remcos | 5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044

General

Target

5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
Size

448KB
MD5

d55db3e1a122d2193f804f76a3ed2cb3
SHA1

c101298055a396fee1d26220c2655125065e9fe6
SHA256

5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044
SHA512

fab4122e82639b7acab49ee77f54c76edcf116b946b12a8a3915d5f3fc32e43ccb1b53685899f8f2f2ec31dfb2d59b3e3e4cae0ea62574e5eddf55595f38638c
SSDEEP

6144:xoR0EvklriDeO8pZIgVBcY/LfSSk0MeYFuRWYsraTkxAJAJ9U8sgutf2iddj5XDw:uW68NVBcY+SCY+3xAJAJ+f2E5eJQ9jq

Score

10^/10

remcos dec 1st evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Dec 1st

C2

terzona2022.duckdns.org:3030

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows input text.exe
copy_folder
Microsoft Text
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Microsoft Sound Text
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Executes dropped EXE 1 IoCs

Processes:

Windows input text.exe

pid process

3436 Windows input text.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
3436	Windows input text.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound Text = "\"C:\\Windows\\Microsoft Text\\Windows input text.exe\""	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

description	pid	process	target process
PID 1760 set thread context of 1432	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

Drops file in Windows directory 3 IoCs

Processes:

5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

description	ioc	process
File created	C:\Windows\Microsoft Text\Windows input text.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
File opened for modification	C:\Windows\Microsoft Text\Windows input text.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
File opened for modification	C:\Windows\Microsoft Text	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1736 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4588 PING.EXE

pid	process
1736	reg.exe

pid	process
4588	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

pid	process
1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

description pid process

Token: SeDebugPrivilege 1760 5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

description	pid	process
Token: SeDebugPrivilege	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.execmd.execmd.exe

description	pid	process	target process
PID 1760 wrote to memory of 5044	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1760 wrote to memory of 5044	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1760 wrote to memory of 5044	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1760 wrote to memory of 1432	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1760 wrote to memory of 1432	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1760 wrote to memory of 1432	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1760 wrote to memory of 1432	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1760 wrote to memory of 1432	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1760 wrote to memory of 1432	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1760 wrote to memory of 1432	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1760 wrote to memory of 1432	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1760 wrote to memory of 1432	1760	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
PID 1432 wrote to memory of 4688	1432	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	cmd.exe
PID 1432 wrote to memory of 4688	1432	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	cmd.exe
PID 1432 wrote to memory of 4688	1432	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	cmd.exe
PID 4688 wrote to memory of 1736	4688	cmd.exe	reg.exe
PID 4688 wrote to memory of 1736	4688	cmd.exe	reg.exe
PID 4688 wrote to memory of 1736	4688	cmd.exe	reg.exe
PID 1432 wrote to memory of 768	1432	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	cmd.exe
PID 1432 wrote to memory of 768	1432	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	cmd.exe
PID 1432 wrote to memory of 768	1432	5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe	cmd.exe
PID 768 wrote to memory of 4588	768	cmd.exe	PING.EXE
PID 768 wrote to memory of 4588	768	cmd.exe	PING.EXE
PID 768 wrote to memory of 4588	768	cmd.exe	PING.EXE
PID 768 wrote to memory of 3436	768	cmd.exe	Windows input text.exe
PID 768 wrote to memory of 3436	768	cmd.exe	Windows input text.exe
PID 768 wrote to memory of 3436	768	cmd.exe	Windows input text.exe

C:\Users\Admin\AppData\Local\Temp\5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
"C:\Users\Admin\AppData\Local\Temp\5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
  "C:\Users\Admin\AppData\Local\Temp\5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe"
  2⤵
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe
  "C:\Users\Admin\AppData\Local\Temp\5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:4588
  - - C:\Windows\Microsoft Text\Windows input text.exe
      "C:\Windows\Microsoft Text\Windows input text.exe"
      4⤵
      Executes dropped EXE
      PID:3436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
99B

MD5
cd13321bdef41f7575c97a6c302668c1

SHA1
f7de6ac53a6914dde55fe408c67ec934686ecc9f

SHA256
2e7ff7169fe44c0360335a47264f1963bb65ae1ca3f93a20922074f143491dc8

SHA512
75ea823f45820f7bc118f8f982faee3b4ede68ab42958723647c356b9f667026d37c75702f4360bc38e19b44efbf4d9bf574e8b65f6a8ef37139216041ab234b

Download Submit
C:\Windows\Microsoft Text\Windows input text.exe

Filesize
448KB

MD5
d55db3e1a122d2193f804f76a3ed2cb3

SHA1
c101298055a396fee1d26220c2655125065e9fe6

SHA256
5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044

SHA512
fab4122e82639b7acab49ee77f54c76edcf116b946b12a8a3915d5f3fc32e43ccb1b53685899f8f2f2ec31dfb2d59b3e3e4cae0ea62574e5eddf55595f38638c

Download Submit
C:\Windows\Microsoft Text\Windows input text.exe

Filesize
448KB

MD5
d55db3e1a122d2193f804f76a3ed2cb3

SHA1
c101298055a396fee1d26220c2655125065e9fe6

SHA256
5107b9fda1ce6e7c51fb52d7928c49a82731ff4fc3c75d700737ce3c2f274044

SHA512
fab4122e82639b7acab49ee77f54c76edcf116b946b12a8a3915d5f3fc32e43ccb1b53685899f8f2f2ec31dfb2d59b3e3e4cae0ea62574e5eddf55595f38638c

Download Submit
memory/768-147-0x0000000000000000-mapping.dmp

Download
memory/1432-148-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1432-146-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1432-143-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1432-139-0x0000000000000000-mapping.dmp

Download
memory/1432-140-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1432-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1736-145-0x0000000000000000-mapping.dmp

Download
memory/1760-137-0x0000000001170000-0x000000000120C000-memory.dmp

Filesize
624KB

Download
memory/1760-136-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/1760-132-0x0000000000800000-0x0000000000870000-memory.dmp

Filesize
448KB

Download
memory/1760-135-0x00000000054A0000-0x0000000005646000-memory.dmp

Filesize
1.6MB

Download
memory/1760-134-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/1760-133-0x0000000005890000-0x0000000005E34000-memory.dmp

Filesize
5.6MB

Download
memory/3436-151-0x0000000000000000-mapping.dmp

Download
memory/4588-150-0x0000000000000000-mapping.dmp

Download
memory/4688-144-0x0000000000000000-mapping.dmp

Download
memory/5044-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads