remcos | 92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc

General

Target

92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe
Size

3.4MB
MD5

3e2ea6c9089596ba1f7af98ead6e533d
SHA1

2d3b22c1687c13a3e8e013b49f44ca05d2d010ae
SHA256

92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc
SHA512

1bc725ce413701bf79d86ea2f83be08313f7330f3384b4080224f20899105c236346cf97aef075fb1598fed871f8f0149d0bee9dcfb6529f0d7dbddfc2cdebc0
SSDEEP

98304:mmy4UWfEseF0ptQn8gu6i3SyJbXftMN1LfMNPuIu7goY9:mmybWfEB0nQntyJbP2PLUMIko

Score

10^/10

remcos keep rat

Malware Config

Extracted

Family

remcos

Botnet

keep

C2

search.akamaimicro.com:443

search.akamaimicro.com:80

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
rms-UBKU50
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
444	OfficeC2Runs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3736	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
204	WINWORD.EXE
204	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3736	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe
3736	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe
3736	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe
3736	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 444	3736	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe	83
PID 3736 wrote to memory of 444	3736	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe	83
PID 3736 wrote to memory of 444	3736	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe	83
PID 3736 wrote to memory of 204	3736	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe	85
PID 3736 wrote to memory of 204	3736	92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe	85

C:\Users\Admin\AppData\Local\Temp\92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe
"C:\Users\Admin\AppData\Local\Temp\92f3b670b34b4f8085a8ed8ecefa869e105f077c1b17ffc253fe65d307fe8efc.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\OfficeC2Runs.exe
  "C:\Users\Admin\AppData\Local\Temp\OfficeC2Runs.exe"
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Èí¼þ¿ª·¢¹¤³ÌÊ¦£ºÀî¶¹¶¹µÄÓ¦Æ¸ÉêÇë.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OfficeC2Runs.exe

Filesize
840KB

MD5
caa94d93ea4ef0343596e6403d49fae0

SHA1
6d41070c47b6a3e9915c310f8f9ea4f15bcc9b07

SHA256
b28c0eeca1d38ac4ed2874498ac8abf5cb40d08b59a56e9d0159edfab9051ec6

SHA512
753a04dd33461407cba5c1e4436d9b249a4f98617a622d2ddf12b08332e4d9bc9aabcd59cae20d611326279141f14412064d54354f6457689d92cd39fd259197

Download Submit
C:\Users\Admin\AppData\Local\Temp\OfficeC2Runs.exe

Filesize
840KB

MD5
caa94d93ea4ef0343596e6403d49fae0

SHA1
6d41070c47b6a3e9915c310f8f9ea4f15bcc9b07

SHA256
b28c0eeca1d38ac4ed2874498ac8abf5cb40d08b59a56e9d0159edfab9051ec6

SHA512
753a04dd33461407cba5c1e4436d9b249a4f98617a622d2ddf12b08332e4d9bc9aabcd59cae20d611326279141f14412064d54354f6457689d92cd39fd259197

Download Submit
C:\Users\Admin\AppData\Local\Temp\Èí¼þ¿ª·¢¹¤³ÌÊ¦£ºÀî¶¹¶¹µÄÓ¦Æ¸ÉêÇë.docx

Filesize
22KB

MD5
c419346d923c12a70c8ad954e650d5ef

SHA1
b5f77661549a3bd56883d1405101147a095e971d

SHA256
6ee076dc8263d41c3ce136f1f932f24dffaa02ccea0192ee086c92ece3360565

SHA512
6551ec65c195714eac2ad197e84f4621ad4b0382ed0e16dd2588852cfbd1e1ffc5b9c40117908e37755890a6d89ae1b604eb0a407039cd23d7668842a0f7e78e

Download Submit
memory/204-144-0x00007FF963870000-0x00007FF963880000-memory.dmp

Filesize
64KB

Download
memory/204-156-0x00007FF963870000-0x00007FF963880000-memory.dmp

Filesize
64KB

Download
memory/204-155-0x00007FF963870000-0x00007FF963880000-memory.dmp

Filesize
64KB

Download
memory/204-154-0x00007FF963870000-0x00007FF963880000-memory.dmp

Filesize
64KB

Download
memory/204-140-0x00007FF963870000-0x00007FF963880000-memory.dmp

Filesize
64KB

Download
memory/204-141-0x00007FF963870000-0x00007FF963880000-memory.dmp

Filesize
64KB

Download
memory/204-142-0x00007FF963870000-0x00007FF963880000-memory.dmp

Filesize
64KB

Download
memory/204-143-0x00007FF963870000-0x00007FF963880000-memory.dmp

Filesize
64KB

Download
memory/204-153-0x00007FF963870000-0x00007FF963880000-memory.dmp

Filesize
64KB

Download
memory/204-145-0x00007FF9617E0000-0x00007FF9617F0000-memory.dmp

Filesize
64KB

Download
memory/204-146-0x00007FF9617E0000-0x00007FF9617F0000-memory.dmp

Filesize
64KB

Download
memory/444-148-0x00000000029D0000-0x0000000002A47000-memory.dmp

Filesize
476KB

Download
memory/444-149-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/444-150-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/444-138-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3736-133-0x00007FF6372E0000-0x00007FF637A25000-memory.dmp

Filesize
7.3MB

Download
memory/3736-139-0x00007FF6372E0000-0x00007FF637A25000-memory.dmp

Filesize
7.3MB

Download
memory/3736-132-0x00007FF6372E0000-0x00007FF637A25000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads