remcos | ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/02/2023, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe
Size

1023KB
MD5

55ee911615a55fc7ed410f68324bb3e5
SHA1

71c9737ff98d14c30332f0197e03956c620de578
SHA256

ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31
SHA512

64ced508adb64328b5776179089456dae44372212ea4bcf46be01b5b6b1b6621ba6cc6feac9e0d1c36b76411645784ed7539b499d59d679c61a4f1a503575ff1
SSDEEP

24576:qohABYTjfr2z3GoVJZmyELytqveCspFtxNR/:3VXz+3DVOdve5prH

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

45.139.105.174:2210

212.193.30.230:6320

212.193.30.230:2286

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-UP55W2
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
620	remcos.exe
1596	remcos.exe

Loads dropped DLL 2 IoCs

pid	Process
944	cmd.exe
944	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 620 set thread context of 1596	620	remcos.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2040	schtasks.exe
2028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe
1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe
1044	powershell.exe
620	remcos.exe
1624	powershell.exe
620	remcos.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	620	remcos.exe
Token: SeDebugPrivilege	1624	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1596	remcos.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1044	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	28
PID 1972 wrote to memory of 1044	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	28
PID 1972 wrote to memory of 1044	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	28
PID 1972 wrote to memory of 1044	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	28
PID 1972 wrote to memory of 2040	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	30
PID 1972 wrote to memory of 2040	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	30
PID 1972 wrote to memory of 2040	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	30
PID 1972 wrote to memory of 2040	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	30
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 1972 wrote to memory of 344	1972	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	32
PID 344 wrote to memory of 1112	344	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	33
PID 344 wrote to memory of 1112	344	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	33
PID 344 wrote to memory of 1112	344	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	33
PID 344 wrote to memory of 1112	344	ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe	33
PID 1112 wrote to memory of 944	1112	WScript.exe	34
PID 1112 wrote to memory of 944	1112	WScript.exe	34
PID 1112 wrote to memory of 944	1112	WScript.exe	34
PID 1112 wrote to memory of 944	1112	WScript.exe	34
PID 944 wrote to memory of 620	944	cmd.exe	36
PID 944 wrote to memory of 620	944	cmd.exe	36
PID 944 wrote to memory of 620	944	cmd.exe	36
PID 944 wrote to memory of 620	944	cmd.exe	36
PID 620 wrote to memory of 1624	620	remcos.exe	37
PID 620 wrote to memory of 1624	620	remcos.exe	37
PID 620 wrote to memory of 1624	620	remcos.exe	37
PID 620 wrote to memory of 1624	620	remcos.exe	37
PID 620 wrote to memory of 2028	620	remcos.exe	39
PID 620 wrote to memory of 2028	620	remcos.exe	39
PID 620 wrote to memory of 2028	620	remcos.exe	39
PID 620 wrote to memory of 2028	620	remcos.exe	39
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41
PID 620 wrote to memory of 1596	620	remcos.exe	41

C:\Users\Admin\AppData\Local\Temp\ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe
"C:\Users\Admin\AppData\Local\Temp\ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vOEQrgpIUyHVF.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOEQrgpIUyHVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6AC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe
  "C:\Users\Admin\AppData\Local\Temp\ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zcfhqipbeyjyhevx.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vOEQrgpIUyHVF.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOEQrgpIUyHVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4CCA.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:2028
      - C:\ProgramData\Remcos\remcos.exe
        
        "C:\ProgramData\Remcos\remcos.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
1023KB

MD5
55ee911615a55fc7ed410f68324bb3e5

SHA1
71c9737ff98d14c30332f0197e03956c620de578

SHA256
ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31

SHA512
64ced508adb64328b5776179089456dae44372212ea4bcf46be01b5b6b1b6621ba6cc6feac9e0d1c36b76411645784ed7539b499d59d679c61a4f1a503575ff1

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1023KB

MD5
55ee911615a55fc7ed410f68324bb3e5

SHA1
71c9737ff98d14c30332f0197e03956c620de578

SHA256
ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31

SHA512
64ced508adb64328b5776179089456dae44372212ea4bcf46be01b5b6b1b6621ba6cc6feac9e0d1c36b76411645784ed7539b499d59d679c61a4f1a503575ff1

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1023KB

MD5
55ee911615a55fc7ed410f68324bb3e5

SHA1
71c9737ff98d14c30332f0197e03956c620de578

SHA256
ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31

SHA512
64ced508adb64328b5776179089456dae44372212ea4bcf46be01b5b6b1b6621ba6cc6feac9e0d1c36b76411645784ed7539b499d59d679c61a4f1a503575ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4CCA.tmp

Filesize
1KB

MD5
b9ad7ce61325e94d63c6d49aa1fb5b89

SHA1
94d1a9e3368441bf139a61be1dea7d79e1b145bf

SHA256
907a700a826194d8183f35ff47fb065c6cfcd078ad3b1782cafcef9ee3514739

SHA512
76f0bf0c379f94e453453dd90b34ae419b44b89cc54793ff5c569f7e3d7376035d5e58f8a3d7639ff517b397417c91a13d25accb62f550488263b8cb1a4de7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6AC.tmp

Filesize
1KB

MD5
b9ad7ce61325e94d63c6d49aa1fb5b89

SHA1
94d1a9e3368441bf139a61be1dea7d79e1b145bf

SHA256
907a700a826194d8183f35ff47fb065c6cfcd078ad3b1782cafcef9ee3514739

SHA512
76f0bf0c379f94e453453dd90b34ae419b44b89cc54793ff5c569f7e3d7376035d5e58f8a3d7639ff517b397417c91a13d25accb62f550488263b8cb1a4de7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcfhqipbeyjyhevx.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b2ba8db4d4cd24674508f81dddf5f004

SHA1
cff14b73417549f30b5edd6702a81ed8990e10a0

SHA256
9cbdf953e5c63c4f6176a54a68b5963aa619e989913bc91bbe1ace6cfdaa240c

SHA512
fac4cddd927e2a30613ee1804109bd5b503ee6d8baed7a9d04bd2ab0170a2e8250c5ee0d070aa50f42e90fa59efb74095fe80c1a402fa1f1fd3a74478f56f8a8

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
1023KB

MD5
55ee911615a55fc7ed410f68324bb3e5

SHA1
71c9737ff98d14c30332f0197e03956c620de578

SHA256
ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31

SHA512
64ced508adb64328b5776179089456dae44372212ea4bcf46be01b5b6b1b6621ba6cc6feac9e0d1c36b76411645784ed7539b499d59d679c61a4f1a503575ff1

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
1023KB

MD5
55ee911615a55fc7ed410f68324bb3e5

SHA1
71c9737ff98d14c30332f0197e03956c620de578

SHA256
ff9b3972b169896c9f9cbb757a31dee0a842a5fae8d58aa2c476a3fd1aafea31

SHA512
64ced508adb64328b5776179089456dae44372212ea4bcf46be01b5b6b1b6621ba6cc6feac9e0d1c36b76411645784ed7539b499d59d679c61a4f1a503575ff1

Download Submit
memory/344-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/344-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/344-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/344-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/344-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/344-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/344-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/344-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/344-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/344-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/344-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/620-95-0x0000000000440000-0x0000000000454000-memory.dmp

Filesize
80KB

Download
memory/620-93-0x0000000000AF0000-0x0000000000BF6000-memory.dmp

Filesize
1.0MB

Download
memory/1044-86-0x000000006EE20000-0x000000006F3CB000-memory.dmp

Filesize
5.7MB

Download
memory/1044-85-0x000000006EE20000-0x000000006F3CB000-memory.dmp

Filesize
5.7MB

Download
memory/1596-122-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1596-121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1596-118-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1624-120-0x000000006F5D0000-0x000000006FB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-119-0x000000006F5D0000-0x000000006FB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-63-0x0000000006010000-0x000000000608E000-memory.dmp

Filesize
504KB

Download
memory/1972-56-0x00000000004E0000-0x00000000004F4000-memory.dmp

Filesize
80KB

Download
memory/1972-55-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/1972-57-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/1972-58-0x0000000008010000-0x00000000080C4000-memory.dmp

Filesize
720KB

Download
memory/1972-54-0x0000000000B70000-0x0000000000C76000-memory.dmp

Filesize
1.0MB

Download