remcos | 9881a8d573a9a6c588e52c8588aeff09ac288ac206fc2baf00f63e4af4db7295

Analysis

max time kernel
144s
max time network
158s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-03-2023 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCX_F0067193508.exe
Size

1024.0MB
MD5

932f4060cc31b4dbaffa1bb6d3991c20
SHA1

989f4fb91c3a30a0789c0d61c1b8c5dad659747e
SHA256

a40084ddc1d6655c2f78365a9ef6a9b81997cfa98a6f81c8d7dfe9619ef6b853
SHA512

7bb952847d5bacff9275415ba02a6fbeb180d16b2ef23591a60f9fe302f51301d7c967af5eaa5dc9135ceb108cdf25afdf745a3875b5b0655924452d1f753ba5
SSDEEP

6144:AxjCbYJafbpsBSM/HVFku/7AGLr5lw2H3SgoXraFjvVpQ+QW8uR3OoJWwvTTZlIY:+PozpsBzkuHPgDsvELuv7ZlIgCjIDF

Score

10^/10

remcos billete rat

Malware Config

Extracted

Family

remcos

Botnet

BILLETE

cactus.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9927QM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2036	AppData.exe
1080	AppData.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 1636	1992	DOCX_F0067193508.exe	34
PID 2036 set thread context of 532	2036	AppData.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1832	schtasks.exe
1736	schtasks.exe
564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
672	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	672	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1636	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1732	1992	DOCX_F0067193508.exe	27
PID 1992 wrote to memory of 1732	1992	DOCX_F0067193508.exe	27
PID 1992 wrote to memory of 1732	1992	DOCX_F0067193508.exe	27
PID 1992 wrote to memory of 1732	1992	DOCX_F0067193508.exe	27
PID 1992 wrote to memory of 1976	1992	DOCX_F0067193508.exe	29
PID 1992 wrote to memory of 1976	1992	DOCX_F0067193508.exe	29
PID 1992 wrote to memory of 1976	1992	DOCX_F0067193508.exe	29
PID 1992 wrote to memory of 1976	1992	DOCX_F0067193508.exe	29
PID 1732 wrote to memory of 1832	1732	cmd.exe	31
PID 1732 wrote to memory of 1832	1732	cmd.exe	31
PID 1732 wrote to memory of 1832	1732	cmd.exe	31
PID 1732 wrote to memory of 1832	1732	cmd.exe	31
PID 1992 wrote to memory of 672	1992	DOCX_F0067193508.exe	32
PID 1992 wrote to memory of 672	1992	DOCX_F0067193508.exe	32
PID 1992 wrote to memory of 672	1992	DOCX_F0067193508.exe	32
PID 1992 wrote to memory of 672	1992	DOCX_F0067193508.exe	32
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 1992 wrote to memory of 1636	1992	DOCX_F0067193508.exe	34
PID 704 wrote to memory of 2036	704	taskeng.exe	38
PID 704 wrote to memory of 2036	704	taskeng.exe	38
PID 704 wrote to memory of 2036	704	taskeng.exe	38
PID 704 wrote to memory of 2036	704	taskeng.exe	38
PID 2036 wrote to memory of 1724	2036	AppData.exe	39
PID 2036 wrote to memory of 1724	2036	AppData.exe	39
PID 2036 wrote to memory of 1724	2036	AppData.exe	39
PID 2036 wrote to memory of 1724	2036	AppData.exe	39
PID 2036 wrote to memory of 1596	2036	AppData.exe	40
PID 2036 wrote to memory of 1596	2036	AppData.exe	40
PID 2036 wrote to memory of 1596	2036	AppData.exe	40
PID 2036 wrote to memory of 1596	2036	AppData.exe	40
PID 1724 wrote to memory of 1736	1724	cmd.exe	43
PID 1724 wrote to memory of 1736	1724	cmd.exe	43
PID 1724 wrote to memory of 1736	1724	cmd.exe	43
PID 1724 wrote to memory of 1736	1724	cmd.exe	43
PID 2036 wrote to memory of 1428	2036	AppData.exe	44
PID 2036 wrote to memory of 1428	2036	AppData.exe	44
PID 2036 wrote to memory of 1428	2036	AppData.exe	44
PID 2036 wrote to memory of 1428	2036	AppData.exe	44
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 2036 wrote to memory of 532	2036	AppData.exe	46
PID 704 wrote to memory of 1080	704	taskeng.exe	47
PID 704 wrote to memory of 1080	704	taskeng.exe	47

C:\Users\Admin\AppData\Local\Temp\DOCX_F0067193508.exe
"C:\Users\Admin\AppData\Local\Temp\DOCX_F0067193508.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1832
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\DOCX_F0067193508.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
  2⤵
  PID:1976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\DOCX_F0067193508.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1636

C:\Windows\system32\taskeng.exe
taskeng.exe {CE80079C-034D-43A6-8446-55CFBC5045A7} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:704
- C:\Users\Admin\AppData\Roaming\AppData.exe
  C:\Users\Admin\AppData\Roaming\AppData.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
    3⤵
    - Drops file in System32 directory
    PID:1428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:532
- C:\Users\Admin\AppData\Roaming\AppData.exe
  C:\Users\Admin\AppData\Roaming\AppData.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
    3⤵
    PID:1704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
224B

MD5
7f415bfc880e70c58477d07289282b58

SHA1
35735e74c8caf995fa29d02aca594737cc9b8feb

SHA256
2f5589693999ecd0500336b431269de928c6e099aa374dd7acea9c3b9bdcd368

SHA512
5e296bb779ce49424e0bb4da5c824fb6f74422c1dd845232d6cda7b2fd9f2f1ca54671606d61931a4e71a40d8b48757b3c3502e42166e3e6b163f2522bf8223f

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c95555ba8a09ac77f682499395b7cc6e

SHA1
8858f1043f3f06a3db1f627d84e03d9749e4deea

SHA256
c79a703c9a3aebc625169050e6101c8930f109cd62e1af24bac0ec6bd5ba230e

SHA512
33eb821f64e3e4f0b291f5e0dacfdc79720916415fea10ea914a11019e3ac81496b5973e8cf61d14bdcec497918c521aa23f5034b1f3b97793dea31f9bd65d25

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe

Filesize
635.6MB

MD5
5982b86460f73d75954d7ac77b77bc01

SHA1
fde9f2da283606433da3936da19e7b5c9df41a57

SHA256
59ac10889e2a838d086e74782ddd04fdd40f58dc05069129ba7924d41f244a5d

SHA512
fbd1dfcbd1d59e990dccae236b75e84ebdffea1118980e93942b9583b333f32569d8eadfa706fe91b72fc3557d2f6e9e9f1c33191176e1c0cf35f619a8564d17

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe

Filesize
481.6MB

MD5
2588bb9c08ddca70f7bba6b17ea21beb

SHA1
2c9a311dc0c27edc621cc9c1edbe248c6b28f688

SHA256
082339b4c60b00e2b395b150d0f5a9f8c76a8f5438e007800826566cabffe5fa

SHA512
5cad26e9ba13edb48af52cca724a47f3dfc0268f9d04f4c372bfe73cbac43ce5ef447cdf59b18b10c7b1dfd3a83f9f8a6e2b9d3416edcef1d1c8ab59bc0dfe20

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe

Filesize
280.1MB

MD5
5e4badb0b5286d8445cb952dcaff3f9a

SHA1
241c44e33b68503c290a3dd459cbb9e400c37c91

SHA256
b773486bc98d8c3a6e4413af8cf26c29ff8bc7934b442018dd3d244ce4ef2474

SHA512
7ea81406b68dd5cb66b6af90e647a1a5ece57fc7b39f486dc65262f7f84539d979bc3ff0265ecff2fee4db208274a3f6e00c3b1ea162e73f9840b74c8d97ac96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3dee39426f2f4adfec6546978a70ca7e

SHA1
e25e55a13a8c5d4d01d0852acc94ac307d5d4c26

SHA256
58e5ad66bc688de6e03a65f91cb73cb812254cfb9330a0e3e1b43ecd12f749d3

SHA512
a90c5db98f3d2b04f56a70f3930a7ffbc7e54081d5dcbc0fff3226e393b63b6dd17df1bec47527e8f8b8f21b1c6f5bfdf2aa7a9c699ed21aadd02b7bf2aeff99

Download Submit
memory/532-136-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/532-130-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/532-123-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/672-80-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/672-84-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/672-82-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1080-151-0x0000000000BE0000-0x0000000000D12000-memory.dmp

Filesize
1.2MB

Download
memory/1636-89-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-99-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-78-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-73-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-85-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-86-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-87-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-88-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-81-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-90-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-93-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-67-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-98-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-58-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-66-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1636-65-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-156-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-64-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-63-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-111-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-112-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-61-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-155-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-62-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-60-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-143-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-144-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1636-59-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/1992-54-0x0000000000B60000-0x0000000000C92000-memory.dmp

Filesize
1.2MB

Download
memory/1992-57-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/2036-128-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/2036-107-0x00000000009A0000-0x0000000000AD2000-memory.dmp

Filesize
1.2MB

Download