remcos | 5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-01-2023 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe
Size

1.1MB
MD5

b80414e3202a808673a8254aec607a12
SHA1

fef5c52c3af36689f3c794ce586d83b0a458afa5
SHA256

5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b
SHA512

3e1a4e4918b2b64238403811348248ff5955793cf405087edaac332461c74ee3d26b21f814565d22ae4f30cc4436821ac7f9fcdc61cae38d1ce8adf3ff2609b3
SSDEEP

24576:ZH14Ct7BwWTmQHsOzj4j85M1hUQDAxzJX4K4hGxosG:ZHGW7BwWtsOzj4jGM1aK4FX3

Score

10^/10

remcos new rem stub persistence rat

Malware Config

Extracted

Family

remcos

Botnet

NEW REM STUB

valvesco.duckdns.org:5050

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-48V73L
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\mnvcbn .exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

mnvcbn .exe mnvcbnqa.exe mnvcbnqa.exe

pid process

968 mnvcbn .exe
1660 mnvcbnqa.exe
1736 mnvcbnqa.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exemnvcbn .exe mnvcbnqa.exe

pid process

1208 cmd.exe
968 mnvcbn .exe
1660 mnvcbnqa.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

mnvcbn .exe

description pid process target process

PID 968 set thread context of 824 968 mnvcbn .exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1460 PING.EXE
552 PING.EXE
1076 PING.EXE

pid	process
968	mnvcbn .exe
1660	mnvcbnqa.exe
1736	mnvcbnqa.exe

pid	process
1208	cmd.exe
968	mnvcbn .exe
1660	mnvcbnqa.exe

description	pid	process	target process
PID 968 set thread context of 824	968	mnvcbn .exe	AddInProcess32.exe

pid	process
1460	PING.EXE
552	PING.EXE
1076	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exemnvcbn .exe mnvcbnqa.exe mnvcbnqa.exe

pid	process
940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe
940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe
940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe
968	mnvcbn .exe
968	mnvcbn .exe
968	mnvcbn .exe
1660	mnvcbnqa.exe
1736	mnvcbnqa.exe
1736	mnvcbnqa.exe
1736	mnvcbnqa.exe
968	mnvcbn .exe
968	mnvcbn .exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exemnvcbn .exe mnvcbnqa.exe mnvcbnqa.exe

description	pid	process
Token: SeDebugPrivilege	940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe
Token: SeDebugPrivilege	968	mnvcbn .exe
Token: SeDebugPrivilege	1660	mnvcbnqa.exe
Token: SeDebugPrivilege	1736	mnvcbnqa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

824 AddInProcess32.exe

pid	process
824	AddInProcess32.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.execmd.execmd.exemnvcbn .exe mnvcbnqa.exe

description	pid	process	target process
PID 940 wrote to memory of 1920	940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe	cmd.exe
PID 940 wrote to memory of 1920	940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe	cmd.exe
PID 940 wrote to memory of 1920	940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe	cmd.exe
PID 940 wrote to memory of 1920	940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe	cmd.exe
PID 1920 wrote to memory of 1460	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 1460	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 1460	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 1460	1920	cmd.exe	PING.EXE
PID 940 wrote to memory of 1208	940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe	cmd.exe
PID 940 wrote to memory of 1208	940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe	cmd.exe
PID 940 wrote to memory of 1208	940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe	cmd.exe
PID 940 wrote to memory of 1208	940	5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe	cmd.exe
PID 1208 wrote to memory of 552	1208	cmd.exe	PING.EXE
PID 1208 wrote to memory of 552	1208	cmd.exe	PING.EXE
PID 1208 wrote to memory of 552	1208	cmd.exe	PING.EXE
PID 1208 wrote to memory of 552	1208	cmd.exe	PING.EXE
PID 1920 wrote to memory of 1544	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 1544	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 1544	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 1544	1920	cmd.exe	reg.exe
PID 1208 wrote to memory of 1076	1208	cmd.exe	PING.EXE
PID 1208 wrote to memory of 1076	1208	cmd.exe	PING.EXE
PID 1208 wrote to memory of 1076	1208	cmd.exe	PING.EXE
PID 1208 wrote to memory of 1076	1208	cmd.exe	PING.EXE
PID 1208 wrote to memory of 968	1208	cmd.exe	mnvcbn .exe
PID 1208 wrote to memory of 968	1208	cmd.exe	mnvcbn .exe
PID 1208 wrote to memory of 968	1208	cmd.exe	mnvcbn .exe
PID 1208 wrote to memory of 968	1208	cmd.exe	mnvcbn .exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 824	968	mnvcbn .exe	AddInProcess32.exe
PID 968 wrote to memory of 1660	968	mnvcbn .exe	mnvcbnqa.exe
PID 968 wrote to memory of 1660	968	mnvcbn .exe	mnvcbnqa.exe
PID 968 wrote to memory of 1660	968	mnvcbn .exe	mnvcbnqa.exe
PID 968 wrote to memory of 1660	968	mnvcbn .exe	mnvcbnqa.exe
PID 1660 wrote to memory of 1736	1660	mnvcbnqa.exe	mnvcbnqa.exe
PID 1660 wrote to memory of 1736	1660	mnvcbnqa.exe	mnvcbnqa.exe
PID 1660 wrote to memory of 1736	1660	mnvcbnqa.exe	mnvcbnqa.exe
PID 1660 wrote to memory of 1736	1660	mnvcbnqa.exe	mnvcbnqa.exe

C:\Users\Admin\AppData\Local\Temp\5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe
"C:\Users\Admin\AppData\Local\Temp\5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mnvcbn .exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 8
3⤵
- Runs ping.exe
PID:1460

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mnvcbn .exe,"
3⤵
- Modifies WinLogon for persistence
PID:1544

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Local\Temp\5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b.exe" "C:\Users\Admin\AppData\Roaming\mnvcbn .exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Roaming\mnvcbn .exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 15
3⤵
- Runs ping.exe
PID:552

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 15
3⤵
- Runs ping.exe
PID:1076

C:\Users\Admin\AppData\Roaming\mnvcbn .exe
"C:\Users\Admin\AppData\Roaming\mnvcbn .exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:824

C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe
"C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe
"C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.txt
Filesize
55B

MD5
7f198403810bcdc82854adfdd4ef1aa2

SHA1
e9f679a7088a0631968cceab36ba3620ace6ff22

SHA256
d0315a116b9491ea3fb4b2b5b5e1fe837f1f4908789a663186a5eee4dbcdca92

SHA512
7a83318d71f77fb8be1141e48028bd7d1d858a9691910f24107f3340bd77634faa5341b612a4988bc02e5a282dfc3acb5a898ca72041fbb555984f7ebaa15c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\ mnvcbnqa.txt
Filesize
52B

MD5
0185f17abe3e9fdc4b800cbbe0a6c7fc

SHA1
4b29800e88dd580e1b38647612888c7832fa79c3

SHA256
97df03d73f683c624358182c81791778345895ad38c16a8189abc7d63577dfe3

SHA512
afb37c7e5946772f636ff583376d1b925d083012c28eb8d8ad74af3e0a0bcb3872e2097803a4a909e655dd38fe43c2d16f7b004e1408fbc92ea8c09ce7a0f00e

Download Submit
C:\Users\Admin\AppData\Roaming\mnvcbn .exe
Filesize
1.1MB

MD5
b80414e3202a808673a8254aec607a12

SHA1
fef5c52c3af36689f3c794ce586d83b0a458afa5

SHA256
5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b

SHA512
3e1a4e4918b2b64238403811348248ff5955793cf405087edaac332461c74ee3d26b21f814565d22ae4f30cc4436821ac7f9fcdc61cae38d1ce8adf3ff2609b3

Download Submit
C:\Users\Admin\AppData\Roaming\mnvcbn .exe
Filesize
1.1MB

MD5
b80414e3202a808673a8254aec607a12

SHA1
fef5c52c3af36689f3c794ce586d83b0a458afa5

SHA256
5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b

SHA512
3e1a4e4918b2b64238403811348248ff5955793cf405087edaac332461c74ee3d26b21f814565d22ae4f30cc4436821ac7f9fcdc61cae38d1ce8adf3ff2609b3

Download Submit
\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\ mnvcbnqa.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\mnvcbn .exe
Filesize
1.1MB

MD5
b80414e3202a808673a8254aec607a12

SHA1
fef5c52c3af36689f3c794ce586d83b0a458afa5

SHA256
5c09c1cfdc80893c1a64a68ed969bd26c929c78fb125747ad01064c5b237ad7b

SHA512
3e1a4e4918b2b64238403811348248ff5955793cf405087edaac332461c74ee3d26b21f814565d22ae4f30cc4436821ac7f9fcdc61cae38d1ce8adf3ff2609b3

Download Submit
memory/552-61-0x0000000000000000-mapping.dmp

Download
memory/824-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/824-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/824-102-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/824-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/824-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/824-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/824-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/824-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/824-85-0x00000000004327A4-mapping.dmp

Download
memory/824-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/824-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/824-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/824-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/940-54-0x00000000000D0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/940-57-0x0000000000720000-0x0000000000738000-memory.dmp

Filesize
96KB

Download
memory/940-55-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/940-56-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/968-71-0x0000000000BF0000-0x0000000000BF6000-memory.dmp

Filesize
24KB

Download
memory/968-70-0x0000000000B80000-0x0000000000B9A000-memory.dmp

Filesize
104KB

Download
memory/968-68-0x00000000012C0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/968-65-0x0000000000000000-mapping.dmp

Download
memory/1076-63-0x0000000000000000-mapping.dmp

Download
memory/1208-60-0x0000000000000000-mapping.dmp

Download
memory/1460-59-0x0000000000000000-mapping.dmp

Download
memory/1544-62-0x0000000000000000-mapping.dmp

Download
memory/1660-94-0x0000000000F70000-0x0000000000F8A000-memory.dmp

Filesize
104KB

Download
memory/1660-91-0x0000000000000000-mapping.dmp

Download
memory/1736-98-0x0000000000000000-mapping.dmp

Download
memory/1920-58-0x0000000000000000-mapping.dmp

Download