71-0x0000000000400000-0x0000000000417000-memory.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	892-71-0x0000000000400000-0x0000000000417000-memory.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
2228	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 2604	916	892-71-0x0000000000400000-0x0000000000417000-memory.exe	80
PID 916 wrote to memory of 2604	916	892-71-0x0000000000400000-0x0000000000417000-memory.exe	80
PID 916 wrote to memory of 2604	916	892-71-0x0000000000400000-0x0000000000417000-memory.exe	80
PID 2604 wrote to memory of 2228	2604	cmd.exe	82
PID 2604 wrote to memory of 2228	2604	cmd.exe	82
PID 2604 wrote to memory of 2228	2604	cmd.exe	82
PID 2604 wrote to memory of 3908	2604	cmd.exe	83
PID 2604 wrote to memory of 3908	2604	cmd.exe	83
PID 2604 wrote to memory of 3908	2604	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\892-71-0x0000000000400000-0x0000000000417000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\892-71-0x0000000000400000-0x0000000000417000-memory.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2228
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3908

Network

No results found

93.184.220.29:80

322 B
7
93.184.220.29:80

322 B
7
91.192.100.41:8600

remcos.exe

1.2kB
988 B
11
18
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
20.189.173.10:443

322 B
7

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
99B

MD5
76c1687d97dfdbcea62ef1490bec5001

SHA1
5f4d1aeafa7d840cde67b76f97416dd68efd1bed

SHA256
79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4

SHA512
da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

Filesize
92KB

MD5
8ae4e8ccedefbdfb9ca1aa0aec5930a9

SHA1
c95383e65365197a35c1546a09b72856ddaf3d48

SHA256
883a54ccd8c0af9a22ef5e853f8198dd5636e14f866e38acb878c44bccecafbe

SHA512
79c6a5dafd87408a829e3a080bc04c0198e96a8c5ccaf380364e6f7ca406fd844db82d02dbd2b54e21415b104ccca7d8a81ed06dcd19baaab0d785dcf21930ec

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

Filesize
92KB

MD5
8ae4e8ccedefbdfb9ca1aa0aec5930a9

SHA1
c95383e65365197a35c1546a09b72856ddaf3d48

SHA256
883a54ccd8c0af9a22ef5e853f8198dd5636e14f866e38acb878c44bccecafbe

SHA512
79c6a5dafd87408a829e3a080bc04c0198e96a8c5ccaf380364e6f7ca406fd844db82d02dbd2b54e21415b104ccca7d8a81ed06dcd19baaab0d785dcf21930ec

Download Submit