remcos | 28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c

General

Target

DOC Maquinas-0215522-23.exe
Size

1.0MB
MD5

27e482c64f1b9035e550ac07f1d30f2c
SHA1

4d7390da7f5c4bf6127fbb3d793e8917a47c45bb
SHA256

28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c
SHA512

b7eff12f1d5a5fc356ab887de9124717d748f4fe82d91f6dcf4853cb5485f294af96323608e0def2709dc819e2b731de3236737437a9be61653174759a65e548
SSDEEP

12288:iOt4pogcgotnPXWZsPxIexTmad12j+iVb4ZdQT/ijLC7aX6zLTisxEZONerixVHk:mojjlgsxZG28K3cesxKkMcyPQTnK

Score

10^/10

remcos upgraded001 persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Upgraded001

C2

fresh03.ddns.net:34110

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-O0ARTY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1656 remcos.exe
872 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

DOC Maquinas-0215522-23.exe

pid process

764 DOC Maquinas-0215522-23.exe

pid	process
1656	remcos.exe
872	remcos.exe

pid	process
764	DOC Maquinas-0215522-23.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos.exeDOC Maquinas-0215522-23.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\	DOC Maquinas-0215522-23.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	DOC Maquinas-0215522-23.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	DOC Maquinas-0215522-23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	DOC Maquinas-0215522-23.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

DOC Maquinas-0215522-23.exeremcos.exe

description	pid	process	target process
PID 2036 set thread context of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 1656 set thread context of 872	1656	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1120 schtasks.exe
732 schtasks.exe

pid	process
1120	schtasks.exe
732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DOC Maquinas-0215522-23.exepowershell.exeremcos.exepowershell.exe

pid	process
2036	DOC Maquinas-0215522-23.exe
2036	DOC Maquinas-0215522-23.exe
2036	DOC Maquinas-0215522-23.exe
2036	DOC Maquinas-0215522-23.exe
2036	DOC Maquinas-0215522-23.exe
2036	DOC Maquinas-0215522-23.exe
1852	powershell.exe
1656	remcos.exe
1656	remcos.exe
1656	remcos.exe
1656	remcos.exe
1656	remcos.exe
1292	powershell.exe
1656	remcos.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

DOC Maquinas-0215522-23.exepowershell.exeremcos.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2036	DOC Maquinas-0215522-23.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1656	remcos.exe
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

DOC Maquinas-0215522-23.exeDOC Maquinas-0215522-23.exeremcos.exe

description	pid	process	target process
PID 2036 wrote to memory of 1852	2036	DOC Maquinas-0215522-23.exe	powershell.exe
PID 2036 wrote to memory of 1852	2036	DOC Maquinas-0215522-23.exe	powershell.exe
PID 2036 wrote to memory of 1852	2036	DOC Maquinas-0215522-23.exe	powershell.exe
PID 2036 wrote to memory of 1852	2036	DOC Maquinas-0215522-23.exe	powershell.exe
PID 2036 wrote to memory of 1120	2036	DOC Maquinas-0215522-23.exe	schtasks.exe
PID 2036 wrote to memory of 1120	2036	DOC Maquinas-0215522-23.exe	schtasks.exe
PID 2036 wrote to memory of 1120	2036	DOC Maquinas-0215522-23.exe	schtasks.exe
PID 2036 wrote to memory of 1120	2036	DOC Maquinas-0215522-23.exe	schtasks.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 2036 wrote to memory of 764	2036	DOC Maquinas-0215522-23.exe	DOC Maquinas-0215522-23.exe
PID 764 wrote to memory of 1656	764	DOC Maquinas-0215522-23.exe	remcos.exe
PID 764 wrote to memory of 1656	764	DOC Maquinas-0215522-23.exe	remcos.exe
PID 764 wrote to memory of 1656	764	DOC Maquinas-0215522-23.exe	remcos.exe
PID 764 wrote to memory of 1656	764	DOC Maquinas-0215522-23.exe	remcos.exe
PID 1656 wrote to memory of 1292	1656	remcos.exe	powershell.exe
PID 1656 wrote to memory of 1292	1656	remcos.exe	powershell.exe
PID 1656 wrote to memory of 1292	1656	remcos.exe	powershell.exe
PID 1656 wrote to memory of 1292	1656	remcos.exe	powershell.exe
PID 1656 wrote to memory of 732	1656	remcos.exe	schtasks.exe
PID 1656 wrote to memory of 732	1656	remcos.exe	schtasks.exe
PID 1656 wrote to memory of 732	1656	remcos.exe	schtasks.exe
PID 1656 wrote to memory of 732	1656	remcos.exe	schtasks.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe
PID 1656 wrote to memory of 872	1656	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\DOC Maquinas-0215522-23.exe
"C:\Users\Admin\AppData\Local\Temp\DOC Maquinas-0215522-23.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SEfmfXm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SEfmfXm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB52.tmp"
2⤵
- Creates scheduled task(s)
PID:1120

C:\Users\Admin\AppData\Local\Temp\DOC Maquinas-0215522-23.exe
"C:\Users\Admin\AppData\Local\Temp\DOC Maquinas-0215522-23.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:764

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SEfmfXm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SEfmfXm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC76.tmp"
4⤵
- Creates scheduled task(s)
PID:732

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe
Filesize
1.0MB

MD5
27e482c64f1b9035e550ac07f1d30f2c

SHA1
4d7390da7f5c4bf6127fbb3d793e8917a47c45bb

SHA256
28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c

SHA512
b7eff12f1d5a5fc356ab887de9124717d748f4fe82d91f6dcf4853cb5485f294af96323608e0def2709dc819e2b731de3236737437a9be61653174759a65e548

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
1.0MB

MD5
27e482c64f1b9035e550ac07f1d30f2c

SHA1
4d7390da7f5c4bf6127fbb3d793e8917a47c45bb

SHA256
28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c

SHA512
b7eff12f1d5a5fc356ab887de9124717d748f4fe82d91f6dcf4853cb5485f294af96323608e0def2709dc819e2b731de3236737437a9be61653174759a65e548

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
1.0MB

MD5
27e482c64f1b9035e550ac07f1d30f2c

SHA1
4d7390da7f5c4bf6127fbb3d793e8917a47c45bb

SHA256
28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c

SHA512
b7eff12f1d5a5fc356ab887de9124717d748f4fe82d91f6dcf4853cb5485f294af96323608e0def2709dc819e2b731de3236737437a9be61653174759a65e548

Download Submit
C:\ProgramData\Remcos\remcos.exe
Filesize
1.0MB

MD5
27e482c64f1b9035e550ac07f1d30f2c

SHA1
4d7390da7f5c4bf6127fbb3d793e8917a47c45bb

SHA256
28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c

SHA512
b7eff12f1d5a5fc356ab887de9124717d748f4fe82d91f6dcf4853cb5485f294af96323608e0def2709dc819e2b731de3236737437a9be61653174759a65e548

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC76.tmp
Filesize
1KB

MD5
fa9928ff515e8bc8522c885d0bdb92be

SHA1
7c2bccd1115646cb5622e605299715cf3a201bfa

SHA256
a5ba3fe68e63cd459644c90a5abd9de853a34ab0e4b3e9c4422120560b6bde7a

SHA512
6f43a021d24961ca3f03b9c1f008cad4b6dab878399cee6d92361f65b9fd85ed928b38f271138e384a477f6b91202597f965bb5e3e0feeb0601564dcb99cf5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB52.tmp
Filesize
1KB

MD5
fa9928ff515e8bc8522c885d0bdb92be

SHA1
7c2bccd1115646cb5622e605299715cf3a201bfa

SHA256
a5ba3fe68e63cd459644c90a5abd9de853a34ab0e4b3e9c4422120560b6bde7a

SHA512
6f43a021d24961ca3f03b9c1f008cad4b6dab878399cee6d92361f65b9fd85ed928b38f271138e384a477f6b91202597f965bb5e3e0feeb0601564dcb99cf5d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0e9229c7c9ea055643f33a5e92c9e76c

SHA1
a66b00eb441c6957628e4464a69e2fe723e00d5e

SHA256
22aa04472b1e9711c76932d5ea8b761cac583c9391be892fb4eb459d59f38311

SHA512
959e93dc9444d987fe9c26528655cc95daa7ea56a3581b72a015030bb2a2c79b4f9e219ea80e0f3e207f9bf626dc0ff51d2d2ac388270c93e9f4176c09567aa6

Download Submit
\ProgramData\Remcos\remcos.exe
Filesize
1.0MB

MD5
27e482c64f1b9035e550ac07f1d30f2c

SHA1
4d7390da7f5c4bf6127fbb3d793e8917a47c45bb

SHA256
28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c

SHA512
b7eff12f1d5a5fc356ab887de9124717d748f4fe82d91f6dcf4853cb5485f294af96323608e0def2709dc819e2b731de3236737437a9be61653174759a65e548

Download Submit
memory/764-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/764-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/764-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/764-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/764-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/764-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/764-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/764-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/764-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/764-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/764-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/764-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-118-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-131-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-130-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-127-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-126-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/872-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-113-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-114-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-115-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-116-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-117-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-120-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/872-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1656-92-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1656-91-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1656-88-0x0000000000BF0000-0x0000000000D02000-memory.dmp

Filesize
1.1MB

Download
memory/1852-73-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/1852-90-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/1852-89-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2036-54-0x0000000001250000-0x0000000001362000-memory.dmp

Filesize
1.1MB

Download
memory/2036-55-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2036-56-0x0000000000430000-0x000000000044E000-memory.dmp

Filesize
120KB

Download
memory/2036-57-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2036-58-0x0000000005880000-0x0000000005972000-memory.dmp

Filesize
968KB

Download
memory/2036-66-0x00000000053E0000-0x0000000005460000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads