remcos | 70deba92a46f6f3913b10be9eeacfe0c0b89177d4ca6041012bc446ca9bd0acf

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2022 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scanned PO N402201321.exe
Size

1.1MB
MD5

be5a3dcd8ac544cc9a5eac17daf5d813
SHA1

aa1317d65deca8bd330018e85000069288ce6afc
SHA256

70deba92a46f6f3913b10be9eeacfe0c0b89177d4ca6041012bc446ca9bd0acf
SHA512

77f0f34476d41108d2bb8d1009c08eb61d906cd13aad9bc3f397ad9d6d96a5f8bcd55181c90b231c707b71a175d531a952649bed9f302d658fb0338754ac5909
SSDEEP

24576:QSbKwOzzwHsOzj4j85M1hUQDAxzJX44ws8:QSnJsOzj4jGM1aK4FXys

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

harjahwool.ddnsfree.com:8372

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EGNT8M
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\ganmuio.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

ganmuio.exegreUgKja.exegreUgKja.exe

pid process

2548 ganmuio.exe
3204 greUgKja.exe
4092 greUgKja.exe

pid	process
2548	ganmuio.exe
3204	greUgKja.exe
4092	greUgKja.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ganmuio.exegreUgKja.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ganmuio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	greUgKja.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ganmuio.exe

description pid process target process

PID 2548 set thread context of 3944 2548 ganmuio.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

4036 PING.EXE
3532 PING.EXE
1040 PING.EXE

description	pid	process	target process
PID 2548 set thread context of 3944	2548	ganmuio.exe	AddInProcess32.exe

pid	process
4036	PING.EXE
3532	PING.EXE
1040	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

Scanned PO N402201321.exeganmuio.exegreUgKja.exegreUgKja.exe

pid	process
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
4140	Scanned PO N402201321.exe
2548	ganmuio.exe
2548	ganmuio.exe
2548	ganmuio.exe
3204	greUgKja.exe
4092	greUgKja.exe
4092	greUgKja.exe
4092	greUgKja.exe
2548	ganmuio.exe
2548	ganmuio.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Scanned PO N402201321.exeganmuio.exeAUDIODG.EXEgreUgKja.exegreUgKja.exe

description	pid	process
Token: SeDebugPrivilege	4140	Scanned PO N402201321.exe
Token: SeDebugPrivilege	2548	ganmuio.exe
Token: 33	4424	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4424	AUDIODG.EXE
Token: SeDebugPrivilege	3204	greUgKja.exe
Token: SeDebugPrivilege	4092	greUgKja.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

3944 AddInProcess32.exe

pid	process
3944	AddInProcess32.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Scanned PO N402201321.execmd.execmd.exeganmuio.exegreUgKja.exe

description	pid	process	target process
PID 4140 wrote to memory of 3432	4140	Scanned PO N402201321.exe	cmd.exe
PID 4140 wrote to memory of 3432	4140	Scanned PO N402201321.exe	cmd.exe
PID 4140 wrote to memory of 3432	4140	Scanned PO N402201321.exe	cmd.exe
PID 3432 wrote to memory of 3532	3432	cmd.exe	PING.EXE
PID 3432 wrote to memory of 3532	3432	cmd.exe	PING.EXE
PID 3432 wrote to memory of 3532	3432	cmd.exe	PING.EXE
PID 4140 wrote to memory of 4332	4140	Scanned PO N402201321.exe	cmd.exe
PID 4140 wrote to memory of 4332	4140	Scanned PO N402201321.exe	cmd.exe
PID 4140 wrote to memory of 4332	4140	Scanned PO N402201321.exe	cmd.exe
PID 4332 wrote to memory of 1040	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 1040	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 1040	4332	cmd.exe	PING.EXE
PID 3432 wrote to memory of 2080	3432	cmd.exe	reg.exe
PID 3432 wrote to memory of 2080	3432	cmd.exe	reg.exe
PID 3432 wrote to memory of 2080	3432	cmd.exe	reg.exe
PID 4332 wrote to memory of 4036	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 4036	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 4036	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 2548	4332	cmd.exe	ganmuio.exe
PID 4332 wrote to memory of 2548	4332	cmd.exe	ganmuio.exe
PID 4332 wrote to memory of 2548	4332	cmd.exe	ganmuio.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3944	2548	ganmuio.exe	AddInProcess32.exe
PID 2548 wrote to memory of 3204	2548	ganmuio.exe	greUgKja.exe
PID 2548 wrote to memory of 3204	2548	ganmuio.exe	greUgKja.exe
PID 2548 wrote to memory of 3204	2548	ganmuio.exe	greUgKja.exe
PID 3204 wrote to memory of 4092	3204	greUgKja.exe	greUgKja.exe
PID 3204 wrote to memory of 4092	3204	greUgKja.exe	greUgKja.exe
PID 3204 wrote to memory of 4092	3204	greUgKja.exe	greUgKja.exe

C:\Users\Admin\AppData\Local\Temp\Scanned PO N402201321.exe
"C:\Users\Admin\AppData\Local\Temp\Scanned PO N402201321.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\ganmuio.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
3⤵
- Runs ping.exe
PID:3532

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\ganmuio.exe,"
3⤵
- Modifies WinLogon for persistence
PID:2080

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Scanned PO N402201321.exe" "C:\Users\Admin\AppData\Roaming\ganmuio.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\AppData\Roaming\ganmuio.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 13
3⤵
- Runs ping.exe
PID:1040

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 13
3⤵
- Runs ping.exe
PID:4036

C:\Users\Admin\AppData\Roaming\ganmuio.exe
"C:\Users\Admin\AppData\Roaming\ganmuio.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:3944

C:\Users\Admin\AppData\Local\Temp\greUgKja.exe
"C:\Users\Admin\AppData\Local\Temp\greUgKja.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204

C:\Users\Admin\AppData\Local\Temp\greUgKja.exe
"C:\Users\Admin\AppData\Local\Temp\greUgKja.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x394 0x370
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\greUgKja.exe.log
Filesize
1KB

MD5
7dca233df92b3884663fa5a40db8d49c

SHA1
208b8f27b708c4e06ac37f974471cc7b29c29b60

SHA256
90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

SHA512
d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\greUgKja.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\greUgKja.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\greUgKja.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\greUgKja.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\greUgKja.txt
Filesize
56B

MD5
15da1382b6023bc625946c2c58ce8e7a

SHA1
ba9120e8d170d6ac75345686adf4341ee888eaf2

SHA256
2dbe8e4d62e2be1d145ddccece831e44749d4957792f1cff94d6a02863e51451

SHA512
1985da52ed5c487a1be29f853a8f34887cb7e0e8d502f85eccd03523fac364fd8b2f8b682c45124b2488ce74d69879496b2ec1e74927597bd311b264c05fc797

Download Submit
C:\Users\Admin\AppData\Local\Temp\greUgKja.txt
Filesize
56B

MD5
15da1382b6023bc625946c2c58ce8e7a

SHA1
ba9120e8d170d6ac75345686adf4341ee888eaf2

SHA256
2dbe8e4d62e2be1d145ddccece831e44749d4957792f1cff94d6a02863e51451

SHA512
1985da52ed5c487a1be29f853a8f34887cb7e0e8d502f85eccd03523fac364fd8b2f8b682c45124b2488ce74d69879496b2ec1e74927597bd311b264c05fc797

Download Submit
C:\Users\Admin\AppData\Roaming\ganmuio.exe
Filesize
1.1MB

MD5
be5a3dcd8ac544cc9a5eac17daf5d813

SHA1
aa1317d65deca8bd330018e85000069288ce6afc

SHA256
70deba92a46f6f3913b10be9eeacfe0c0b89177d4ca6041012bc446ca9bd0acf

SHA512
77f0f34476d41108d2bb8d1009c08eb61d906cd13aad9bc3f397ad9d6d96a5f8bcd55181c90b231c707b71a175d531a952649bed9f302d658fb0338754ac5909

Download Submit
C:\Users\Admin\AppData\Roaming\ganmuio.exe
Filesize
1.1MB

MD5
be5a3dcd8ac544cc9a5eac17daf5d813

SHA1
aa1317d65deca8bd330018e85000069288ce6afc

SHA256
70deba92a46f6f3913b10be9eeacfe0c0b89177d4ca6041012bc446ca9bd0acf

SHA512
77f0f34476d41108d2bb8d1009c08eb61d906cd13aad9bc3f397ad9d6d96a5f8bcd55181c90b231c707b71a175d531a952649bed9f302d658fb0338754ac5909

Download Submit
memory/1040-140-0x0000000000000000-mapping.dmp

Download
memory/2080-141-0x0000000000000000-mapping.dmp

Download
memory/2548-146-0x00000000001B0000-0x00000000002C8000-memory.dmp

Filesize
1.1MB

Download
memory/2548-143-0x0000000000000000-mapping.dmp

Download
memory/3204-155-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

Filesize
104KB

Download
memory/3204-152-0x0000000000000000-mapping.dmp

Download
memory/3432-137-0x0000000000000000-mapping.dmp

Download
memory/3532-138-0x0000000000000000-mapping.dmp

Download
memory/3944-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3944-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3944-151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3944-162-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3944-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3944-147-0x0000000000000000-mapping.dmp

Download
memory/4036-142-0x0000000000000000-mapping.dmp

Download
memory/4092-157-0x0000000000000000-mapping.dmp

Download
memory/4140-132-0x0000000000700000-0x0000000000818000-memory.dmp

Filesize
1.1MB

Download
memory/4140-136-0x0000000005B50000-0x0000000005B5A000-memory.dmp

Filesize
40KB

Download
memory/4140-135-0x0000000005B80000-0x0000000005C12000-memory.dmp

Filesize
584KB

Download
memory/4140-134-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/4140-133-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

Filesize
624KB

Download
memory/4332-139-0x0000000000000000-mapping.dmp

Download