remcos | 4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc

Analysis

max time kernel
163s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebb80429c2ab3a4b98092d9681c83a0f.exe
Size

322KB
MD5

ebb80429c2ab3a4b98092d9681c83a0f
SHA1

ff42b517c77a1e7fd1e8c133cdc3702f455e2a2f
SHA256

4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc
SHA512

eef552e819bcf016662e3e5bdeeef7c6bba33d8f3d760fec397c464352590a4d7c3a63a1614dc8f5b80af5282b31e39eed512ea933866205c46c84f0675938c4
SSDEEP

6144:HNeZm2smfQ8gA3mXO5cOZuIpkgaB/uPLDmzxxznqJRMVYaWp2Oal0t8FqD:HNl3mfQq3/JX0QLDi/zsaaz

Score

10^/10

remcos test persistence rat upx

Malware Config

Extracted

Family

remcos

Botnet

test

91.192.100.20:7967

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TIHKWD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
1592	mzzfe.exe
204	remcos.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4144-138-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4144-141-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4856-149-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4856-150-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mzzfe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 2 IoCs

pid	Process
4144	mzzfe.exe
4856	remcos.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	mzzfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	mzzfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	mzzfe.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	mzzfe.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1592 set thread context of 4144	1592	mzzfe.exe	84
PID 204 set thread context of 4856	204	remcos.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1564	1592	WerFault.exe	83
2208	204	WerFault.exe	90

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	mzzfe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4856	remcos.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 1592	4372	ebb80429c2ab3a4b98092d9681c83a0f.exe	83
PID 4372 wrote to memory of 1592	4372	ebb80429c2ab3a4b98092d9681c83a0f.exe	83
PID 4372 wrote to memory of 1592	4372	ebb80429c2ab3a4b98092d9681c83a0f.exe	83
PID 1592 wrote to memory of 4144	1592	mzzfe.exe	84
PID 1592 wrote to memory of 4144	1592	mzzfe.exe	84
PID 1592 wrote to memory of 4144	1592	mzzfe.exe	84
PID 1592 wrote to memory of 4144	1592	mzzfe.exe	84
PID 4144 wrote to memory of 2780	4144	mzzfe.exe	87
PID 4144 wrote to memory of 2780	4144	mzzfe.exe	87
PID 4144 wrote to memory of 2780	4144	mzzfe.exe	87
PID 2780 wrote to memory of 3708	2780	WScript.exe	88
PID 2780 wrote to memory of 3708	2780	WScript.exe	88
PID 2780 wrote to memory of 3708	2780	WScript.exe	88
PID 3708 wrote to memory of 204	3708	cmd.exe	90
PID 3708 wrote to memory of 204	3708	cmd.exe	90
PID 3708 wrote to memory of 204	3708	cmd.exe	90
PID 204 wrote to memory of 4856	204	remcos.exe	91
PID 204 wrote to memory of 4856	204	remcos.exe	91
PID 204 wrote to memory of 4856	204	remcos.exe	91
PID 204 wrote to memory of 4856	204	remcos.exe	91

C:\Users\Admin\AppData\Local\Temp\ebb80429c2ab3a4b98092d9681c83a0f.exe
"C:\Users\Admin\AppData\Local\Temp\ebb80429c2ab3a4b98092d9681c83a0f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\mzzfe.exe
  "C:\Users\Admin\AppData\Local\Temp\mzzfe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\mzzfe.exe
    "C:\Users\Admin\AppData\Local\Temp\mzzfe.exe"
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
      - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:204
        
        C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        7⤵
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 548
        7⤵
        Program crash
        
        PID:2208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 540
    3⤵
    - Program crash
    PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1592 -ip 1592
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 204 -ip 204
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzzfe.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzzfe.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzzfe.exe

Filesize
125KB

MD5
0441aaf5a815eeb2e69a76b1a462fb5a

SHA1
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5

SHA256
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d

SHA512
960a6ffaaeafd3011304dc1fdfca00ad7177cf2c02ffd1deac6ad609e9745acf15406268b274002d8c0e5c8d691c27c4467539b22ad96c3020827883df70118b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqmbj.w

Filesize
228KB

MD5
518bf8c18e617f61c2d8e0b6513b925d

SHA1
f8fe4041612a0f7384df91cce98051ff3ef2094b

SHA256
e15bc33f04d3842be3ce2cba0d5d9bd27862d921f9ac6c1ba3404ffd45f5ebc0

SHA512
9613399290f518812c8d2e53154b8afc45509867dc34bdebd449031542b6132e7cc845238b33ebb925384b9f4528aef2e290e74e70a27303351aff0b5994d1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrxwuads.j

Filesize
4KB

MD5
46b2ce2aa4b00ab70940ab9b19942a5e

SHA1
10c9ae4c1f1c1fe6ed639a86e7259bf4a8cd361f

SHA256
d4185b2719d6ac863275066c26baeedee49b426c7787a44be9af4f44d31f17e3

SHA512
bb4003bb3b1ad26c35d7b3846de201e98ea2eb81791fe520601b64db54bb00de385c74dc4fca227a331e20179d1f14c012a3e742a0a887c6bdb4e0e106dcb158

Download Submit
memory/4144-141-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4144-138-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4856-149-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4856-150-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download