remcos | a8b1d5171c2a80ef5decd6eb87655159a6268984ff9a89304df515a0248b91e6

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/02/2023, 14:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.1MB
MD5

d343df3654a37b13cf8ede51477a0169
SHA1

8979f54e3e61532ca734d484e3ce98233a1fdb60
SHA256

a8b1d5171c2a80ef5decd6eb87655159a6268984ff9a89304df515a0248b91e6
SHA512

56228f0424ba01d6ce82cf0132f65690139d9df70918a1c89d9fc13abf8db0dde79f358c35894c21e69667c6df623e18a0291468b30ca560de409be6ac25cb2a
SSDEEP

12288:xqzi3K/z9wtnRETEK8zukxfWBc0f2fA+CJyi506Hf8y7HNduRtaQ0zSZ8ZlyDDvS:Pn6H7NC8ZlyDL59xBjyzj

Score

10^/10

remcos warzonerat ikmerro2023 infostealer persistence rat

Malware Config

Extracted

Family

remcos

Botnet

IKMERRO2023

5.2.68.82:1198

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Explorer.exe
copy_folder
ATM Machine
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
1234567ME
mouse_option
false
mutex
12345ME-2V5C4Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Explorer
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Executes dropped EXE 4 IoCs

pid	Process
1636	REMCOS 2023.exe
1012	warzone file 3.12.exe
1320	Explorer.exe
1332	windows.exe

Loads dropped DLL 8 IoCs

pid	Process
1724	tmp.exe
1724	tmp.exe
1724	tmp.exe
1724	tmp.exe
1636	REMCOS 2023.exe
1636	REMCOS 2023.exe
1012	warzone file 3.12.exe
1012	warzone file 3.12.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dppvbouy = "\"C:\\Users\\Admin\\AppData\\Roaming\\Vmavovpfgj\\Dppvbouy.exe\""	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	REMCOS 2023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	REMCOS 2023.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	Explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	Explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\""	Explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	REMCOS 2023.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	REMCOS 2023.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1396 set thread context of 1724	1396	tmp.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1756	powershell.exe
796	powershell.exe
280	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1396	tmp.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1320	Explorer.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 1756	1396	tmp.exe	27
PID 1396 wrote to memory of 1756	1396	tmp.exe	27
PID 1396 wrote to memory of 1756	1396	tmp.exe	27
PID 1396 wrote to memory of 1756	1396	tmp.exe	27
PID 1396 wrote to memory of 1724	1396	tmp.exe	29
PID 1396 wrote to memory of 1724	1396	tmp.exe	29
PID 1396 wrote to memory of 1724	1396	tmp.exe	29
PID 1396 wrote to memory of 1724	1396	tmp.exe	29
PID 1396 wrote to memory of 1724	1396	tmp.exe	29
PID 1396 wrote to memory of 1724	1396	tmp.exe	29
PID 1396 wrote to memory of 1724	1396	tmp.exe	29
PID 1396 wrote to memory of 1724	1396	tmp.exe	29
PID 1396 wrote to memory of 1724	1396	tmp.exe	29
PID 1724 wrote to memory of 1636	1724	tmp.exe	30
PID 1724 wrote to memory of 1636	1724	tmp.exe	30
PID 1724 wrote to memory of 1636	1724	tmp.exe	30
PID 1724 wrote to memory of 1636	1724	tmp.exe	30
PID 1724 wrote to memory of 1012	1724	tmp.exe	31
PID 1724 wrote to memory of 1012	1724	tmp.exe	31
PID 1724 wrote to memory of 1012	1724	tmp.exe	31
PID 1724 wrote to memory of 1012	1724	tmp.exe	31
PID 1636 wrote to memory of 1320	1636	REMCOS 2023.exe	32
PID 1636 wrote to memory of 1320	1636	REMCOS 2023.exe	32
PID 1636 wrote to memory of 1320	1636	REMCOS 2023.exe	32
PID 1636 wrote to memory of 1320	1636	REMCOS 2023.exe	32
PID 1012 wrote to memory of 796	1012	warzone file 3.12.exe	33
PID 1012 wrote to memory of 796	1012	warzone file 3.12.exe	33
PID 1012 wrote to memory of 796	1012	warzone file 3.12.exe	33
PID 1012 wrote to memory of 796	1012	warzone file 3.12.exe	33
PID 1012 wrote to memory of 1332	1012	warzone file 3.12.exe	35
PID 1012 wrote to memory of 1332	1012	warzone file 3.12.exe	35
PID 1012 wrote to memory of 1332	1012	warzone file 3.12.exe	35
PID 1012 wrote to memory of 1332	1012	warzone file 3.12.exe	35
PID 1332 wrote to memory of 280	1332	windows.exe	36
PID 1332 wrote to memory of 280	1332	windows.exe	36
PID 1332 wrote to memory of 280	1332	windows.exe	36
PID 1332 wrote to memory of 280	1332	windows.exe	36
PID 1332 wrote to memory of 468	1332	windows.exe	38
PID 1332 wrote to memory of 468	1332	windows.exe	38
PID 1332 wrote to memory of 468	1332	windows.exe	38
PID 1332 wrote to memory of 468	1332	windows.exe	38
PID 1332 wrote to memory of 468	1332	windows.exe	38
PID 1332 wrote to memory of 468	1332	windows.exe	38

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  C:\Users\Admin\AppData\Local\Temp\tmp.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\REMCOS 2023.exe
    "C:\Users\Admin\AppData\Local\Temp\REMCOS 2023.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\ProgramData\ATM Machine\Explorer.exe
      "C:\ProgramData\ATM Machine\Explorer.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:1320
- - C:\Users\Admin\AppData\Local\Temp\warzone file 3.12.exe
    "C:\Users\Admin\AppData\Local\Temp\warzone file 3.12.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:796
  - - C:\Users\Admin\Documents\windows.exe
      "C:\Users\Admin\Documents\windows.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1332
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ATM Machine\Explorer.exe

Filesize
475KB

MD5
6b9fea839e48a935e0eefab76a2f7a1f

SHA1
d8ab2fc1ac2b4d38f3995d45629563b829ea1053

SHA256
6713faaedb6fc283b3ac7ce13457aa0ef5be4d9065e297b0d03c9bb2f1b73991

SHA512
e0f83bc686a1218b6441647eff1844644b36f0178a7afc67d36c02782c3e2040b251adfb5a7269ffb0b4b05da287fafa7744ced598af7ef9a3f9ff524e1ac89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\REMCOS 2023.exe

Filesize
475KB

MD5
6b9fea839e48a935e0eefab76a2f7a1f

SHA1
d8ab2fc1ac2b4d38f3995d45629563b829ea1053

SHA256
6713faaedb6fc283b3ac7ce13457aa0ef5be4d9065e297b0d03c9bb2f1b73991

SHA512
e0f83bc686a1218b6441647eff1844644b36f0178a7afc67d36c02782c3e2040b251adfb5a7269ffb0b4b05da287fafa7744ced598af7ef9a3f9ff524e1ac89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\REMCOS 2023.exe

Filesize
475KB

MD5
6b9fea839e48a935e0eefab76a2f7a1f

SHA1
d8ab2fc1ac2b4d38f3995d45629563b829ea1053

SHA256
6713faaedb6fc283b3ac7ce13457aa0ef5be4d9065e297b0d03c9bb2f1b73991

SHA512
e0f83bc686a1218b6441647eff1844644b36f0178a7afc67d36c02782c3e2040b251adfb5a7269ffb0b4b05da287fafa7744ced598af7ef9a3f9ff524e1ac89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\warzone file 3.12.exe

Filesize
164KB

MD5
f89a7392a1c7fd89954be5a9f69d74bf

SHA1
fceb85600befe5774023dc78709ede98ab8a773e

SHA256
6b4ec9d1a735fa22099040c27d02eef9be4913b84dfd01fbf032e0fcafa89c8e

SHA512
668d8cebd80220f252ca8bfb9abfc004501649150bd0531dc91c9506995e8671623c00172efd2423de53926bc21e503c0f37e49ac995a47e4bfed4cfa49a1f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\warzone file 3.12.exe

Filesize
164KB

MD5
f89a7392a1c7fd89954be5a9f69d74bf

SHA1
fceb85600befe5774023dc78709ede98ab8a773e

SHA256
6b4ec9d1a735fa22099040c27d02eef9be4913b84dfd01fbf032e0fcafa89c8e

SHA512
668d8cebd80220f252ca8bfb9abfc004501649150bd0531dc91c9506995e8671623c00172efd2423de53926bc21e503c0f37e49ac995a47e4bfed4cfa49a1f27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
248edee704576d6cb2bf93e0cef749af

SHA1
fcb1cc91581ceeba188ca92cb35fb5f4f712976d

SHA256
8501acd67c7c58a421652e0a93de27a3c23b1c3d5f98991b8f43200428f4edc7

SHA512
e401fc2161c39be15806380f1bb39945cbfb41457c0971cbc6f6228ca3813a88a3c7ce2f4f46de6081d7fe09f7d7e2a5e17f96f7b159d9ab0984cca57c649b33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e7ebd0e74ec1b51edd4c63ac25d7a3cc

SHA1
25f4702994c2ea0dc82d46c4f7e287822287f1c4

SHA256
4efd040569e095468c02995d0e94dddd7203c3de13c84c12668d997feb66f964

SHA512
88a2e7d09d7b3b71a7e2d7aaa98b9dafc219851d63195eb258f9d986e369ae44f7b92d5c32348119d1bbc478c9d5e183b06a5b024356755f73bc92fd733c9be5

Download Submit
C:\Users\Admin\Documents\windows.exe

Filesize
164KB

MD5
f89a7392a1c7fd89954be5a9f69d74bf

SHA1
fceb85600befe5774023dc78709ede98ab8a773e

SHA256
6b4ec9d1a735fa22099040c27d02eef9be4913b84dfd01fbf032e0fcafa89c8e

SHA512
668d8cebd80220f252ca8bfb9abfc004501649150bd0531dc91c9506995e8671623c00172efd2423de53926bc21e503c0f37e49ac995a47e4bfed4cfa49a1f27

Download Submit
C:\Users\Admin\Documents\windows.exe

Filesize
164KB

MD5
f89a7392a1c7fd89954be5a9f69d74bf

SHA1
fceb85600befe5774023dc78709ede98ab8a773e

SHA256
6b4ec9d1a735fa22099040c27d02eef9be4913b84dfd01fbf032e0fcafa89c8e

SHA512
668d8cebd80220f252ca8bfb9abfc004501649150bd0531dc91c9506995e8671623c00172efd2423de53926bc21e503c0f37e49ac995a47e4bfed4cfa49a1f27

Download Submit
\ProgramData\ATM Machine\Explorer.exe

Filesize
475KB

MD5
6b9fea839e48a935e0eefab76a2f7a1f

SHA1
d8ab2fc1ac2b4d38f3995d45629563b829ea1053

SHA256
6713faaedb6fc283b3ac7ce13457aa0ef5be4d9065e297b0d03c9bb2f1b73991

SHA512
e0f83bc686a1218b6441647eff1844644b36f0178a7afc67d36c02782c3e2040b251adfb5a7269ffb0b4b05da287fafa7744ced598af7ef9a3f9ff524e1ac89c

Download Submit
\ProgramData\ATM Machine\Explorer.exe

Filesize
475KB

MD5
6b9fea839e48a935e0eefab76a2f7a1f

SHA1
d8ab2fc1ac2b4d38f3995d45629563b829ea1053

SHA256
6713faaedb6fc283b3ac7ce13457aa0ef5be4d9065e297b0d03c9bb2f1b73991

SHA512
e0f83bc686a1218b6441647eff1844644b36f0178a7afc67d36c02782c3e2040b251adfb5a7269ffb0b4b05da287fafa7744ced598af7ef9a3f9ff524e1ac89c

Download Submit
\Users\Admin\AppData\Local\Temp\REMCOS 2023.exe

Filesize
475KB

MD5
6b9fea839e48a935e0eefab76a2f7a1f

SHA1
d8ab2fc1ac2b4d38f3995d45629563b829ea1053

SHA256
6713faaedb6fc283b3ac7ce13457aa0ef5be4d9065e297b0d03c9bb2f1b73991

SHA512
e0f83bc686a1218b6441647eff1844644b36f0178a7afc67d36c02782c3e2040b251adfb5a7269ffb0b4b05da287fafa7744ced598af7ef9a3f9ff524e1ac89c

Download Submit
\Users\Admin\AppData\Local\Temp\REMCOS 2023.exe

Filesize
475KB

MD5
6b9fea839e48a935e0eefab76a2f7a1f

SHA1
d8ab2fc1ac2b4d38f3995d45629563b829ea1053

SHA256
6713faaedb6fc283b3ac7ce13457aa0ef5be4d9065e297b0d03c9bb2f1b73991

SHA512
e0f83bc686a1218b6441647eff1844644b36f0178a7afc67d36c02782c3e2040b251adfb5a7269ffb0b4b05da287fafa7744ced598af7ef9a3f9ff524e1ac89c

Download Submit
\Users\Admin\AppData\Local\Temp\warzone file 3.12.exe

Filesize
164KB

MD5
f89a7392a1c7fd89954be5a9f69d74bf

SHA1
fceb85600befe5774023dc78709ede98ab8a773e

SHA256
6b4ec9d1a735fa22099040c27d02eef9be4913b84dfd01fbf032e0fcafa89c8e

SHA512
668d8cebd80220f252ca8bfb9abfc004501649150bd0531dc91c9506995e8671623c00172efd2423de53926bc21e503c0f37e49ac995a47e4bfed4cfa49a1f27

Download Submit
\Users\Admin\AppData\Local\Temp\warzone file 3.12.exe

Filesize
164KB

MD5
f89a7392a1c7fd89954be5a9f69d74bf

SHA1
fceb85600befe5774023dc78709ede98ab8a773e

SHA256
6b4ec9d1a735fa22099040c27d02eef9be4913b84dfd01fbf032e0fcafa89c8e

SHA512
668d8cebd80220f252ca8bfb9abfc004501649150bd0531dc91c9506995e8671623c00172efd2423de53926bc21e503c0f37e49ac995a47e4bfed4cfa49a1f27

Download Submit
\Users\Admin\Documents\windows.exe

Filesize
164KB

MD5
f89a7392a1c7fd89954be5a9f69d74bf

SHA1
fceb85600befe5774023dc78709ede98ab8a773e

SHA256
6b4ec9d1a735fa22099040c27d02eef9be4913b84dfd01fbf032e0fcafa89c8e

SHA512
668d8cebd80220f252ca8bfb9abfc004501649150bd0531dc91c9506995e8671623c00172efd2423de53926bc21e503c0f37e49ac995a47e4bfed4cfa49a1f27

Download Submit
\Users\Admin\Documents\windows.exe

Filesize
164KB

MD5
f89a7392a1c7fd89954be5a9f69d74bf

SHA1
fceb85600befe5774023dc78709ede98ab8a773e

SHA256
6b4ec9d1a735fa22099040c27d02eef9be4913b84dfd01fbf032e0fcafa89c8e

SHA512
668d8cebd80220f252ca8bfb9abfc004501649150bd0531dc91c9506995e8671623c00172efd2423de53926bc21e503c0f37e49ac995a47e4bfed4cfa49a1f27

Download Submit
memory/280-106-0x00000000727F0000-0x0000000072D9B000-memory.dmp

Filesize
5.7MB

Download
memory/468-108-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/796-95-0x0000000072DA0000-0x000000007334B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-57-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1396-55-0x0000000004A20000-0x0000000004B2E000-memory.dmp

Filesize
1.1MB

Download
memory/1396-56-0x0000000000BD0000-0x0000000000C44000-memory.dmp

Filesize
464KB

Download
memory/1396-54-0x0000000000F00000-0x0000000001118000-memory.dmp

Filesize
2.1MB

Download
memory/1724-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-63-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-64-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-66-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-68-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1724-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1756-61-0x000000006F190000-0x000000006F73B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-60-0x000000006F190000-0x000000006F73B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-62-0x000000006F190000-0x000000006F73B000-memory.dmp

Filesize
5.7MB

Download