remcos | e5ce666cd121335782af08f14bbe122ee6cb723f4d4bafd4ec76cf6ed34f3e1a

Analysis

max time kernel
134s
max time network
137s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revised_Order_Document‮fdp.scr
Size

300.3MB
MD5

03a5de4492a409b3fd4dcadb87f6e140
SHA1

bb280dad0be2f7641bb83ca7429dc1861f90b39a
SHA256

07d8b0e5d6e43ea033dd06335b5b19c179f78733648a79006f9ac20b5c22042e
SHA512

2d8c5e179581e7633285df8e5ebcbe39bfed288b4416899d8941b5b138ae3d16b94fe612ea0a6cd1d2db303117b2881e678ffb2017a312b787935ea082589a59
SSDEEP

24576:ZTbBv5rUmlWpuLPF/q0f6PoedrSO67Lot/uMrD3gi64o:TBqaPdfuokSHOGMrD3364

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

185.246.220.63:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0ILS8U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

LocalISaKC_QNKT.exeehkbu.exe

pid process

2024 LocalISaKC_QNKT.exe
1816 ehkbu.exe
Loads dropped DLL 1 IoCs

Processes:

wscript.exe

pid process

1252 wscript.exe

pid	process
2024	LocalISaKC_QNKT.exe
1816	ehkbu.exe

pid	process
1252	wscript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ehkbu.exeRegSvcs.exe

description	pid	process	target process
PID 1816 set thread context of 928	1816	ehkbu.exe	RegSvcs.exe
PID 928 set thread context of 940	928	RegSvcs.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C60E9A0-CD43-11ED-ADAF-EE84389A6D8F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4C60E9A2-CD43-11ED-ADAF-EE84389A6D8F}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

RegSvcs.exe

pid process

928 RegSvcs.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2008 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid process

1512 AcroRd32.exe
1512 AcroRd32.exe
1512 AcroRd32.exe
2008 iexplore.exe
2008 iexplore.exe
868 IEXPLORE.EXE
868 IEXPLORE.EXE

pid	process
928	RegSvcs.exe

pid	process
2008	iexplore.exe

pid	process
1512	AcroRd32.exe
1512	AcroRd32.exe
1512	AcroRd32.exe
2008	iexplore.exe
2008	iexplore.exe
868	IEXPLORE.EXE
868	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

Revised_Order_Document‮fdp.scrLocalISaKC_QNKT.exewscript.exeehkbu.exeRegSvcs.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1324 wrote to memory of 2024	1324	Revised_Order_Document‮fdp.scr	LocalISaKC_QNKT.exe
PID 1324 wrote to memory of 2024	1324	Revised_Order_Document‮fdp.scr	LocalISaKC_QNKT.exe
PID 1324 wrote to memory of 2024	1324	Revised_Order_Document‮fdp.scr	LocalISaKC_QNKT.exe
PID 1324 wrote to memory of 2024	1324	Revised_Order_Document‮fdp.scr	LocalISaKC_QNKT.exe
PID 1324 wrote to memory of 1512	1324	Revised_Order_Document‮fdp.scr	AcroRd32.exe
PID 1324 wrote to memory of 1512	1324	Revised_Order_Document‮fdp.scr	AcroRd32.exe
PID 1324 wrote to memory of 1512	1324	Revised_Order_Document‮fdp.scr	AcroRd32.exe
PID 1324 wrote to memory of 1512	1324	Revised_Order_Document‮fdp.scr	AcroRd32.exe
PID 2024 wrote to memory of 1252	2024	LocalISaKC_QNKT.exe	wscript.exe
PID 2024 wrote to memory of 1252	2024	LocalISaKC_QNKT.exe	wscript.exe
PID 2024 wrote to memory of 1252	2024	LocalISaKC_QNKT.exe	wscript.exe
PID 2024 wrote to memory of 1252	2024	LocalISaKC_QNKT.exe	wscript.exe
PID 1252 wrote to memory of 1816	1252	wscript.exe	ehkbu.exe
PID 1252 wrote to memory of 1816	1252	wscript.exe	ehkbu.exe
PID 1252 wrote to memory of 1816	1252	wscript.exe	ehkbu.exe
PID 1252 wrote to memory of 1816	1252	wscript.exe	ehkbu.exe
PID 1816 wrote to memory of 928	1816	ehkbu.exe	RegSvcs.exe
PID 1816 wrote to memory of 928	1816	ehkbu.exe	RegSvcs.exe
PID 1816 wrote to memory of 928	1816	ehkbu.exe	RegSvcs.exe
PID 1816 wrote to memory of 928	1816	ehkbu.exe	RegSvcs.exe
PID 1816 wrote to memory of 928	1816	ehkbu.exe	RegSvcs.exe
PID 1816 wrote to memory of 928	1816	ehkbu.exe	RegSvcs.exe
PID 1816 wrote to memory of 928	1816	ehkbu.exe	RegSvcs.exe
PID 1816 wrote to memory of 928	1816	ehkbu.exe	RegSvcs.exe
PID 1816 wrote to memory of 928	1816	ehkbu.exe	RegSvcs.exe
PID 928 wrote to memory of 940	928	RegSvcs.exe	iexplore.exe
PID 928 wrote to memory of 940	928	RegSvcs.exe	iexplore.exe
PID 928 wrote to memory of 940	928	RegSvcs.exe	iexplore.exe
PID 928 wrote to memory of 940	928	RegSvcs.exe	iexplore.exe
PID 928 wrote to memory of 940	928	RegSvcs.exe	iexplore.exe
PID 940 wrote to memory of 2008	940	iexplore.exe	iexplore.exe
PID 940 wrote to memory of 2008	940	iexplore.exe	iexplore.exe
PID 940 wrote to memory of 2008	940	iexplore.exe	iexplore.exe
PID 940 wrote to memory of 2008	940	iexplore.exe	iexplore.exe
PID 2008 wrote to memory of 868	2008	iexplore.exe	IEXPLORE.EXE
PID 2008 wrote to memory of 868	2008	iexplore.exe	IEXPLORE.EXE
PID 2008 wrote to memory of 868	2008	iexplore.exe	IEXPLORE.EXE
PID 2008 wrote to memory of 868	2008	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Revised_Order_Document‮fdp.scr
"C:\Users\Admin\AppData\Local\Temp\Revised_Order_Document‮fdp.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\LocalISaKC_QNKT.exe
"C:\Users\Admin\AppData\LocalISaKC_QNKT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" pxbffb-fpkmd.bmp.vbe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exe
"C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exe" osoek.dat
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:928

\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
7⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2
8⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:868

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\LocalEakfkhbzPY.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1512

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalEakfkhbzPY.pdf
Filesize
167KB

MD5
2cfecbd58e0eec099942e74f05c38cff

SHA1
4cf962574cacef01d9f5ec911542c55c2af0c64e

SHA256
b218d8a4ee4c29a98a3a5e6218a1836d7dfd36f5565117dc15b7a0c903da8abe

SHA512
87ef346dc8fff5de0663e9ade5a98f5436a594e0f57390bbb242b09897690d77d01e6f7cee25af5aaf65f7d406a765520e5b98c60c873e4f4fc3d58c248a5304

Download Submit
C:\Users\Admin\AppData\LocalISaKC_QNKT.exe
Filesize
300.0MB

MD5
9dbf6919c0982fdf363d666b9cea97ee

SHA1
04664634a6d9e87286e27a30ef8117e198669647

SHA256
74180ea67b2047e7225720e1735ecb9ab1322797704bd606ac54f4c1c9c4afc2

SHA512
71488336954aae0233bb0e822934a69d28aa8d4b1542780a2c22b82e45e45a4798f539fa0510f264753b3548dc439a71f9385b2ab7faeb3488b56fd0427e6ed8

Download Submit
C:\Users\Admin\AppData\LocalISaKC_QNKT.exe
Filesize
300.0MB

MD5
9dbf6919c0982fdf363d666b9cea97ee

SHA1
04664634a6d9e87286e27a30ef8117e198669647

SHA256
74180ea67b2047e7225720e1735ecb9ab1322797704bd606ac54f4c1c9c4afc2

SHA512
71488336954aae0233bb0e822934a69d28aa8d4b1542780a2c22b82e45e45a4798f539fa0510f264753b3548dc439a71f9385b2ab7faeb3488b56fd0427e6ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cppv\dbamss.rpg
Filesize
868KB

MD5
3018e14b39c9633d246c9d5e2bff88fd

SHA1
09ca88027622c823f804786f9192f3e0dadad09d

SHA256
32e400fd227d0590d1ba5628ffc300d4c67a1e26764ae6ebae3cf74762e8a6d8

SHA512
bfbb15efb7d38e6917898402406031c84c20efcf07ccdc28c6ad2bced9165037a0341e0471443a9adffa82dd878decc35d866064cf2914221b53ec3969d8f827

Download Submit
C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exe
Filesize
944KB

MD5
76ab3e669b01f2a037c34060a4e9ea02

SHA1
8a04e160052b1fcf803c7d867f8b1c3682ecda62

SHA256
c060f8a33c68264bb01616527642a4432ac4ddbecaf006c585e8199593f31583

SHA512
d728cf3c4e12845f8efd05a8d9e2e2e2f0c13de85806cbd4d96c5f97ce823c115c827ec16dd87a93c7f11e80a12afce076724d8cc873d130be9464438c0b3223

Download Submit
C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exe
Filesize
944KB

MD5
76ab3e669b01f2a037c34060a4e9ea02

SHA1
8a04e160052b1fcf803c7d867f8b1c3682ecda62

SHA256
c060f8a33c68264bb01616527642a4432ac4ddbecaf006c585e8199593f31583

SHA512
d728cf3c4e12845f8efd05a8d9e2e2e2f0c13de85806cbd4d96c5f97ce823c115c827ec16dd87a93c7f11e80a12afce076724d8cc873d130be9464438c0b3223

Download Submit
C:\Users\Admin\AppData\Local\Temp\cppv\ggcoopcd.exe
Filesize
36KB

MD5
ae20d990918c3003eadad115c7c54c9c

SHA1
f9e72d61f73fe382143cc4f2a52d3e76c71a4d3b

SHA256
ea266dc747fd492bae1682595dbb066fc0cca80db84c8757c5c719a7af5faa4e

SHA512
4bfc52bbeba535d5674b2cb6713c9d8eef7e716169ec64e6b6f90ad22a43d7bd3aaa0c5ff4c6a6e9745849d35641b4eb1f13cbacf895b4592d0c4dcde9c64aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cppv\osoek.dat
Filesize
93.1MB

MD5
10bf7c6ad8a79508841359d1e00487de

SHA1
9b9d4294260b86ac0d9d6307830329aeff4cff6c

SHA256
34d15509786fac4f4ca1d7181e10614b1fc5fc3e5c1add6428e64594fec43ebf

SHA512
04ad60f5fd4ef57d884f421e46c56d29a30c2633cab37be36778b78bd858434a6746180f0c107f27c999cd4e162a612f853df8ab575d4ffc9e081e84fe01d87e

Download Submit
C:\Users\Admin\AppData\Local\temp\cppv\pxbffb-fpkmd.bmp.vbe
Filesize
47KB

MD5
3345543b3aa28f415cfc7665cd95b02a

SHA1
3f1a2588ea4b36eaee50ec5146df7f42a8b063f9

SHA256
260b3c71b33ae80765af93908120ff5948cb65daca9dca2165f6807b20c41853

SHA512
53794a66f55395af601bff752e113cd7d5dc02b4d187bb6e9ab54e7e7abd9c9f399d8a7c40f45a5a023ac919218495b78b589ffd47eb5923f402ec68b2d28b26

Download Submit
\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exe
Filesize
944KB

MD5
76ab3e669b01f2a037c34060a4e9ea02

SHA1
8a04e160052b1fcf803c7d867f8b1c3682ecda62

SHA256
c060f8a33c68264bb01616527642a4432ac4ddbecaf006c585e8199593f31583

SHA512
d728cf3c4e12845f8efd05a8d9e2e2e2f0c13de85806cbd4d96c5f97ce823c115c827ec16dd87a93c7f11e80a12afce076724d8cc873d130be9464438c0b3223

Download Submit
memory/928-148-0x0000000000260000-0x000000000098C000-memory.dmp

Filesize
7.2MB

Download
memory/928-143-0x0000000000260000-0x000000000098C000-memory.dmp

Filesize
7.2MB

Download
memory/928-145-0x0000000000260000-0x000000000098C000-memory.dmp

Filesize
7.2MB

Download
memory/928-144-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/928-147-0x0000000000260000-0x000000000098C000-memory.dmp

Filesize
7.2MB

Download
memory/928-151-0x0000000000260000-0x000000000098C000-memory.dmp

Filesize
7.2MB

Download
memory/940-149-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/940-150-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/940-153-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/940-155-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/1324-55-0x0000000001300000-0x0000000002300000-memory.dmp

Filesize
16.0MB

Download
memory/1324-54-0x00000000009F0000-0x0000000000A70000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads