remcos | c2c1b145e3cc27c5320fc08fcf810cbf321590956ef6d7c135f4859c49da4cdf

General

Target

VER SUCESIÓNDEINCAPACIDAD20221205.exe
Size

819KB
MD5

c9d36e490b60b2e1964fd7311d8bb0bd
SHA1

ebd73e29f1fd1f2d0a5bfd0fa3ad1bfeb17a6f75
SHA256

cca6fbbbb4b240bd2d713677e01dc377ffffb4a99dedab5eea9813f9d855af56
SHA512

2d6a381619667a5b4bef7ed0237e84ef4bde77368c7a57b3e3906c14a8d75741e1d908dbad791abf525df19d1fe495f37ea331ee24264bf7e93c0a191be9671f
SSDEEP

12288:oHzdKZ26f6MgGse8hAvQHQ1aqM8Dg5SiaPeX:edKvgsaqM805SiaPe

Score

10^/10

remcos brasil rat

Malware Config

Extracted

Family

remcos

Version

2.7.0 Pro

Botnet

BRASIL

C2

brasil.con-ip.com:2001

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-WLGLS0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VER SUCESIÓNDEINCAPACIDAD20221205.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	VER SUCESIÓNDEINCAPACIDAD20221205.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

VER SUCESIÓNDEINCAPACIDAD20221205.exe

description pid process target process

PID 4112 set thread context of 4944 4112 VER SUCESIÓNDEINCAPACIDAD20221205.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3540 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

VER SUCESIÓNDEINCAPACIDAD20221205.exepowershell.exe

pid process

4112 VER SUCESIÓNDEINCAPACIDAD20221205.exe
4112 VER SUCESIÓNDEINCAPACIDAD20221205.exe
4572 powershell.exe
4572 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

VER SUCESIÓNDEINCAPACIDAD20221205.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4112 VER SUCESIÓNDEINCAPACIDAD20221205.exe
Token: SeDebugPrivilege 4572 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

4944 RegSvcs.exe

description	pid	process	target process
PID 4112 set thread context of 4944	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	RegSvcs.exe

pid	process
3540	schtasks.exe

pid	process
4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe
4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe
4572	powershell.exe
4572	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe
Token: SeDebugPrivilege	4572	powershell.exe

pid	process
4944	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

VER SUCESIÓNDEINCAPACIDAD20221205.exe

description	pid	process	target process
PID 4112 wrote to memory of 4572	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	powershell.exe
PID 4112 wrote to memory of 4572	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	powershell.exe
PID 4112 wrote to memory of 4572	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	powershell.exe
PID 4112 wrote to memory of 3540	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	schtasks.exe
PID 4112 wrote to memory of 3540	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	schtasks.exe
PID 4112 wrote to memory of 3540	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	schtasks.exe
PID 4112 wrote to memory of 4944	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	RegSvcs.exe
PID 4112 wrote to memory of 4944	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	RegSvcs.exe
PID 4112 wrote to memory of 4944	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	RegSvcs.exe
PID 4112 wrote to memory of 4944	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	RegSvcs.exe
PID 4112 wrote to memory of 4944	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	RegSvcs.exe
PID 4112 wrote to memory of 4944	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	RegSvcs.exe
PID 4112 wrote to memory of 4944	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	RegSvcs.exe
PID 4112 wrote to memory of 4944	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	RegSvcs.exe
PID 4112 wrote to memory of 4944	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	RegSvcs.exe
PID 4112 wrote to memory of 4944	4112	VER SUCESIÓNDEINCAPACIDAD20221205.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\VER SUCESIÓNDEINCAPACIDAD20221205.exe
"C:\Users\Admin\AppData\Local\Temp\VER SUCESIÓNDEINCAPACIDAD20221205.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LaeCyBpJKSBFqo.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LaeCyBpJKSBFqo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFFE.tmp"
2⤵
- Creates scheduled task(s)
PID:3540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eczq0glj.sjd.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFE.tmp
Filesize
1KB

MD5
345ec0f35b4d4af670d914dcd01ba39f

SHA1
63bac3cce22f3703dfdd0776c452d01ea6d0ac37

SHA256
9b22ffe5cc15f178ec1b710e21687a2fbf78db3df6aedb2fba749c979dbe007a

SHA512
b081e50f09511eb931cbce7a92886069204f1f05e002224c5ebfb0faa25b6bbccbefa7667bf63e29b8020d4a391b2855740c321afeac0ec016dc5a7b60084beb

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
Filesize
74B

MD5
4798ebf76f94f1681345ea9638dc8d1d

SHA1
1c03e77b3b7c042d63c3f9bc90354672cbc56161

SHA256
3464cf6c2df4660573b7972b0e42ea0802cfbc541f7ef2261628322ee6c5d8c9

SHA512
07e1faedd3d10cfc0d980d1bd9ba971d1305e2c3f35325833150f73e58243e7a6463d0c27ae319b484483ce1eba63a36d7c07487d86141d5bf96f3b3fdf8bf94

Download Submit
memory/4112-134-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/4112-135-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/4112-136-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/4112-137-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/4112-138-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/4112-139-0x0000000009290000-0x000000000932C000-memory.dmp

Filesize
624KB

Download
memory/4112-133-0x0000000000E80000-0x0000000000F54000-memory.dmp

Filesize
848KB

Download
memory/4572-184-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/4572-171-0x0000000006FF0000-0x0000000007022000-memory.dmp

Filesize
200KB

Download
memory/4572-151-0x0000000004D20000-0x0000000004D42000-memory.dmp

Filesize
136KB

Download
memory/4572-144-0x00000000024D0000-0x0000000002506000-memory.dmp

Filesize
216KB

Download
memory/4572-154-0x0000000004F60000-0x0000000004FC6000-memory.dmp

Filesize
408KB

Download
memory/4572-191-0x0000000007430000-0x0000000007438000-memory.dmp

Filesize
32KB

Download
memory/4572-190-0x0000000007450000-0x000000000746A000-memory.dmp

Filesize
104KB

Download
memory/4572-161-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/4572-147-0x0000000005090000-0x00000000056B8000-memory.dmp

Filesize
6.2MB

Download
memory/4572-169-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/4572-168-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/4572-189-0x0000000007340000-0x000000000734E000-memory.dmp

Filesize
56KB

Download
memory/4572-170-0x0000000005E10000-0x0000000005E2E000-memory.dmp

Filesize
120KB

Download
memory/4572-188-0x0000000007390000-0x0000000007426000-memory.dmp

Filesize
600KB

Download
memory/4572-172-0x00000000701F0000-0x000000007023C000-memory.dmp

Filesize
304KB

Download
memory/4572-182-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/4572-183-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/4572-187-0x0000000007180000-0x000000000718A000-memory.dmp

Filesize
40KB

Download
memory/4572-185-0x0000000007760000-0x0000000007DDA000-memory.dmp

Filesize
6.5MB

Download
memory/4572-186-0x0000000007110000-0x000000000712A000-memory.dmp

Filesize
104KB

Download
memory/4944-146-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4944-150-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4944-167-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4944-162-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4944-155-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4944-195-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4944-152-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads