remcos | 7bc37a2f4e71dd95aa4e40048f4aca478e8e63b9393a8c2811e8470bb6f4aba1

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2022 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order Inquiry.exe
Size

1.1MB
MD5

bd87ed67a08d2e9e4cec6526666b563e
SHA1

6ec0878c6a65ec969617287f19fde458bf0c5461
SHA256

7bc37a2f4e71dd95aa4e40048f4aca478e8e63b9393a8c2811e8470bb6f4aba1
SHA512

236f79f09a7b150c68fc899d08d620fa64ccaeb4ef21c85401296047d3b179a818d33abd22ac38d8018b7f4bc13f2a5419bbf9b1de5570ace87cc1babc815f22
SSDEEP

24576:OGmYbj/2yjk37WwHsOzj4j85M1hUQDAxzJX44qxpWo:OGmY2OghsOzj4jGM1aK4FXo

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

harjahwool.ddnsfree.com:8372

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EGNT8M
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dygjhkm.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

dygjhkm.exedygjhkmffffhh.exedygjhkmffffhh.exe

pid process

2328 dygjhkm.exe
880 dygjhkmffffhh.exe
4300 dygjhkmffffhh.exe

pid	process
2328	dygjhkm.exe
880	dygjhkmffffhh.exe
4300	dygjhkmffffhh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dygjhkm.exedygjhkmffffhh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	dygjhkm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	dygjhkmffffhh.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dygjhkm.exe

description pid process target process

PID 2328 set thread context of 3824 2328 dygjhkm.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

920 PING.EXE
2652 PING.EXE
3488 PING.EXE

description	pid	process	target process
PID 2328 set thread context of 3824	2328	dygjhkm.exe	AddInProcess32.exe

pid	process
920	PING.EXE
2652	PING.EXE
3488	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

Order Inquiry.exedygjhkm.exedygjhkmffffhh.exedygjhkmffffhh.exe

pid	process
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
1416	Order Inquiry.exe
2328	dygjhkm.exe
2328	dygjhkm.exe
2328	dygjhkm.exe
880	dygjhkmffffhh.exe
4300	dygjhkmffffhh.exe
4300	dygjhkmffffhh.exe
4300	dygjhkmffffhh.exe
2328	dygjhkm.exe
2328	dygjhkm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Order Inquiry.exedygjhkm.exeAUDIODG.EXEdygjhkmffffhh.exedygjhkmffffhh.exe

description	pid	process
Token: SeDebugPrivilege	1416	Order Inquiry.exe
Token: SeDebugPrivilege	2328	dygjhkm.exe
Token: 33	3516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3516	AUDIODG.EXE
Token: SeDebugPrivilege	880	dygjhkmffffhh.exe
Token: SeDebugPrivilege	4300	dygjhkmffffhh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

3824 AddInProcess32.exe

pid	process
3824	AddInProcess32.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Order Inquiry.execmd.execmd.exedygjhkm.exedygjhkmffffhh.exe

description	pid	process	target process
PID 1416 wrote to memory of 2308	1416	Order Inquiry.exe	cmd.exe
PID 1416 wrote to memory of 2308	1416	Order Inquiry.exe	cmd.exe
PID 1416 wrote to memory of 2308	1416	Order Inquiry.exe	cmd.exe
PID 2308 wrote to memory of 3488	2308	cmd.exe	PING.EXE
PID 2308 wrote to memory of 3488	2308	cmd.exe	PING.EXE
PID 2308 wrote to memory of 3488	2308	cmd.exe	PING.EXE
PID 1416 wrote to memory of 1164	1416	Order Inquiry.exe	cmd.exe
PID 1416 wrote to memory of 1164	1416	Order Inquiry.exe	cmd.exe
PID 1416 wrote to memory of 1164	1416	Order Inquiry.exe	cmd.exe
PID 1164 wrote to memory of 920	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 920	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 920	1164	cmd.exe	PING.EXE
PID 2308 wrote to memory of 4744	2308	cmd.exe	reg.exe
PID 2308 wrote to memory of 4744	2308	cmd.exe	reg.exe
PID 2308 wrote to memory of 4744	2308	cmd.exe	reg.exe
PID 1164 wrote to memory of 2652	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 2652	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 2652	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 2328	1164	cmd.exe	dygjhkm.exe
PID 1164 wrote to memory of 2328	1164	cmd.exe	dygjhkm.exe
PID 1164 wrote to memory of 2328	1164	cmd.exe	dygjhkm.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 3824	2328	dygjhkm.exe	AddInProcess32.exe
PID 2328 wrote to memory of 880	2328	dygjhkm.exe	dygjhkmffffhh.exe
PID 2328 wrote to memory of 880	2328	dygjhkm.exe	dygjhkmffffhh.exe
PID 2328 wrote to memory of 880	2328	dygjhkm.exe	dygjhkmffffhh.exe
PID 880 wrote to memory of 4300	880	dygjhkmffffhh.exe	dygjhkmffffhh.exe
PID 880 wrote to memory of 4300	880	dygjhkmffffhh.exe	dygjhkmffffhh.exe
PID 880 wrote to memory of 4300	880	dygjhkmffffhh.exe	dygjhkmffffhh.exe

C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dygjhkm.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
3⤵
- Runs ping.exe
PID:3488

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dygjhkm.exe,"
3⤵
- Modifies WinLogon for persistence
PID:4744

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe" "C:\Users\Admin\AppData\Roaming\dygjhkm.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\AppData\Roaming\dygjhkm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 18
3⤵
- Runs ping.exe
PID:920

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 18
3⤵
- Runs ping.exe
PID:2652

C:\Users\Admin\AppData\Roaming\dygjhkm.exe
"C:\Users\Admin\AppData\Roaming\dygjhkm.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:3824

C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
"C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
"C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dygjhkmffffhh.exe.log
Filesize
1KB

MD5
7dca233df92b3884663fa5a40db8d49c

SHA1
208b8f27b708c4e06ac37f974471cc7b29c29b60

SHA256
90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

SHA512
d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.txt
Filesize
55B

MD5
8060b3c73a211494afb6e647d8f3c341

SHA1
f39f681d82226c633c7e45b8e6107a636c36bafa

SHA256
e21698159b10c0963faf1fee0752b1c8a5d8e80e373f8c03dcd4f0e943910237

SHA512
cb007c29e0844189e9823c43f626f2f1a3a5de06ea9f74a6fd3998813417eba8553dbb3210f61f916715cf25b09d7d49e3f05b8e2c56e8199b41c502d35ec376

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.txt
Filesize
56B

MD5
a41f5d301efdeba487fc71e557636575

SHA1
e27042abeb6d2d588eaa5d687e5e640cd24c40bf

SHA256
da900694a7afdf00c46ec924eaffe4eefd0c82d973674e3669205771748f937c

SHA512
8c0f4f766e1d8fb0841756e0f3616aaa89a8e63c08e7b8668a05411b3f066d8ec1d0f8e0e3b7111c12897ac9df9411c495c84a87edaf5931f4fc9de324efdebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.txt
Filesize
56B

MD5
a41f5d301efdeba487fc71e557636575

SHA1
e27042abeb6d2d588eaa5d687e5e640cd24c40bf

SHA256
da900694a7afdf00c46ec924eaffe4eefd0c82d973674e3669205771748f937c

SHA512
8c0f4f766e1d8fb0841756e0f3616aaa89a8e63c08e7b8668a05411b3f066d8ec1d0f8e0e3b7111c12897ac9df9411c495c84a87edaf5931f4fc9de324efdebf

Download Submit
C:\Users\Admin\AppData\Roaming\dygjhkm.exe
Filesize
1.1MB

MD5
bd87ed67a08d2e9e4cec6526666b563e

SHA1
6ec0878c6a65ec969617287f19fde458bf0c5461

SHA256
7bc37a2f4e71dd95aa4e40048f4aca478e8e63b9393a8c2811e8470bb6f4aba1

SHA512
236f79f09a7b150c68fc899d08d620fa64ccaeb4ef21c85401296047d3b179a818d33abd22ac38d8018b7f4bc13f2a5419bbf9b1de5570ace87cc1babc815f22

Download Submit
C:\Users\Admin\AppData\Roaming\dygjhkm.exe
Filesize
1.1MB

MD5
bd87ed67a08d2e9e4cec6526666b563e

SHA1
6ec0878c6a65ec969617287f19fde458bf0c5461

SHA256
7bc37a2f4e71dd95aa4e40048f4aca478e8e63b9393a8c2811e8470bb6f4aba1

SHA512
236f79f09a7b150c68fc899d08d620fa64ccaeb4ef21c85401296047d3b179a818d33abd22ac38d8018b7f4bc13f2a5419bbf9b1de5570ace87cc1babc815f22

Download Submit
memory/880-155-0x00000000009B0000-0x00000000009CA000-memory.dmp

Filesize
104KB

Download
memory/880-152-0x0000000000000000-mapping.dmp

Download
memory/920-140-0x0000000000000000-mapping.dmp

Download
memory/1164-139-0x0000000000000000-mapping.dmp

Download
memory/1416-134-0x0000000005440000-0x00000000054DC000-memory.dmp

Filesize
624KB

Download
memory/1416-135-0x00000000066F0000-0x0000000006C94000-memory.dmp

Filesize
5.6MB

Download
memory/1416-133-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/1416-136-0x0000000006420000-0x000000000642A000-memory.dmp

Filesize
40KB

Download
memory/1416-132-0x0000000000730000-0x000000000085A000-memory.dmp

Filesize
1.2MB

Download
memory/2308-137-0x0000000000000000-mapping.dmp

Download
memory/2328-146-0x0000000000AD0000-0x0000000000BFA000-memory.dmp

Filesize
1.2MB

Download
memory/2328-143-0x0000000000000000-mapping.dmp

Download
memory/2652-142-0x0000000000000000-mapping.dmp

Download
memory/3488-138-0x0000000000000000-mapping.dmp

Download
memory/3824-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3824-162-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3824-151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3824-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3824-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3824-147-0x0000000000000000-mapping.dmp

Download
memory/4300-157-0x0000000000000000-mapping.dmp

Download
memory/4744-141-0x0000000000000000-mapping.dmp

Download