remcos | 16426a775880f1c2b7f79244f86460746cee7dcb65386df2c082abebc7a5d1cf

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2022, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe
Size

436KB
MD5

e79a346563c8229ade00a77e2cebc81a
SHA1

ee6d168305f2d139b951296ff80845dce7380451
SHA256

68f90e7cd6f81bcd548c046cfaca36e766da7fdcdddf286ef769c30062fde895
SHA512

b2cb7701be9ebc6a33bed38ce417ef9089cf31a3b4f65e8528de645699ba25ab864b1e86d70180cfe1467c0f74c3ec26762a4f9b5bf0be3bc4e3b48317eada87
SSDEEP

12288:1Ltdhijtuzu2H884oL4lW6ynCsV1QXq9bNAP8WLS:1Ltd9H8NoLs9yCGK6XOLS

Score

10^/10

remcos remotehost persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

RemoteHost

ghostboy.gotdns.ch:3924

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
ghostboy
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-R5JURE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\adobe\\adobe.exe\","	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
3932	RegAsm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4212 set thread context of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4720	powershell.exe
4720	powershell.exe
4504	powershell.exe
4504	powershell.exe
3248	powershell.exe
3248	powershell.exe
4280	powershell.exe
4280	powershell.exe
964	powershell.exe
964	powershell.exe
964	powershell.exe
4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe
4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3932	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeIncreaseQuotaPrivilege	4720	powershell.exe
Token: SeSecurityPrivilege	4720	powershell.exe
Token: SeTakeOwnershipPrivilege	4720	powershell.exe
Token: SeLoadDriverPrivilege	4720	powershell.exe
Token: SeSystemProfilePrivilege	4720	powershell.exe
Token: SeSystemtimePrivilege	4720	powershell.exe
Token: SeProfSingleProcessPrivilege	4720	powershell.exe
Token: SeIncBasePriorityPrivilege	4720	powershell.exe
Token: SeCreatePagefilePrivilege	4720	powershell.exe
Token: SeBackupPrivilege	4720	powershell.exe
Token: SeRestorePrivilege	4720	powershell.exe
Token: SeShutdownPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeSystemEnvironmentPrivilege	4720	powershell.exe
Token: SeRemoteShutdownPrivilege	4720	powershell.exe
Token: SeUndockPrivilege	4720	powershell.exe
Token: SeManageVolumePrivilege	4720	powershell.exe
Token: 33	4720	powershell.exe
Token: 34	4720	powershell.exe
Token: 35	4720	powershell.exe
Token: 36	4720	powershell.exe
Token: SeIncreaseQuotaPrivilege	4720	powershell.exe
Token: SeSecurityPrivilege	4720	powershell.exe
Token: SeTakeOwnershipPrivilege	4720	powershell.exe
Token: SeLoadDriverPrivilege	4720	powershell.exe
Token: SeSystemProfilePrivilege	4720	powershell.exe
Token: SeSystemtimePrivilege	4720	powershell.exe
Token: SeProfSingleProcessPrivilege	4720	powershell.exe
Token: SeIncBasePriorityPrivilege	4720	powershell.exe
Token: SeCreatePagefilePrivilege	4720	powershell.exe
Token: SeBackupPrivilege	4720	powershell.exe
Token: SeRestorePrivilege	4720	powershell.exe
Token: SeShutdownPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeSystemEnvironmentPrivilege	4720	powershell.exe
Token: SeRemoteShutdownPrivilege	4720	powershell.exe
Token: SeUndockPrivilege	4720	powershell.exe
Token: SeManageVolumePrivilege	4720	powershell.exe
Token: 33	4720	powershell.exe
Token: 34	4720	powershell.exe
Token: 35	4720	powershell.exe
Token: 36	4720	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeIncreaseQuotaPrivilege	4504	powershell.exe
Token: SeSecurityPrivilege	4504	powershell.exe
Token: SeTakeOwnershipPrivilege	4504	powershell.exe
Token: SeLoadDriverPrivilege	4504	powershell.exe
Token: SeSystemProfilePrivilege	4504	powershell.exe
Token: SeSystemtimePrivilege	4504	powershell.exe
Token: SeProfSingleProcessPrivilege	4504	powershell.exe
Token: SeIncBasePriorityPrivilege	4504	powershell.exe
Token: SeCreatePagefilePrivilege	4504	powershell.exe
Token: SeBackupPrivilege	4504	powershell.exe
Token: SeRestorePrivilege	4504	powershell.exe
Token: SeShutdownPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeSystemEnvironmentPrivilege	4504	powershell.exe
Token: SeRemoteShutdownPrivilege	4504	powershell.exe
Token: SeUndockPrivilege	4504	powershell.exe
Token: SeManageVolumePrivilege	4504	powershell.exe
Token: 33	4504	powershell.exe
Token: 34	4504	powershell.exe
Token: 35	4504	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3932	RegAsm.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 4720	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	84
PID 4212 wrote to memory of 4720	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	84
PID 4212 wrote to memory of 4720	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	84
PID 4212 wrote to memory of 4504	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	86
PID 4212 wrote to memory of 4504	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	86
PID 4212 wrote to memory of 4504	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	86
PID 4212 wrote to memory of 3248	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	88
PID 4212 wrote to memory of 3248	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	88
PID 4212 wrote to memory of 3248	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	88
PID 4212 wrote to memory of 4280	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	93
PID 4212 wrote to memory of 4280	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	93
PID 4212 wrote to memory of 4280	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	93
PID 4212 wrote to memory of 964	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	98
PID 4212 wrote to memory of 964	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	98
PID 4212 wrote to memory of 964	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	98
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102
PID 4212 wrote to memory of 3932	4212	WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe	102

C:\Users\Admin\AppData\Local\Temp\WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe
"C:\Users\Admin\AppData\Local\Temp\WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
d0f7b40519e2719331bd5b5739939fbf

SHA1
594de1c0068ee4df4daec39e59294de9d6565bd7

SHA256
d82a3ff03f18cede830c240582ace84131399571d76b699ac1fb8359356a7ee1

SHA512
fe60df3f76c8e938f552ee6aabbc02b3a37d49b9732ad3942c0089b4317ce384b620e85d3da717ec48dda19cd36138dce0cdae046e219cc20186491d6e39c0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
0bbf59e09c2dc8a7801659af3ecf9118

SHA1
d18f99a44f3c8e55ee914afcbba42cfb0c638bf4

SHA256
001857e6b2d75eebd1c8b80197fecc0c8767ac5dcf4f561268d0ec8689a3c6c2

SHA512
2a8199ddac6a55d55a8463d4bc81947bac323ce0a80bcdb8957bcb443b7defdf56cc89010512d205f6a506861f8c48bdc0880b76e772a735579d4d3d9e73ca5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
652100ddaff8e50a9e7b10878b0a1ae6

SHA1
c40c9257c4d986e580b2f844ae6fa2dfd15396d5

SHA256
9ef2e5f50693a72ebb4698cc2f7c254b4220c7ef59ed7e75d8edc4a1ea6d8d12

SHA512
eea368d4f1f085034bdc30a4301866563f223569515637b5d96a1e267a5503af95ef9e60b1cb4a5bf4905cb0899326d5eccba4b76a9ea2f787335a0043247ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
eaea631a5347352b5cd8667779383caf

SHA1
ee1f507f7cbd9c006dab86ba42d11a97cd960fec

SHA256
b21f4249db98b272a4430c70a0a1007f617c61800facccfcfea1d87d37e10096

SHA512
03f6635b3e25313fc90740c349c5f78d57ca8b6c86882d1e493aab0531f896365105be006b387078b0fd850e970164b0ccd30f43127fb8d114fafb290852eb83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/3932-159-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3932-169-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3932-165-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3932-163-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3932-162-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4212-157-0x0000000008CB0000-0x0000000008CCE000-memory.dmp

Filesize
120KB

Download
memory/4212-132-0x0000000000380000-0x00000000003F4000-memory.dmp

Filesize
464KB

Download
memory/4212-133-0x0000000005230000-0x00000000057D4000-memory.dmp

Filesize
5.6MB

Download
memory/4212-134-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/4212-135-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

Filesize
40KB

Download
memory/4212-156-0x0000000008BE0000-0x0000000008C56000-memory.dmp

Filesize
472KB

Download
memory/4720-138-0x0000000005D10000-0x0000000006338000-memory.dmp

Filesize
6.2MB

Download
memory/4720-143-0x0000000007AF0000-0x0000000007B86000-memory.dmp

Filesize
600KB

Download
memory/4720-137-0x0000000003000000-0x0000000003036000-memory.dmp

Filesize
216KB

Download
memory/4720-145-0x0000000006E70000-0x0000000006E92000-memory.dmp

Filesize
136KB

Download
memory/4720-144-0x0000000006E10000-0x0000000006E2A000-memory.dmp

Filesize
104KB

Download
memory/4720-142-0x0000000006930000-0x000000000694E000-memory.dmp

Filesize
120KB

Download
memory/4720-139-0x0000000005A60000-0x0000000005A82000-memory.dmp

Filesize
136KB

Download
memory/4720-140-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/4720-141-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/4720-146-0x0000000008D70000-0x00000000093EA000-memory.dmp

Filesize
6.5MB

Download