remcos | 8e65693b95ab10143d3e363c51097949932e4e6ffb840dcf9094c694d878a92d

Analysis

max time kernel
153s
max time network
160s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-04-2023 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e3c88ffb4823221b26974cf88c27020.exe
Size

1024.0MB
MD5

a6dd9e0d127491391cfa9a58196321ac
SHA1

9c092ca45847074fca1bd4058ee9c64eb4408196
SHA256

524a0f26b07636670c06f62798e2d9c697ea8b6ce335631b0252aa2f88f4fb86
SHA512

29f4ad61137155742f9abd77d7655925196bff281e5e0e64a0a5c7dd8fb8df163fcc6ba392977c8216c5380b354985c006a50a67e79564e7379aad99a1d1a1ae
SSDEEP

12288:UUM85dV9KrSRNouYVT9L94SpnyKuijGXwPGXS4nrEwosKtYaP:Pf9KQSVT97pruijGXuGi4nrE9sdaP

Score

10^/10

remcos ricos rat

Malware Config

Extracted

Family

remcos

Botnet

RICOS

svjhfviuerfvnojdsnvo.con-ip.com:1883

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FIH4KJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
1800	AppData.exe
1996	AppData.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1308 set thread context of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
732	schtasks.exe
1808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1288	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1476	csc.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 840	1308	7e3c88ffb4823221b26974cf88c27020.exe	28
PID 1308 wrote to memory of 840	1308	7e3c88ffb4823221b26974cf88c27020.exe	28
PID 1308 wrote to memory of 840	1308	7e3c88ffb4823221b26974cf88c27020.exe	28
PID 1308 wrote to memory of 840	1308	7e3c88ffb4823221b26974cf88c27020.exe	28
PID 1308 wrote to memory of 896	1308	7e3c88ffb4823221b26974cf88c27020.exe	30
PID 1308 wrote to memory of 896	1308	7e3c88ffb4823221b26974cf88c27020.exe	30
PID 1308 wrote to memory of 896	1308	7e3c88ffb4823221b26974cf88c27020.exe	30
PID 1308 wrote to memory of 896	1308	7e3c88ffb4823221b26974cf88c27020.exe	30
PID 840 wrote to memory of 732	840	cmd.exe	32
PID 840 wrote to memory of 732	840	cmd.exe	32
PID 840 wrote to memory of 732	840	cmd.exe	32
PID 840 wrote to memory of 732	840	cmd.exe	32
PID 1308 wrote to memory of 1288	1308	7e3c88ffb4823221b26974cf88c27020.exe	33
PID 1308 wrote to memory of 1288	1308	7e3c88ffb4823221b26974cf88c27020.exe	33
PID 1308 wrote to memory of 1288	1308	7e3c88ffb4823221b26974cf88c27020.exe	33
PID 1308 wrote to memory of 1288	1308	7e3c88ffb4823221b26974cf88c27020.exe	33
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1308 wrote to memory of 1476	1308	7e3c88ffb4823221b26974cf88c27020.exe	35
PID 1384 wrote to memory of 1800	1384	taskeng.exe	39
PID 1384 wrote to memory of 1800	1384	taskeng.exe	39
PID 1384 wrote to memory of 1800	1384	taskeng.exe	39
PID 1384 wrote to memory of 1800	1384	taskeng.exe	39
PID 912 wrote to memory of 1808	912	cmd.exe	44
PID 912 wrote to memory of 1808	912	cmd.exe	44
PID 912 wrote to memory of 1808	912	cmd.exe	44
PID 912 wrote to memory of 1808	912	cmd.exe	44
PID 1384 wrote to memory of 1996	1384	taskeng.exe	48
PID 1384 wrote to memory of 1996	1384	taskeng.exe	48
PID 1384 wrote to memory of 1996	1384	taskeng.exe	48
PID 1384 wrote to memory of 1996	1384	taskeng.exe	48

C:\Users\Admin\AppData\Local\Temp\7e3c88ffb4823221b26974cf88c27020.exe
"C:\Users\Admin\AppData\Local\Temp\7e3c88ffb4823221b26974cf88c27020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\7e3c88ffb4823221b26974cf88c27020.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
  2⤵
  PID:896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\7e3c88ffb4823221b26974cf88c27020.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1476

C:\Windows\system32\taskeng.exe
taskeng.exe {4435F200-0094-494B-A6AF-AF9A4FCE24A4} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Roaming\AppData.exe
  C:\Users\Admin\AppData\Roaming\AppData.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
    3⤵
    - Drops file in System32 directory
    PID:732
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
    3⤵
    PID:1716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:1564
- C:\Users\Admin\AppData\Roaming\AppData.exe
  C:\Users\Admin\AppData\Roaming\AppData.exe
  2⤵
  - Executes dropped EXE
  PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
e96924a389cf2276fc01cba228d86d16

SHA1
690b6b035afad77f81a962b6b8976281f42905b4

SHA256
40597387083ed76ab135e5199d457b6e24195f282cb2e3dce465f5d81733393d

SHA512
6fc922d0f33544b5ac285926b9f7915b6437625d54c8f72db2791d5b43180599881c61a50c49705c3d36e32faf4e377f6a1a045faaffb7bc5d1bde740c297114

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe

Filesize
838.8MB

MD5
3a37c24ca216521f34d7ecef93209905

SHA1
04e63c4ef2ba55a5146b48600383c717a038bc28

SHA256
0e5634ebf06493fc6b9208597aa60d10af2763fa24974e1a8af0b0ea7fe68fc3

SHA512
da2904d8fb3ac23370564bad2c26503fdda7ace1a498e0586f45a1d89d9ac24d1ccbd32533b8e855af6f3f8eb822a92b7811442c89ee354be11e9caacc54a06d

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe

Filesize
64.2MB

MD5
1e8dcde45ff0ca2d3edb3a03137ab3c3

SHA1
20043f9c3ec84ce7b600d369d23fe3f96e07b194

SHA256
5462272c2b5cfc1743118fb734c4ef9f494e5006a3eda00efa0a3d292cef5af4

SHA512
b133829218da99ad986c4450b68a65dc96e5f095460753c0942d1b788f94148655deb3d74d7e488735ad5449c93a3a178438a8cec0f21d743e125af989b14661

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe

Filesize
824.8MB

MD5
4cdca52072e35698d859dd2940f06903

SHA1
056ea643add14a1540566174a8fc4e7198b2f936

SHA256
3ffc6e96ae359da55bbe13943fe2700de2a9a739212c7d51856a3059d1f0e61c

SHA512
d68e9ede8af3df788df09de335ecfc42b2f119100efb23f3473ae74331e174668b9838e4da17baec24a59a67362461f526113199f668ac5b6115333a79729ce4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6083bd25fb4c90d235861de341ec78d8

SHA1
3d913fb2817bec9cdb77507bab2facbe78d76ba7

SHA256
cc1a0dcaa973e88062ecfeab03711aaeb7ffce5e04f14e94edc6a30ff09bd9e6

SHA512
1a0bc85e0d6bb01c5dd58001e98ef0db5bdc552df96e445e6e65ec18674c11986d6e07c6753c99d8110e5e8999289f95d597414ed32053faf35e48fb4762d641

Download Submit
memory/1288-88-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/1288-87-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/1308-54-0x0000000000B40000-0x0000000000BD6000-memory.dmp

Filesize
600KB

Download
memory/1308-55-0x0000000002050000-0x00000000020CA000-memory.dmp

Filesize
488KB

Download
memory/1308-56-0x0000000004340000-0x0000000004380000-memory.dmp

Filesize
256KB

Download
memory/1476-65-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-97-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-69-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-74-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-81-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-82-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-84-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-85-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-86-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-66-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-64-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-89-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-90-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-91-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-93-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1476-98-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-63-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-62-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-61-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-152-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-60-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-153-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-59-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-125-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-126-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-132-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1476-133-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1564-121-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1564-116-0x0000000000130000-0x00000000001AF000-memory.dmp

Filesize
508KB

Download
memory/1800-105-0x0000000072930000-0x000000007301E000-memory.dmp

Filesize
6.9MB

Download