remcos | 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2023 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Enquiry_Order_Official_Quotation.exe
Size

2.5MB
MD5

e1c771cceb693ea14bbcde32ac1355fc
SHA1

bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256

70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512

fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff
SSDEEP

24576:CsLDsY5ohQjNm5lGrJrGU/thfLixwfA7DgCBbZoiSNy5aKg88vX6yqlAtVULkfSO:C3FYVr4U/3L7yRAUQKuakLomg0BqKqw

Score

10^/10

remcos ikmerro2023 persistence rat

Malware Config

Extracted

Family

remcos

Botnet

IKMERRO2023

5.2.68.82:1198

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Explorer.exe
copy_folder
ATM Machine
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
1234567ME
mouse_option
false
mutex
12345ME-2V5C4Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Explorer
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Enquiry_Order_Official_Quotation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Enquiry_Order_Official_Quotation.exe

Executes dropped EXE 2 IoCs

pid	Process
4576	Explorer.exe
5072	Explorer.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	Enquiry_Order_Official_Quotation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	Enquiry_Order_Official_Quotation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	Explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dgtxdkhrpw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kyjsafxspwa\\Dgtxdkhrpw.exe\""	Enquiry_Order_Official_Quotation.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Enquiry_Order_Official_Quotation.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	Enquiry_Order_Official_Quotation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dgtxdkhrpw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kyjsafxspwa\\Dgtxdkhrpw.exe\""	Explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3300 set thread context of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 4576 set thread context of 5072	4576	Explorer.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4708	powershell.exe
4708	powershell.exe
3640	powershell.exe
3640	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3300	Enquiry_Order_Official_Quotation.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4576	Explorer.exe
Token: SeDebugPrivilege	3640	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5072	Explorer.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 4708	3300	Enquiry_Order_Official_Quotation.exe	81
PID 3300 wrote to memory of 4708	3300	Enquiry_Order_Official_Quotation.exe	81
PID 3300 wrote to memory of 4708	3300	Enquiry_Order_Official_Quotation.exe	81
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	89
PID 1100 wrote to memory of 4576	1100	Enquiry_Order_Official_Quotation.exe	91
PID 1100 wrote to memory of 4576	1100	Enquiry_Order_Official_Quotation.exe	91
PID 1100 wrote to memory of 4576	1100	Enquiry_Order_Official_Quotation.exe	91
PID 4576 wrote to memory of 3640	4576	Explorer.exe	92
PID 4576 wrote to memory of 3640	4576	Explorer.exe	92
PID 4576 wrote to memory of 3640	4576	Explorer.exe	92
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94
PID 4576 wrote to memory of 5072	4576	Explorer.exe	94

C:\Users\Admin\AppData\Local\Temp\Enquiry_Order_Official_Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Enquiry_Order_Official_Quotation.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\Enquiry_Order_Official_Quotation.exe
  C:\Users\Admin\AppData\Local\Temp\Enquiry_Order_Official_Quotation.exe
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\ProgramData\ATM Machine\Explorer.exe
    "C:\ProgramData\ATM Machine\Explorer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3640
  - - C:\ProgramData\ATM Machine\Explorer.exe
      "C:\ProgramData\ATM Machine\Explorer.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:5072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ATM Machine\Explorer.exe

Filesize
2.5MB

MD5
e1c771cceb693ea14bbcde32ac1355fc

SHA1
bc2da06db4b0cc42595b7761ff990e303441cd99

SHA256
70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9

SHA512
fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

Download Submit
C:\ProgramData\ATM Machine\Explorer.exe

Filesize
2.5MB

MD5
e1c771cceb693ea14bbcde32ac1355fc

SHA1
bc2da06db4b0cc42595b7761ff990e303441cd99

SHA256
70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9

SHA512
fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

Download Submit
C:\ProgramData\ATM Machine\Explorer.exe

Filesize
2.5MB

MD5
e1c771cceb693ea14bbcde32ac1355fc

SHA1
bc2da06db4b0cc42595b7761ff990e303441cd99

SHA256
70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9

SHA512
fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
a8fc932486dcf26a0d01cfb6b423d57a

SHA1
81fa1f10cbd1f83d6ea796aee46d5dec7ad61f42

SHA256
598899fecdaa6f705911eaf7c25635acab6ea13d04569b3c679beae91f9e9640

SHA512
2e2ed927f7ec0cac46f1f1fe1966a15934b95df1e34813733a1c12f684c539ee8760653a7c2d1ff1fadf9e8aa2de55b9b1c4b01a352692baf7c2d540d5d4a93c

Download Submit
memory/1100-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1100-144-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1100-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1100-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3300-133-0x0000000005020000-0x0000000005042000-memory.dmp

Filesize
136KB

Download
memory/3300-132-0x00000000003D0000-0x0000000000662000-memory.dmp

Filesize
2.6MB

Download
memory/4708-135-0x0000000004CD0000-0x0000000004D06000-memory.dmp

Filesize
216KB

Download
memory/4708-140-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/4708-139-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/4708-138-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/4708-137-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/4708-136-0x00000000054B0000-0x0000000005AD8000-memory.dmp

Filesize
6.2MB

Download
memory/4708-141-0x00000000067A0000-0x00000000067BA000-memory.dmp

Filesize
104KB

Download
memory/5072-158-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5072-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5072-160-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5072-161-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download