remcos | 20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10/05/2023, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe
Size

715KB
MD5

4ba71f4cb36bc4c5be62b5e18e87dafa
SHA1

82402862203d14f9d162d11c080aaafc94436711
SHA256

20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1
SHA512

5389faf079d660ae1236b576fdc64cf8d340b9878b2f07a96ff4b34cd77bd870bb3b4cc5b4030fdc6e23de0096e32b60d217f87466b09c8265f0f5809ca5f1ad
SSDEEP

12288:SYlqdnpu4NoT7m2mmk22pTdHMqRovr8nFqyAAqSi99oK:xlqnpLX2Bk2cyn2+dv

Score

10^/10

remcos markedback rat

Malware Config

Extracted

Family

remcos

Botnet

MARKEDBACK

closen.kozow.com:2404

zeife.giize.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-THXFHQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
1648	internalsvs.exe
1284	internalsvs.exe
1412	internalsvs.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1648 set thread context of 1412	1648	internalsvs.exe	40
PID 1284 set thread context of 292	1284	internalsvs.exe	49
PID 1412 set thread context of 952	1412	internalsvs.exe	58

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
960	schtasks.exe
1480	schtasks.exe
1612	schtasks.exe
1668	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2008	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 2008	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	28
PID 1720 wrote to memory of 460	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	29
PID 1720 wrote to memory of 460	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	29
PID 1720 wrote to memory of 460	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	29
PID 1720 wrote to memory of 460	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	29
PID 1720 wrote to memory of 1904	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	33
PID 1720 wrote to memory of 1904	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	33
PID 1720 wrote to memory of 1904	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	33
PID 1720 wrote to memory of 1904	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	33
PID 1720 wrote to memory of 272	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	32
PID 1720 wrote to memory of 272	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	32
PID 1720 wrote to memory of 272	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	32
PID 1720 wrote to memory of 272	1720	20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe	32
PID 1904 wrote to memory of 960	1904	cmd.exe	35
PID 1904 wrote to memory of 960	1904	cmd.exe	35
PID 1904 wrote to memory of 960	1904	cmd.exe	35
PID 1904 wrote to memory of 960	1904	cmd.exe	35
PID 1572 wrote to memory of 1648	1572	taskeng.exe	39
PID 1572 wrote to memory of 1648	1572	taskeng.exe	39
PID 1572 wrote to memory of 1648	1572	taskeng.exe	39
PID 1572 wrote to memory of 1648	1572	taskeng.exe	39
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1412	1648	internalsvs.exe	40
PID 1648 wrote to memory of 1660	1648	internalsvs.exe	41
PID 1648 wrote to memory of 1660	1648	internalsvs.exe	41
PID 1648 wrote to memory of 1660	1648	internalsvs.exe	41
PID 1648 wrote to memory of 1660	1648	internalsvs.exe	41
PID 1648 wrote to memory of 1508	1648	internalsvs.exe	42
PID 1648 wrote to memory of 1508	1648	internalsvs.exe	42
PID 1648 wrote to memory of 1508	1648	internalsvs.exe	42
PID 1648 wrote to memory of 1508	1648	internalsvs.exe	42
PID 1648 wrote to memory of 1616	1648	internalsvs.exe	43
PID 1648 wrote to memory of 1616	1648	internalsvs.exe	43
PID 1648 wrote to memory of 1616	1648	internalsvs.exe	43
PID 1648 wrote to memory of 1616	1648	internalsvs.exe	43
PID 1508 wrote to memory of 1480	1508	cmd.exe	45
PID 1508 wrote to memory of 1480	1508	cmd.exe	45
PID 1508 wrote to memory of 1480	1508	cmd.exe	45
PID 1508 wrote to memory of 1480	1508	cmd.exe	45
PID 1572 wrote to memory of 1284	1572	taskeng.exe	48
PID 1572 wrote to memory of 1284	1572	taskeng.exe	48

C:\Users\Admin\AppData\Local\Temp\20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe
"C:\Users\Admin\AppData\Local\Temp\20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2008
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\internalsvs"
  2⤵
  PID:460
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1.exe" "C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe"
  2⤵
  PID:272
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:960

C:\Windows\system32\taskeng.exe
taskeng.exe {111F95FA-6DB2-44A4-90B8-AC73C4437357} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe
  C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\internalsvs"
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe" "C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe"
    3⤵
    PID:1616
- C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe
  C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\internalsvs"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe'" /f
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe" "C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe"
    3⤵
    PID:1760
- C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe
  C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\internalsvs"
    3⤵
    PID:628
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe'" /f
    3⤵
    PID:1168
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe" "C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe"
    3⤵
    PID:280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
32ae46924c55bb7197d1ac6d481840b9

SHA1
a600e26416d970addc93ebda2fa778b6dc27765e

SHA256
1afe3a9d656868bc46d93e348259404d3d47ee124bc28c288292afe80df28940

SHA512
8ee58a6b445c2d8c1bf27cf801de1a18098a4a0f93196ccfd614a5e149b3ff53eca7f74004f58c626717d4812ff4ef76720b06c62f949ac4e43d9c1c6df1d222

Download Submit
C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe

Filesize
715KB

MD5
4ba71f4cb36bc4c5be62b5e18e87dafa

SHA1
82402862203d14f9d162d11c080aaafc94436711

SHA256
20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1

SHA512
5389faf079d660ae1236b576fdc64cf8d340b9878b2f07a96ff4b34cd77bd870bb3b4cc5b4030fdc6e23de0096e32b60d217f87466b09c8265f0f5809ca5f1ad

Download Submit
C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe

Filesize
715KB

MD5
4ba71f4cb36bc4c5be62b5e18e87dafa

SHA1
82402862203d14f9d162d11c080aaafc94436711

SHA256
20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1

SHA512
5389faf079d660ae1236b576fdc64cf8d340b9878b2f07a96ff4b34cd77bd870bb3b4cc5b4030fdc6e23de0096e32b60d217f87466b09c8265f0f5809ca5f1ad

Download Submit
C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe

Filesize
715KB

MD5
4ba71f4cb36bc4c5be62b5e18e87dafa

SHA1
82402862203d14f9d162d11c080aaafc94436711

SHA256
20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1

SHA512
5389faf079d660ae1236b576fdc64cf8d340b9878b2f07a96ff4b34cd77bd870bb3b4cc5b4030fdc6e23de0096e32b60d217f87466b09c8265f0f5809ca5f1ad

Download Submit
C:\Users\Admin\AppData\Roaming\internalsvs\internalsvs.exe

Filesize
715KB

MD5
4ba71f4cb36bc4c5be62b5e18e87dafa

SHA1
82402862203d14f9d162d11c080aaafc94436711

SHA256
20dfa318d7b2226809ab2799085cc1452f4761eeea87ae6b3ea01554f88cbee1

SHA512
5389faf079d660ae1236b576fdc64cf8d340b9878b2f07a96ff4b34cd77bd870bb3b4cc5b4030fdc6e23de0096e32b60d217f87466b09c8265f0f5809ca5f1ad

Download Submit
memory/952-181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-131-0x0000000001010000-0x00000000010C8000-memory.dmp

Filesize
736KB

Download
memory/1412-114-0x0000000000100000-0x0000000000180000-memory.dmp

Filesize
512KB

Download
memory/1412-109-0x0000000000100000-0x0000000000180000-memory.dmp

Filesize
512KB

Download
memory/1648-93-0x0000000001010000-0x00000000010C8000-memory.dmp

Filesize
736KB

Download
memory/1720-76-0x0000000000F50000-0x0000000000F90000-memory.dmp

Filesize
256KB

Download
memory/1720-55-0x0000000000BC0000-0x0000000000C3C000-memory.dmp

Filesize
496KB

Download
memory/1720-54-0x0000000001030000-0x00000000010E8000-memory.dmp

Filesize
736KB

Download
memory/2008-64-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-63-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-78-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-81-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-84-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-85-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-86-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-87-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-71-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-58-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-66-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-77-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-62-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-116-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-117-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-60-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-123-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-124-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-61-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-59-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-57-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download
memory/2008-56-0x0000000000080000-0x0000000000100000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads