remcos | 28f5fb6f5afd8932e3c365e3af55b56c9b4d0f964ecb4df5710305ce77d9b4b2

Analysis

max time kernel
600s
max time network
602s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Agreement documents.exe
Size

2.3MB
MD5

594307a3a85f02d66348cd0fdf16491c
SHA1

89eb99bff35531c828dd9d6b1da84e0ca4f6c1b7
SHA256

34f6c9c56b8193c469694a1e0033dd03e751be111ed356aee435a8aed96c2a15
SHA512

dfa247154c78aaccc8cfe68a68a89c58808a01ef5878c536455cb80af6805a4d01efc0b8d23b9b9014b09119c90ea141abcae76f644f967ba9c19f0e9a77ec95
SSDEEP

24576:yX6ZYD2WTPUKtu1Dze6HDpLAq3di1mBHrmszBf8sM7BfkvkOkOyHVxxBIGkKY9aR:k6ZYDEDzyEcFpPl3WIE

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

2.7.1 Pro

Botnet

RemoteHost

march4great.ddns.net:2409

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-43G52Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Agreement documents.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ucbjzlfiwd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Owtaohla\\Ucbjzlfiwd.exe\""	Agreement documents.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Agreement documents.exe

description pid process target process

PID 1948 set thread context of 520 1948 Agreement documents.exe Agreement documents.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1276 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Agreement documents.exe

pid process

520 Agreement documents.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeAgreement documents.exe

description pid process

Token: SeDebugPrivilege 1276 powershell.exe
Token: SeDebugPrivilege 1948 Agreement documents.exe

description	pid	process	target process
PID 1948 set thread context of 520	1948	Agreement documents.exe	Agreement documents.exe

pid	process
1276	powershell.exe

pid	process
520	Agreement documents.exe

description	pid	process
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	1948	Agreement documents.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Agreement documents.exe

description	pid	process	target process
PID 1948 wrote to memory of 1276	1948	Agreement documents.exe	powershell.exe
PID 1948 wrote to memory of 1276	1948	Agreement documents.exe	powershell.exe
PID 1948 wrote to memory of 1276	1948	Agreement documents.exe	powershell.exe
PID 1948 wrote to memory of 1276	1948	Agreement documents.exe	powershell.exe
PID 1948 wrote to memory of 520	1948	Agreement documents.exe	Agreement documents.exe
PID 1948 wrote to memory of 520	1948	Agreement documents.exe	Agreement documents.exe
PID 1948 wrote to memory of 520	1948	Agreement documents.exe	Agreement documents.exe
PID 1948 wrote to memory of 520	1948	Agreement documents.exe	Agreement documents.exe
PID 1948 wrote to memory of 520	1948	Agreement documents.exe	Agreement documents.exe
PID 1948 wrote to memory of 520	1948	Agreement documents.exe	Agreement documents.exe
PID 1948 wrote to memory of 520	1948	Agreement documents.exe	Agreement documents.exe
PID 1948 wrote to memory of 520	1948	Agreement documents.exe	Agreement documents.exe
PID 1948 wrote to memory of 520	1948	Agreement documents.exe	Agreement documents.exe
PID 1948 wrote to memory of 520	1948	Agreement documents.exe	Agreement documents.exe
PID 1948 wrote to memory of 520	1948	Agreement documents.exe	Agreement documents.exe

C:\Users\Admin\AppData\Local\Temp\Agreement documents.exe
"C:\Users\Admin\AppData\Local\Temp\Agreement documents.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Users\Admin\AppData\Local\Temp\Agreement documents.exe
"C:\Users\Admin\AppData\Local\Temp\Agreement documents.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-93-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-90-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-127-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-126-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-125-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-94-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-69-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/520-71-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-73-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-74-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-75-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-78-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-79-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-80-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-81-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-82-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-86-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-87-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-88-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-89-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-95-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-92-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-91-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-124-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-65-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-96-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-97-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-98-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-104-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-105-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-106-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-107-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-108-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-109-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-110-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-111-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-112-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-113-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-116-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-117-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-118-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-119-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-120-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-121-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-123-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/520-122-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1276-60-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/1276-61-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/1948-55-0x0000000004A10000-0x0000000004B5A000-memory.dmp

Filesize
1.3MB

Download
memory/1948-54-0x0000000000830000-0x0000000000A7C000-memory.dmp

Filesize
2.3MB

Download
memory/1948-56-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/1948-57-0x0000000004500000-0x0000000004592000-memory.dmp

Filesize
584KB

Download
memory/1948-62-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download