remcos | f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2022, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe
Size

471KB
MD5

ac382bfcfaea86b5749f7abc571ccf12
SHA1

928454bcce909ea349a03b14c043430905a88fdb
SHA256

f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3
SHA512

07cacc471ac863ac12db6f0d4c7a75d968dea257f7f5f722a830e9b5239f45071e1a3fe19c17faca06aec4a48f8456d3590f8643c618a023838aca46e0c03c4d
SSDEEP

6144:EbdjQFiTrgVohW1ydxCrLkE7ZFCSq1zeH4L5WIMOHsAOZZL1XBcYs4:EbdUYCohW1kMfkEbCSqxeYdsfZLU4

Score

10^/10

remcos 12-22-22 evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

12-22-22

194.180.48.225:1024

Attributes

audio_folder
iujhgv
audio_path
%Temp%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
lkjhg.exe
copy_folder
sdfghjk
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
keylog_crypt
false
keylog_file
oijkhb.dat
keylog_flag
false
keylog_folder
hgfds
keylog_path
%WinDir%
mouse_option
false
mutex
yuhgfd-9Z85LD
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
lkjhg
screenshot_path
%AppData%
screenshot_time
5
startup_value
ijhgf
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
bank

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
260	lkjhg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ijhgf = "\"C:\\ProgramData\\sdfghjk\\lkjhg.exe\""	lkjhg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijhgf = "\"C:\\ProgramData\\sdfghjk\\lkjhg.exe\""	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijhgf = "\"C:\\ProgramData\\sdfghjk\\lkjhg.exe\""	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ijhgf = "\"C:\\ProgramData\\sdfghjk\\lkjhg.exe\""	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijhgf = "\"C:\\ProgramData\\sdfghjk\\lkjhg.exe\""	lkjhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	lkjhg.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\	lkjhg.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ijhgf = "\"C:\\ProgramData\\sdfghjk\\lkjhg.exe\""	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 260 set thread context of 1712	260	lkjhg.exe	92
PID 1712 set thread context of 3628	1712	iexplore.exe	97

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hgfds\oijkhb.dat	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
1688	reg.exe
3504	reg.exe
3508	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
260	lkjhg.exe
260	lkjhg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1712	iexplore.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
260	lkjhg.exe
1712	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3060	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1712	iexplore.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 956	1956	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe	82
PID 1956 wrote to memory of 956	1956	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe	82
PID 1956 wrote to memory of 956	1956	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe	82
PID 956 wrote to memory of 1688	956	cmd.exe	84
PID 956 wrote to memory of 1688	956	cmd.exe	84
PID 956 wrote to memory of 1688	956	cmd.exe	84
PID 1956 wrote to memory of 2384	1956	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe	85
PID 1956 wrote to memory of 2384	1956	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe	85
PID 1956 wrote to memory of 2384	1956	f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe	85
PID 2384 wrote to memory of 2156	2384	WScript.exe	87
PID 2384 wrote to memory of 2156	2384	WScript.exe	87
PID 2384 wrote to memory of 2156	2384	WScript.exe	87
PID 2156 wrote to memory of 260	2156	cmd.exe	89
PID 2156 wrote to memory of 260	2156	cmd.exe	89
PID 2156 wrote to memory of 260	2156	cmd.exe	89
PID 260 wrote to memory of 1848	260	lkjhg.exe	90
PID 260 wrote to memory of 1848	260	lkjhg.exe	90
PID 260 wrote to memory of 1848	260	lkjhg.exe	90
PID 260 wrote to memory of 1712	260	lkjhg.exe	92
PID 260 wrote to memory of 1712	260	lkjhg.exe	92
PID 260 wrote to memory of 1712	260	lkjhg.exe	92
PID 260 wrote to memory of 1712	260	lkjhg.exe	92
PID 1712 wrote to memory of 4188	1712	iexplore.exe	93
PID 1712 wrote to memory of 4188	1712	iexplore.exe	93
PID 1712 wrote to memory of 4188	1712	iexplore.exe	93
PID 1848 wrote to memory of 3504	1848	cmd.exe	95
PID 1848 wrote to memory of 3504	1848	cmd.exe	95
PID 1848 wrote to memory of 3504	1848	cmd.exe	95
PID 4188 wrote to memory of 3508	4188	cmd.exe	96
PID 4188 wrote to memory of 3508	4188	cmd.exe	96
PID 4188 wrote to memory of 3508	4188	cmd.exe	96
PID 1712 wrote to memory of 3628	1712	iexplore.exe	97
PID 1712 wrote to memory of 3628	1712	iexplore.exe	97
PID 1712 wrote to memory of 3628	1712	iexplore.exe	97
PID 1712 wrote to memory of 3628	1712	iexplore.exe	97

C:\Users\Admin\AppData\Local\Temp\f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe
"C:\Users\Admin\AppData\Local\Temp\f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jlefe.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\sdfghjk\lkjhg.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\ProgramData\sdfghjk\lkjhg.exe
      C:\ProgramData\sdfghjk\lkjhg.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:260
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3504
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:3508
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:3628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x388 0x384
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sdfghjk\lkjhg.exe

Filesize
471KB

MD5
ac382bfcfaea86b5749f7abc571ccf12

SHA1
928454bcce909ea349a03b14c043430905a88fdb

SHA256
f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3

SHA512
07cacc471ac863ac12db6f0d4c7a75d968dea257f7f5f722a830e9b5239f45071e1a3fe19c17faca06aec4a48f8456d3590f8643c618a023838aca46e0c03c4d

Download Submit
C:\ProgramData\sdfghjk\lkjhg.exe

Filesize
471KB

MD5
ac382bfcfaea86b5749f7abc571ccf12

SHA1
928454bcce909ea349a03b14c043430905a88fdb

SHA256
f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3

SHA512
07cacc471ac863ac12db6f0d4c7a75d968dea257f7f5f722a830e9b5239f45071e1a3fe19c17faca06aec4a48f8456d3590f8643c618a023838aca46e0c03c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlefe.vbs

Filesize
626B

MD5
80ad4cb976e57af6dba65f5591380648

SHA1
c06f4f397775374ac1676d74b946098ac17c66ee

SHA256
140c5d2f2788f7f7c26e5d312382c65847fb8bee97aaeaaf4706245fe886d498

SHA512
0f6a13c10129b5b6288169c977573c530dff63ab5dcbe9cdc42dedca3a461d48ca1bca6822068436356f7665c81b06411c45817efcfe443baef66adede557eb1

Download Submit
memory/1712-146-0x0000000000650000-0x00000000006CF000-memory.dmp

Filesize
508KB

Download
memory/1712-148-0x0000000000650000-0x00000000006CF000-memory.dmp

Filesize
508KB

Download
memory/3628-147-0x0000000000CD0000-0x0000000000D4F000-memory.dmp

Filesize
508KB

Download