remcos | 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9

General

Target

Enquiry_Order_Official_Quotation.exe
Size

2.5MB
MD5

e1c771cceb693ea14bbcde32ac1355fc
SHA1

bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256

70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512

fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff
SSDEEP

24576:CsLDsY5ohQjNm5lGrJrGU/thfLixwfA7DgCBbZoiSNy5aKg88vX6yqlAtVULkfSO:C3FYVr4U/3L7yRAUQKuakLomg0BqKqw

Score

10^/10

remcos ikmerro2023 persistence rat

Malware Config

Extracted

Family

remcos

Botnet

IKMERRO2023

C2

5.2.68.82:1198

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Explorer.exe
copy_folder
ATM Machine
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
1234567ME
mouse_option
false
mutex
12345ME-2V5C4Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Explorer
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Explorer.exeEnquiry_Order_Official_Quotation.exeEnquiry_Order_Official_Quotation.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Enquiry_Order_Official_Quotation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Enquiry_Order_Official_Quotation.exe

Executes dropped EXE 2 IoCs

Processes:

Explorer.exeExplorer.exe

pid process

4576 Explorer.exe
5072 Explorer.exe

pid	process
4576	Explorer.exe
5072	Explorer.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Enquiry_Order_Official_Quotation.exeExplorer.exeEnquiry_Order_Official_Quotation.exeExplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	Enquiry_Order_Official_Quotation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	Enquiry_Order_Official_Quotation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	Explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dgtxdkhrpw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kyjsafxspwa\\Dgtxdkhrpw.exe\""	Enquiry_Order_Official_Quotation.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Enquiry_Order_Official_Quotation.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	Enquiry_Order_Official_Quotation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dgtxdkhrpw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kyjsafxspwa\\Dgtxdkhrpw.exe\""	Explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Enquiry_Order_Official_Quotation.exeExplorer.exe

description	pid	process	target process
PID 3300 set thread context of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 4576 set thread context of 5072	4576	Explorer.exe	Explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4708 powershell.exe
4708 powershell.exe
3640 powershell.exe
3640 powershell.exe

pid	process
4708	powershell.exe
4708	powershell.exe
3640	powershell.exe
3640	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Enquiry_Order_Official_Quotation.exepowershell.exeExplorer.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3300	Enquiry_Order_Official_Quotation.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4576	Explorer.exe
Token: SeDebugPrivilege	3640	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.exe

pid process

5072 Explorer.exe

pid	process
5072	Explorer.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

Enquiry_Order_Official_Quotation.exeEnquiry_Order_Official_Quotation.exeExplorer.exe

description	pid	process	target process
PID 3300 wrote to memory of 4708	3300	Enquiry_Order_Official_Quotation.exe	powershell.exe
PID 3300 wrote to memory of 4708	3300	Enquiry_Order_Official_Quotation.exe	powershell.exe
PID 3300 wrote to memory of 4708	3300	Enquiry_Order_Official_Quotation.exe	powershell.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 3300 wrote to memory of 1100	3300	Enquiry_Order_Official_Quotation.exe	Enquiry_Order_Official_Quotation.exe
PID 1100 wrote to memory of 4576	1100	Enquiry_Order_Official_Quotation.exe	Explorer.exe
PID 1100 wrote to memory of 4576	1100	Enquiry_Order_Official_Quotation.exe	Explorer.exe
PID 1100 wrote to memory of 4576	1100	Enquiry_Order_Official_Quotation.exe	Explorer.exe
PID 4576 wrote to memory of 3640	4576	Explorer.exe	powershell.exe
PID 4576 wrote to memory of 3640	4576	Explorer.exe	powershell.exe
PID 4576 wrote to memory of 3640	4576	Explorer.exe	powershell.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe
PID 4576 wrote to memory of 5072	4576	Explorer.exe	Explorer.exe

C:\Users\Admin\AppData\Local\Temp\Enquiry_Order_Official_Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Enquiry_Order_Official_Quotation.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Users\Admin\AppData\Local\Temp\Enquiry_Order_Official_Quotation.exe
C:\Users\Admin\AppData\Local\Temp\Enquiry_Order_Official_Quotation.exe
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100

C:\ProgramData\ATM Machine\Explorer.exe
"C:\ProgramData\ATM Machine\Explorer.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\ProgramData\ATM Machine\Explorer.exe
"C:\ProgramData\ATM Machine\Explorer.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ATM Machine\Explorer.exe
Filesize
2.5MB

MD5
e1c771cceb693ea14bbcde32ac1355fc

SHA1
bc2da06db4b0cc42595b7761ff990e303441cd99

SHA256
70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9

SHA512
fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

Download Submit
C:\ProgramData\ATM Machine\Explorer.exe
Filesize
2.5MB

MD5
e1c771cceb693ea14bbcde32ac1355fc

SHA1
bc2da06db4b0cc42595b7761ff990e303441cd99

SHA256
70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9

SHA512
fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

Download Submit
C:\ProgramData\ATM Machine\Explorer.exe
Filesize
2.5MB

MD5
e1c771cceb693ea14bbcde32ac1355fc

SHA1
bc2da06db4b0cc42595b7761ff990e303441cd99

SHA256
70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9

SHA512
fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
a8fc932486dcf26a0d01cfb6b423d57a

SHA1
81fa1f10cbd1f83d6ea796aee46d5dec7ad61f42

SHA256
598899fecdaa6f705911eaf7c25635acab6ea13d04569b3c679beae91f9e9640

SHA512
2e2ed927f7ec0cac46f1f1fe1966a15934b95df1e34813733a1c12f684c539ee8760653a7c2d1ff1fadf9e8aa2de55b9b1c4b01a352692baf7c2d540d5d4a93c

Download Submit
C:\Users\Admin\AppData\Roaming\Kyjsafxspwa\Dgtxdkhrpw.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1100-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1100-142-0x0000000000000000-mapping.dmp

Download
memory/1100-144-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1100-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1100-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3300-133-0x0000000005020000-0x0000000005042000-memory.dmp

Filesize
136KB

Download
memory/3300-132-0x00000000003D0000-0x0000000000662000-memory.dmp

Filesize
2.6MB

Download
memory/3640-150-0x0000000000000000-mapping.dmp

Download
memory/4576-146-0x0000000000000000-mapping.dmp

Download
memory/4708-135-0x0000000004CD0000-0x0000000004D06000-memory.dmp

Filesize
216KB

Download
memory/4708-140-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/4708-139-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/4708-138-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/4708-137-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/4708-136-0x00000000054B0000-0x0000000005AD8000-memory.dmp

Filesize
6.2MB

Download
memory/4708-141-0x00000000067A0000-0x00000000067BA000-memory.dmp

Filesize
104KB

Download
memory/4708-134-0x0000000000000000-mapping.dmp

Download
memory/5072-155-0x0000000000000000-mapping.dmp

Download
memory/5072-158-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5072-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5072-160-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5072-161-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads