remcos | 4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803

General

Target

4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
Size

746KB
MD5

9140ccdcddf8331c3204be8d3eadeb33
SHA1

004fe0732d9065590386bbcc13b834d6bb39d07f
SHA256

4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803
SHA512

3a6e7c2e36bc012029d31e3ec8305a10db64f3ebef2a6f38847d9f61776b8029cd03a64951263f7ec4d3cd7782b08c0dd440dd73554dc0e675f4f0d1ecbbc9a7
SSDEEP

12288:RqhmZJbxpDFJxbxmnq2Co4a5mJ2pKBaOtg4e/uKy8Kt58bLjKj3/4vjSC:RQixh3OFK0+e/u8KvynKj3/zC

Score

10^/10

remcos nov 24th evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Nov 24th

C2

gcrozona.duckdns.org:6062

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Microsoft Intel Audios.exe
copy_folder
Audio Microsoft File
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Window Security Check
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

Processes:

Microsoft Intel Audios.exeMicrosoft Intel Audios.exe

pid process

4016 Microsoft Intel Audios.exe
1636 Microsoft Intel Audios.exe

pid	process
4016	Microsoft Intel Audios.exe
1636	Microsoft Intel Audios.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exeMicrosoft Intel Audios.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Security Check = "\"C:\\Windows\\Audio Microsoft File\\Microsoft Intel Audios.exe\""	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Microsoft Intel Audios.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Security Check = "\"C:\\Windows\\Audio Microsoft File\\Microsoft Intel Audios.exe\""	Microsoft Intel Audios.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exeMicrosoft Intel Audios.exe

description	pid	process	target process
PID 1104 set thread context of 3012	1104	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
PID 4016 set thread context of 1636	4016	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe

Drops file in Windows directory 5 IoCs

Processes:

4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exeMicrosoft Intel Audios.exe

description	ioc	process
File opened for modification	C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
File opened for modification	C:\Windows\Audio Microsoft File	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
File opened for modification	C:\Windows\Windows Display\logs.dat	Microsoft Intel Audios.exe
File created	C:\Windows\Windows Display\logs.dat	Microsoft Intel Audios.exe
File created	C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2484 reg.exe
1516 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1308 PING.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft Intel Audios.exe

pid process

1636 Microsoft Intel Audios.exe

pid	process
2484	reg.exe
1516	reg.exe

pid	process
1308	PING.EXE

pid	process
1636	Microsoft Intel Audios.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.execmd.execmd.exeMicrosoft Intel Audios.exeMicrosoft Intel Audios.execmd.exe

description	pid	process	target process
PID 1104 wrote to memory of 3012	1104	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
PID 1104 wrote to memory of 3012	1104	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
PID 1104 wrote to memory of 3012	1104	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
PID 1104 wrote to memory of 3012	1104	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
PID 1104 wrote to memory of 3012	1104	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
PID 1104 wrote to memory of 3012	1104	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
PID 1104 wrote to memory of 3012	1104	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
PID 1104 wrote to memory of 3012	1104	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
PID 1104 wrote to memory of 3012	1104	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
PID 3012 wrote to memory of 3888	3012	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	cmd.exe
PID 3012 wrote to memory of 3888	3012	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	cmd.exe
PID 3012 wrote to memory of 3888	3012	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	cmd.exe
PID 3888 wrote to memory of 2484	3888	cmd.exe	reg.exe
PID 3888 wrote to memory of 2484	3888	cmd.exe	reg.exe
PID 3888 wrote to memory of 2484	3888	cmd.exe	reg.exe
PID 3012 wrote to memory of 3868	3012	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	cmd.exe
PID 3012 wrote to memory of 3868	3012	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	cmd.exe
PID 3012 wrote to memory of 3868	3012	4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe	cmd.exe
PID 3868 wrote to memory of 1308	3868	cmd.exe	PING.EXE
PID 3868 wrote to memory of 1308	3868	cmd.exe	PING.EXE
PID 3868 wrote to memory of 1308	3868	cmd.exe	PING.EXE
PID 3868 wrote to memory of 4016	3868	cmd.exe	Microsoft Intel Audios.exe
PID 3868 wrote to memory of 4016	3868	cmd.exe	Microsoft Intel Audios.exe
PID 3868 wrote to memory of 4016	3868	cmd.exe	Microsoft Intel Audios.exe
PID 4016 wrote to memory of 1636	4016	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 4016 wrote to memory of 1636	4016	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 4016 wrote to memory of 1636	4016	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 4016 wrote to memory of 1636	4016	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 4016 wrote to memory of 1636	4016	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 4016 wrote to memory of 1636	4016	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 4016 wrote to memory of 1636	4016	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 4016 wrote to memory of 1636	4016	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 4016 wrote to memory of 1636	4016	Microsoft Intel Audios.exe	Microsoft Intel Audios.exe
PID 1636 wrote to memory of 1728	1636	Microsoft Intel Audios.exe	cmd.exe
PID 1636 wrote to memory of 1728	1636	Microsoft Intel Audios.exe	cmd.exe
PID 1636 wrote to memory of 1728	1636	Microsoft Intel Audios.exe	cmd.exe
PID 1728 wrote to memory of 1516	1728	cmd.exe	reg.exe
PID 1728 wrote to memory of 1516	1728	cmd.exe	reg.exe
PID 1728 wrote to memory of 1516	1728	cmd.exe	reg.exe
PID 1636 wrote to memory of 1944	1636	Microsoft Intel Audios.exe	iexplore.exe
PID 1636 wrote to memory of 1944	1636	Microsoft Intel Audios.exe	iexplore.exe
PID 1636 wrote to memory of 1944	1636	Microsoft Intel Audios.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
"C:\Users\Admin\AppData\Local\Temp\4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe
"C:\Users\Admin\AppData\Local\Temp\4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- UAC bypass
- Modifies registry key
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:1308

C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe
"C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe
"C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- UAC bypass
- Modifies registry key
PID:1516

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
6⤵
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
109B

MD5
8ddcdd0ab01b0740982e7b78b1591015

SHA1
acbb9c4bb32822a164f200f8b77eda0ce7bd758d

SHA256
7c1abbf1a20f581d2db76d769cc14cf753a412cf92e383a36ffbf0c962eaf678

SHA512
ef43e3cb89c800529530183d4315782a864281ef8a0e6443a54ccc4f1837fcbfe43027b399bb43ea114fab70416d49b3cb2539cf8bf658b4b447c4e8597959dc

Download Submit
C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe
Filesize
746KB

MD5
9140ccdcddf8331c3204be8d3eadeb33

SHA1
004fe0732d9065590386bbcc13b834d6bb39d07f

SHA256
4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803

SHA512
3a6e7c2e36bc012029d31e3ec8305a10db64f3ebef2a6f38847d9f61776b8029cd03a64951263f7ec4d3cd7782b08c0dd440dd73554dc0e675f4f0d1ecbbc9a7

Download Submit
C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe
Filesize
746KB

MD5
9140ccdcddf8331c3204be8d3eadeb33

SHA1
004fe0732d9065590386bbcc13b834d6bb39d07f

SHA256
4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803

SHA512
3a6e7c2e36bc012029d31e3ec8305a10db64f3ebef2a6f38847d9f61776b8029cd03a64951263f7ec4d3cd7782b08c0dd440dd73554dc0e675f4f0d1ecbbc9a7

Download Submit
C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe
Filesize
746KB

MD5
9140ccdcddf8331c3204be8d3eadeb33

SHA1
004fe0732d9065590386bbcc13b834d6bb39d07f

SHA256
4cbf921ca59d8725280de0d34864dc44eb98fadde5ea010683a8f8820eb3b803

SHA512
3a6e7c2e36bc012029d31e3ec8305a10db64f3ebef2a6f38847d9f61776b8029cd03a64951263f7ec4d3cd7782b08c0dd440dd73554dc0e675f4f0d1ecbbc9a7

Download Submit
memory/1104-133-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/1104-134-0x0000000004D00000-0x0000000004D92000-memory.dmp

Filesize
584KB

Download
memory/1104-135-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/1104-136-0x0000000008760000-0x00000000087FC000-memory.dmp

Filesize
624KB

Download
memory/1104-132-0x0000000000250000-0x0000000000312000-memory.dmp

Filesize
776KB

Download
memory/1308-147-0x0000000000000000-mapping.dmp

Download
memory/1516-157-0x0000000000000000-mapping.dmp

Download
memory/1636-151-0x0000000000000000-mapping.dmp

Download
memory/1636-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1636-158-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1728-156-0x0000000000000000-mapping.dmp

Download
memory/2484-143-0x0000000000000000-mapping.dmp

Download
memory/3012-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3012-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3012-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3012-140-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3012-137-0x0000000000000000-mapping.dmp

Download
memory/3868-144-0x0000000000000000-mapping.dmp

Download
memory/3888-142-0x0000000000000000-mapping.dmp

Download
memory/4016-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads