remcos | 35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32

Analysis

max time kernel
95s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08/10/2022, 04:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7f7ceee3ca0561325ff8bcdf6b682199.exe
Size

1.1MB
MD5

7f7ceee3ca0561325ff8bcdf6b682199
SHA1

26a6430413747bc652705a97b663cceb5018712e
SHA256

35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32
SHA512

6b8c77d932b29807528f388237f99499ca5f0b2c86d16fbe57a53c9f3b7c3c7cd09dfd05643f0eeaf26f7734eaaa00de1228a8fa9918a4dfa36770b4a8c13da2
SSDEEP

24576:aoFBkPPpLnSWGt8NZthzcKvEuwrTHr/0+hYLDdOs9aMd:zFyhnrGtitxc/uWHrLYs

Score

10^/10

remcos ud-host persistence rat

Malware Config

Extracted

Family

remcos

Botnet

UD-Host

amegroupofschoos32.sytes.net:4820

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
dos.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
mouse_option
false
mutex
Rmc-7F587C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
ax
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 6 IoCs

pid	Process
1044	dos.exe
1192	dos.exe
1540	dos.exe
856	dos.exe
1728	dos.exe
860	dos.exe

Loads dropped DLL 2 IoCs

pid	Process
308	cmd.exe
308	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	7f7ceee3ca0561325ff8bcdf6b682199.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ax = "\"C:\\Users\\Admin\\AppData\\Roaming\\dos.exe\""	7f7ceee3ca0561325ff8bcdf6b682199.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	7f7ceee3ca0561325ff8bcdf6b682199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ax = "\"C:\\Users\\Admin\\AppData\\Roaming\\dos.exe\""	7f7ceee3ca0561325ff8bcdf6b682199.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1408	7f7ceee3ca0561325ff8bcdf6b682199.exe
1408	7f7ceee3ca0561325ff8bcdf6b682199.exe
1408	7f7ceee3ca0561325ff8bcdf6b682199.exe
1408	7f7ceee3ca0561325ff8bcdf6b682199.exe
1044	dos.exe
1044	dos.exe
1044	dos.exe
1044	dos.exe
1044	dos.exe
1044	dos.exe
1044	dos.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe
Token: SeDebugPrivilege	1044	dos.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 828	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	26
PID 1408 wrote to memory of 828	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	26
PID 1408 wrote to memory of 828	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	26
PID 1408 wrote to memory of 828	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	26
PID 1408 wrote to memory of 744	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	27
PID 1408 wrote to memory of 744	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	27
PID 1408 wrote to memory of 744	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	27
PID 1408 wrote to memory of 744	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	27
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 1408 wrote to memory of 748	1408	7f7ceee3ca0561325ff8bcdf6b682199.exe	28
PID 748 wrote to memory of 1752	748	7f7ceee3ca0561325ff8bcdf6b682199.exe	29
PID 748 wrote to memory of 1752	748	7f7ceee3ca0561325ff8bcdf6b682199.exe	29
PID 748 wrote to memory of 1752	748	7f7ceee3ca0561325ff8bcdf6b682199.exe	29
PID 748 wrote to memory of 1752	748	7f7ceee3ca0561325ff8bcdf6b682199.exe	29
PID 1752 wrote to memory of 308	1752	WScript.exe	30
PID 1752 wrote to memory of 308	1752	WScript.exe	30
PID 1752 wrote to memory of 308	1752	WScript.exe	30
PID 1752 wrote to memory of 308	1752	WScript.exe	30
PID 308 wrote to memory of 1044	308	cmd.exe	32
PID 308 wrote to memory of 1044	308	cmd.exe	32
PID 308 wrote to memory of 1044	308	cmd.exe	32
PID 308 wrote to memory of 1044	308	cmd.exe	32
PID 1044 wrote to memory of 1192	1044	dos.exe	33
PID 1044 wrote to memory of 1192	1044	dos.exe	33
PID 1044 wrote to memory of 1192	1044	dos.exe	33
PID 1044 wrote to memory of 1192	1044	dos.exe	33
PID 1044 wrote to memory of 1540	1044	dos.exe	34
PID 1044 wrote to memory of 1540	1044	dos.exe	34
PID 1044 wrote to memory of 1540	1044	dos.exe	34
PID 1044 wrote to memory of 1540	1044	dos.exe	34
PID 1044 wrote to memory of 856	1044	dos.exe	35
PID 1044 wrote to memory of 856	1044	dos.exe	35
PID 1044 wrote to memory of 856	1044	dos.exe	35
PID 1044 wrote to memory of 856	1044	dos.exe	35
PID 1044 wrote to memory of 860	1044	dos.exe	36
PID 1044 wrote to memory of 860	1044	dos.exe	36
PID 1044 wrote to memory of 860	1044	dos.exe	36
PID 1044 wrote to memory of 860	1044	dos.exe	36
PID 1044 wrote to memory of 1728	1044	dos.exe	37
PID 1044 wrote to memory of 1728	1044	dos.exe	37
PID 1044 wrote to memory of 1728	1044	dos.exe	37
PID 1044 wrote to memory of 1728	1044	dos.exe	37

C:\Users\Admin\AppData\Local\Temp\7f7ceee3ca0561325ff8bcdf6b682199.exe
"C:\Users\Admin\AppData\Local\Temp\7f7ceee3ca0561325ff8bcdf6b682199.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\7f7ceee3ca0561325ff8bcdf6b682199.exe
  "C:\Users\Admin\AppData\Local\Temp\7f7ceee3ca0561325ff8bcdf6b682199.exe"
  2⤵
  PID:828
- C:\Users\Admin\AppData\Local\Temp\7f7ceee3ca0561325ff8bcdf6b682199.exe
  "C:\Users\Admin\AppData\Local\Temp\7f7ceee3ca0561325ff8bcdf6b682199.exe"
  2⤵
  PID:744
- C:\Users\Admin\AppData\Local\Temp\7f7ceee3ca0561325ff8bcdf6b682199.exe
  "C:\Users\Admin\AppData\Local\Temp\7f7ceee3ca0561325ff8bcdf6b682199.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\dos.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:308
    - - C:\Users\Admin\AppData\Roaming\dos.exe
        
        C:\Users\Admin\AppData\Roaming\dos.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
      - C:\Users\Admin\AppData\Roaming\dos.exe
        
        "C:\Users\Admin\AppData\Roaming\dos.exe"
        6⤵
        Executes dropped EXE
        
        PID:1192
      - C:\Users\Admin\AppData\Roaming\dos.exe
        
        "C:\Users\Admin\AppData\Roaming\dos.exe"
        6⤵
        Executes dropped EXE
        
        PID:1540
      - C:\Users\Admin\AppData\Roaming\dos.exe
        
        "C:\Users\Admin\AppData\Roaming\dos.exe"
        6⤵
        Executes dropped EXE
        
        PID:856
      - C:\Users\Admin\AppData\Roaming\dos.exe
        
        "C:\Users\Admin\AppData\Roaming\dos.exe"
        6⤵
        Executes dropped EXE
        
        PID:860
      - C:\Users\Admin\AppData\Roaming\dos.exe
        
        "C:\Users\Admin\AppData\Roaming\dos.exe"
        6⤵
        Executes dropped EXE
        
        PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
398B

MD5
900bef8cebe89717a150a46ada498865

SHA1
f56e326209561a9baffeae921deefad15bb7a699

SHA256
65be12a911de0a8ca2019e4bc52118fc2521b257aafae055bf6b1dff9247fa5c

SHA512
eccf6ddd112f2219d52ef1feb70cab487d7d88bf8ca8637ca2f2cb5121da781dc9268bda45617191c1624957cd5df0b6b086e01fe868a325cac48f2e5f284e11

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
7f7ceee3ca0561325ff8bcdf6b682199

SHA1
26a6430413747bc652705a97b663cceb5018712e

SHA256
35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32

SHA512
6b8c77d932b29807528f388237f99499ca5f0b2c86d16fbe57a53c9f3b7c3c7cd09dfd05643f0eeaf26f7734eaaa00de1228a8fa9918a4dfa36770b4a8c13da2

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
7f7ceee3ca0561325ff8bcdf6b682199

SHA1
26a6430413747bc652705a97b663cceb5018712e

SHA256
35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32

SHA512
6b8c77d932b29807528f388237f99499ca5f0b2c86d16fbe57a53c9f3b7c3c7cd09dfd05643f0eeaf26f7734eaaa00de1228a8fa9918a4dfa36770b4a8c13da2

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
7f7ceee3ca0561325ff8bcdf6b682199

SHA1
26a6430413747bc652705a97b663cceb5018712e

SHA256
35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32

SHA512
6b8c77d932b29807528f388237f99499ca5f0b2c86d16fbe57a53c9f3b7c3c7cd09dfd05643f0eeaf26f7734eaaa00de1228a8fa9918a4dfa36770b4a8c13da2

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
7f7ceee3ca0561325ff8bcdf6b682199

SHA1
26a6430413747bc652705a97b663cceb5018712e

SHA256
35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32

SHA512
6b8c77d932b29807528f388237f99499ca5f0b2c86d16fbe57a53c9f3b7c3c7cd09dfd05643f0eeaf26f7734eaaa00de1228a8fa9918a4dfa36770b4a8c13da2

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
7f7ceee3ca0561325ff8bcdf6b682199

SHA1
26a6430413747bc652705a97b663cceb5018712e

SHA256
35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32

SHA512
6b8c77d932b29807528f388237f99499ca5f0b2c86d16fbe57a53c9f3b7c3c7cd09dfd05643f0eeaf26f7734eaaa00de1228a8fa9918a4dfa36770b4a8c13da2

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
7f7ceee3ca0561325ff8bcdf6b682199

SHA1
26a6430413747bc652705a97b663cceb5018712e

SHA256
35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32

SHA512
6b8c77d932b29807528f388237f99499ca5f0b2c86d16fbe57a53c9f3b7c3c7cd09dfd05643f0eeaf26f7734eaaa00de1228a8fa9918a4dfa36770b4a8c13da2

Download Submit
C:\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
7f7ceee3ca0561325ff8bcdf6b682199

SHA1
26a6430413747bc652705a97b663cceb5018712e

SHA256
35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32

SHA512
6b8c77d932b29807528f388237f99499ca5f0b2c86d16fbe57a53c9f3b7c3c7cd09dfd05643f0eeaf26f7734eaaa00de1228a8fa9918a4dfa36770b4a8c13da2

Download Submit
\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
7f7ceee3ca0561325ff8bcdf6b682199

SHA1
26a6430413747bc652705a97b663cceb5018712e

SHA256
35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32

SHA512
6b8c77d932b29807528f388237f99499ca5f0b2c86d16fbe57a53c9f3b7c3c7cd09dfd05643f0eeaf26f7734eaaa00de1228a8fa9918a4dfa36770b4a8c13da2

Download Submit
\Users\Admin\AppData\Roaming\dos.exe

Filesize
1.1MB

MD5
7f7ceee3ca0561325ff8bcdf6b682199

SHA1
26a6430413747bc652705a97b663cceb5018712e

SHA256
35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32

SHA512
6b8c77d932b29807528f388237f99499ca5f0b2c86d16fbe57a53c9f3b7c3c7cd09dfd05643f0eeaf26f7734eaaa00de1228a8fa9918a4dfa36770b4a8c13da2

Download Submit
memory/748-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-86-0x00000000003F0000-0x0000000000504000-memory.dmp

Filesize
1.1MB

Download
memory/1408-54-0x0000000000170000-0x0000000000284000-memory.dmp

Filesize
1.1MB

Download
memory/1408-58-0x0000000007860000-0x00000000078DC000-memory.dmp

Filesize
496KB

Download
memory/1408-57-0x000000000A680000-0x000000000A750000-memory.dmp

Filesize
832KB

Download
memory/1408-56-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/1408-55-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download