remcos | 4b49dcfe526fbd91184caa931c60b6e430c72ddd0b05b1df3ffa855bebf9499b

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21/04/2023, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lectura de cargos.exe
Size

420.0MB
MD5

3699f52d9d6cf60fcf8cfc3b2594d0a6
SHA1

90a772e4d65d65dfcd7673de798180dbdf143ea2
SHA256

4b49dcfe526fbd91184caa931c60b6e430c72ddd0b05b1df3ffa855bebf9499b
SHA512

1549f3e6df361332077fdf4740b7b3aa5bd8a986470d847ed5b53899427bb2d7bc10dd8bb6dbe479cc86731280ce354cdf65c51b7df61336a4638f1a810b3093
SSDEEP

12288:sixvWiHIG85ZOTahHYByyT/0rrdmPLxUkol6F6yayQXm0kWqJbYyM2NoqA0:PWi0gQly5NxO6VayL0ktb3nNPl

Score

10^/10

remcos 21-marzo rat

Malware Config

Extracted

Family

remcos

Botnet

21-marzo

20.38.13.217:2524

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KUGK7N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
1724	Word.exe
860	Word.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 976	1368	Lectura de cargos.exe	35
PID 1724 set thread context of 1708	1724	Word.exe	47
PID 860 set thread context of 112	860	Word.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1072	schtasks.exe
1944	schtasks.exe
1496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1220	powershell.exe
1188	powershell.exe
1436	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
976	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1316	1368	Lectura de cargos.exe	28
PID 1368 wrote to memory of 1316	1368	Lectura de cargos.exe	28
PID 1368 wrote to memory of 1316	1368	Lectura de cargos.exe	28
PID 1368 wrote to memory of 1316	1368	Lectura de cargos.exe	28
PID 1368 wrote to memory of 2044	1368	Lectura de cargos.exe	30
PID 1368 wrote to memory of 2044	1368	Lectura de cargos.exe	30
PID 1368 wrote to memory of 2044	1368	Lectura de cargos.exe	30
PID 1368 wrote to memory of 2044	1368	Lectura de cargos.exe	30
PID 1316 wrote to memory of 1944	1316	cmd.exe	32
PID 1316 wrote to memory of 1944	1316	cmd.exe	32
PID 1316 wrote to memory of 1944	1316	cmd.exe	32
PID 1316 wrote to memory of 1944	1316	cmd.exe	32
PID 1368 wrote to memory of 1220	1368	Lectura de cargos.exe	33
PID 1368 wrote to memory of 1220	1368	Lectura de cargos.exe	33
PID 1368 wrote to memory of 1220	1368	Lectura de cargos.exe	33
PID 1368 wrote to memory of 1220	1368	Lectura de cargos.exe	33
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1368 wrote to memory of 976	1368	Lectura de cargos.exe	35
PID 1964 wrote to memory of 1724	1964	taskeng.exe	39
PID 1964 wrote to memory of 1724	1964	taskeng.exe	39
PID 1964 wrote to memory of 1724	1964	taskeng.exe	39
PID 1964 wrote to memory of 1724	1964	taskeng.exe	39
PID 1724 wrote to memory of 580	1724	Word.exe	40
PID 1724 wrote to memory of 580	1724	Word.exe	40
PID 1724 wrote to memory of 580	1724	Word.exe	40
PID 1724 wrote to memory of 580	1724	Word.exe	40
PID 1724 wrote to memory of 1908	1724	Word.exe	41
PID 1724 wrote to memory of 1908	1724	Word.exe	41
PID 1724 wrote to memory of 1908	1724	Word.exe	41
PID 1724 wrote to memory of 1908	1724	Word.exe	41
PID 1724 wrote to memory of 1188	1724	Word.exe	44
PID 1724 wrote to memory of 1188	1724	Word.exe	44
PID 1724 wrote to memory of 1188	1724	Word.exe	44
PID 1724 wrote to memory of 1188	1724	Word.exe	44
PID 580 wrote to memory of 1496	580	cmd.exe	45
PID 580 wrote to memory of 1496	580	cmd.exe	45
PID 580 wrote to memory of 1496	580	cmd.exe	45
PID 580 wrote to memory of 1496	580	cmd.exe	45
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1724 wrote to memory of 1708	1724	Word.exe	47
PID 1964 wrote to memory of 860	1964	taskeng.exe	48
PID 1964 wrote to memory of 860	1964	taskeng.exe	48

C:\Users\Admin\AppData\Local\Temp\Lectura de cargos.exe
"C:\Users\Admin\AppData\Local\Temp\Lectura de cargos.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Lectura de cargos.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe"
  2⤵
  PID:2044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\Lectura de cargos.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:976

C:\Windows\system32\taskeng.exe
taskeng.exe {1C204C04-2402-4862-8531-EF9A0A546BE6} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe'"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:1708
- C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:860
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe'" /f
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe'"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
eea25d298f69438228ff204a3df43d18

SHA1
30fc12af21b596af8758d11522cafb3f3ab19d12

SHA256
80664ab7a29fce4bcda123ee35d8d04bb23f37cd8df3c9022b407bc838ce51b9

SHA512
712eedf90dced0c0590edf672c403d9aa5389534ba34a5335ddfd020043c3f06db586c8cd25bc58db95349f4eb57fefc81b1ce527d6c317cda7e025b37becc58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EUXVZCUB3ZYRNMX0QTP9.temp

Filesize
7KB

MD5
ca3c5e1f63bee05de8d5495c2716c4c9

SHA1
680e93ba3b222420d6e5b861ebc7cd7606b8b630

SHA256
f55dc96e501fb624aa2f55db1279729b32c75ed0a66b18411f871280cf07b00f

SHA512
60aed95d41744d49ae24211d5cf2d47130a97be1105d192e3979e46fc72143f23108f767a7272296cfebddd2330b4e5b6f9548c2f99e1d9be34f28472c80d36b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ca3c5e1f63bee05de8d5495c2716c4c9

SHA1
680e93ba3b222420d6e5b861ebc7cd7606b8b630

SHA256
f55dc96e501fb624aa2f55db1279729b32c75ed0a66b18411f871280cf07b00f

SHA512
60aed95d41744d49ae24211d5cf2d47130a97be1105d192e3979e46fc72143f23108f767a7272296cfebddd2330b4e5b6f9548c2f99e1d9be34f28472c80d36b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f09420895ee50f2cea64f07fd7346de0

SHA1
3c803dc648d57bdb3afa420930f31dbcacca9ac4

SHA256
811931daa2ee7b7a4f021a8d220f1bd1fa6996b84c5bbf0a0353d88d8663f569

SHA512
3b21003fcce160620caf4eae7939ac6922153e0d2695b66916ac1d909f38f6996fa7a7b99113e528310324e1bb6556fa23f37b410641c351c30ead0a07cde6ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe

Filesize
420.0MB

MD5
3699f52d9d6cf60fcf8cfc3b2594d0a6

SHA1
90a772e4d65d65dfcd7673de798180dbdf143ea2

SHA256
4b49dcfe526fbd91184caa931c60b6e430c72ddd0b05b1df3ffa855bebf9499b

SHA512
1549f3e6df361332077fdf4740b7b3aa5bd8a986470d847ed5b53899427bb2d7bc10dd8bb6dbe479cc86731280ce354cdf65c51b7df61336a4638f1a810b3093

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe

Filesize
420.0MB

MD5
3699f52d9d6cf60fcf8cfc3b2594d0a6

SHA1
90a772e4d65d65dfcd7673de798180dbdf143ea2

SHA256
4b49dcfe526fbd91184caa931c60b6e430c72ddd0b05b1df3ffa855bebf9499b

SHA512
1549f3e6df361332077fdf4740b7b3aa5bd8a986470d847ed5b53899427bb2d7bc10dd8bb6dbe479cc86731280ce354cdf65c51b7df61336a4638f1a810b3093

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word.exe

Filesize
420.0MB

MD5
3699f52d9d6cf60fcf8cfc3b2594d0a6

SHA1
90a772e4d65d65dfcd7673de798180dbdf143ea2

SHA256
4b49dcfe526fbd91184caa931c60b6e430c72ddd0b05b1df3ffa855bebf9499b

SHA512
1549f3e6df361332077fdf4740b7b3aa5bd8a986470d847ed5b53899427bb2d7bc10dd8bb6dbe479cc86731280ce354cdf65c51b7df61336a4638f1a810b3093

Download Submit
memory/860-147-0x00000000002F0000-0x0000000000516000-memory.dmp

Filesize
2.1MB

Download
memory/976-89-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-98-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-70-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/976-69-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-71-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-76-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-81-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-82-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-84-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-85-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-86-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-87-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-88-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-62-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-145-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-92-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-67-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-68-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-99-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-66-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-65-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-144-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-64-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-63-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-137-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/976-136-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1188-133-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1188-134-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1220-90-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/1220-59-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/1368-54-0x00000000001C0000-0x00000000003E6000-memory.dmp

Filesize
2.1MB

Download
memory/1368-56-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1368-55-0x00000000021E0000-0x0000000002260000-memory.dmp

Filesize
512KB

Download
memory/1436-175-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/1436-176-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/1724-104-0x0000000000D20000-0x0000000000F46000-memory.dmp

Filesize
2.1MB

Download