remcos | cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe
Size

530KB
MD5

e20590320804fe7edc4f00805f31befd
SHA1

f90974d1b7c0c9b46d1c3dbf22eccc64b85c89eb
SHA256

cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486
SHA512

0f47e772ee35d889a2560e44156452b9f3ddd89c4e3af58433b7eef5db8502d58300b7956a5169a67faba1a63d0ebd68c459e466a767f708059eade01a9c439a
SSDEEP

12288:0YgBbkY+5kNbvk7xEMSgT54ztBGFmLue1EQZ/:0YgB+5Kbka4CzfGKt

Score

10^/10

remcos log persistence rat

Malware Config

Extracted

Family

remcos

Botnet

LOG

5.253.114.108:2022

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chromes.exe
copy_folder
chromes
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-456ENB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe

Executes dropped EXE 2 IoCs

pid	Process
5088	chromes.exe
4028	chromes.exe

Loads dropped DLL 2 IoCs

pid	Process
2176	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe
5088	chromes.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-456ENB = "\"C:\\ProgramData\\chromes\\chromes.exe\""	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	chromes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-456ENB = "\"C:\\ProgramData\\chromes\\chromes.exe\""	chromes.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	chromes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-456ENB = "\"C:\\ProgramData\\chromes\\chromes.exe\""	chromes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxtdmhqmvf = "C:\\Users\\Admin\\AppData\\Roaming\\ktpyidmv\\rbwgplueajf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\cc97eccfa44feab9151a39e5dffd8daccf9ebb氱"	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-456ENB = "\"C:\\ProgramData\\chromes\\chromes.exe\""	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 64	2176	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe	84
PID 5088 set thread context of 4028	5088	chromes.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2176	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe
5088	chromes.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 64	2176	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe	84
PID 2176 wrote to memory of 64	2176	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe	84
PID 2176 wrote to memory of 64	2176	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe	84
PID 2176 wrote to memory of 64	2176	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe	84
PID 64 wrote to memory of 5088	64	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe	85
PID 64 wrote to memory of 5088	64	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe	85
PID 64 wrote to memory of 5088	64	cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe	85
PID 5088 wrote to memory of 4028	5088	chromes.exe	86
PID 5088 wrote to memory of 4028	5088	chromes.exe	86
PID 5088 wrote to memory of 4028	5088	chromes.exe	86
PID 5088 wrote to memory of 4028	5088	chromes.exe	86

C:\Users\Admin\AppData\Local\Temp\cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe
"C:\Users\Admin\AppData\Local\Temp\cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe
  "C:\Users\Admin\AppData\Local\Temp\cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\ProgramData\chromes\chromes.exe
    "C:\ProgramData\chromes\chromes.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\ProgramData\chromes\chromes.exe
      "C:\ProgramData\chromes\chromes.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chromes\chromes.exe

Filesize
530KB

MD5
e20590320804fe7edc4f00805f31befd

SHA1
f90974d1b7c0c9b46d1c3dbf22eccc64b85c89eb

SHA256
cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486

SHA512
0f47e772ee35d889a2560e44156452b9f3ddd89c4e3af58433b7eef5db8502d58300b7956a5169a67faba1a63d0ebd68c459e466a767f708059eade01a9c439a

Download Submit
C:\ProgramData\chromes\chromes.exe

Filesize
530KB

MD5
e20590320804fe7edc4f00805f31befd

SHA1
f90974d1b7c0c9b46d1c3dbf22eccc64b85c89eb

SHA256
cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486

SHA512
0f47e772ee35d889a2560e44156452b9f3ddd89c4e3af58433b7eef5db8502d58300b7956a5169a67faba1a63d0ebd68c459e466a767f708059eade01a9c439a

Download Submit
C:\ProgramData\chromes\chromes.exe

Filesize
530KB

MD5
e20590320804fe7edc4f00805f31befd

SHA1
f90974d1b7c0c9b46d1c3dbf22eccc64b85c89eb

SHA256
cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486

SHA512
0f47e772ee35d889a2560e44156452b9f3ddd89c4e3af58433b7eef5db8502d58300b7956a5169a67faba1a63d0ebd68c459e466a767f708059eade01a9c439a

Download Submit
C:\ProgramData\chromes\chromes.exe

Filesize
530KB

MD5
e20590320804fe7edc4f00805f31befd

SHA1
f90974d1b7c0c9b46d1c3dbf22eccc64b85c89eb

SHA256
cc97eccfa44feab9151a39e5dffd8daccf9ebb1a77164c9c09ad5e784d09e486

SHA512
0f47e772ee35d889a2560e44156452b9f3ddd89c4e3af58433b7eef5db8502d58300b7956a5169a67faba1a63d0ebd68c459e466a767f708059eade01a9c439a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsclvhricg.y

Filesize
7KB

MD5
5c7eb8a4ff36e5446f6fbe82efd71936

SHA1
cf941b3ae8f749d680433fea39a57511df596888

SHA256
ca903a766910977848b4a336c235c16ec4998d747d84a04f38b6e97ed81bb91d

SHA512
30ac52ed23fefa45e0755f320cf100b192e258853291d361c90051dba4b73d632c366d72235563eb67cab893b2a13e6525e1633e331ea513108f8eb3010d1d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ingfjikysz.g

Filesize
501KB

MD5
54d7a169d6c01de22da81078e1520c4f

SHA1
a75fbcdfac4dedf50558f0d06a0a7ceb84bf9627

SHA256
bb18691d87e0c3539bbe9ff7b3279bd650455c3328d87f2af4747218bd8af5ff

SHA512
0243ca3018ca12a73f8184a690a697797b77a43c17583e1c5ddc5962814ca7631b82b2074365b8ca0c8a51d83259d68607d9e39382b27ae660494a11af347494

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk93B6.tmp\dddtndp.dll

Filesize
10KB

MD5
c7c6640bde2dd19fab44081c281d4dbc

SHA1
901f87cc20966aee2cba8da0e155a90678efbb84

SHA256
1b97aed80c1baaa497b636c58eb5ea77e248df4803117642706d920487635a05

SHA512
07327bac8cce25bffbab1561e783682fcb87477271d0482e94d3d5e9f0929dc550dee6c32f716d4bdec673ffef4dfaafa9362ee13e4f4a817147000af7e2dae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9925.tmp\dddtndp.dll

Filesize
10KB

MD5
c7c6640bde2dd19fab44081c281d4dbc

SHA1
901f87cc20966aee2cba8da0e155a90678efbb84

SHA256
1b97aed80c1baaa497b636c58eb5ea77e248df4803117642706d920487635a05

SHA512
07327bac8cce25bffbab1561e783682fcb87477271d0482e94d3d5e9f0929dc550dee6c32f716d4bdec673ffef4dfaafa9362ee13e4f4a817147000af7e2dae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9925.tmp\dddtndp.dll

Filesize
10KB

MD5
c7c6640bde2dd19fab44081c281d4dbc

SHA1
901f87cc20966aee2cba8da0e155a90678efbb84

SHA256
1b97aed80c1baaa497b636c58eb5ea77e248df4803117642706d920487635a05

SHA512
07327bac8cce25bffbab1561e783682fcb87477271d0482e94d3d5e9f0929dc550dee6c32f716d4bdec673ffef4dfaafa9362ee13e4f4a817147000af7e2dae1

Download Submit
memory/64-143-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/64-142-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/64-144-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/64-155-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2176-141-0x0000000002430000-0x0000000002432000-memory.dmp

Filesize
8KB

Download
memory/4028-186-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-193-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-168-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-169-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-170-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-171-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-172-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-173-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-174-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-175-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-176-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-177-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-178-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-179-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-180-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-181-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-182-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-183-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-184-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-185-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-166-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-187-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-188-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-189-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-190-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-191-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-192-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-167-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-194-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-195-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-196-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-197-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-198-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-199-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-200-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-201-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-202-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-203-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-204-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-205-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-206-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-207-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-209-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-210-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-211-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-212-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-213-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-214-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-216-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-217-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-218-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-219-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-220-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-221-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-222-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4028-223-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download