remcos | 7fdaa2d9014b7ec1f7c9b851651909d1b4a137276376e1436c359ce435c18db2

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6184ff3443ec7a285593273a59becfc0.exe
Size

1.2MB
MD5

6184ff3443ec7a285593273a59becfc0
SHA1

d66612979540afa05e77efc6b8ed527646da0bf8
SHA256

7fdaa2d9014b7ec1f7c9b851651909d1b4a137276376e1436c359ce435c18db2
SHA512

fcd24e33e79717502155363617ae082845951e165b0f1d96322d261606af84013d95b674133c11c597f66a8a4154dd5561ada33fd7c92091ae9e9fa85ade5315
SSDEEP

24576:1zcVdHBFT7bZsai6apMRE+2tA5JiQbSavT7BXZ7:1zcVrFPbZsaOMRUtALiaSavT1XZ7

Score

10^/10

remcos kill rat

Malware Config

Extracted

Family

remcos

Botnet

kill

tincaanii.duckdns.org:24113

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KCRM7J
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe
2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe
2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe
2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe
2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe
2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe
2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe
2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe
2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe
2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe
2616	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	NEAS.6184ff3443ec7a285593273a59becfc0.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2616	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	30
PID 2040 wrote to memory of 2616	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	30
PID 2040 wrote to memory of 2616	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	30
PID 2040 wrote to memory of 2616	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	30
PID 2040 wrote to memory of 2816	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	32
PID 2040 wrote to memory of 2816	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	32
PID 2040 wrote to memory of 2816	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	32
PID 2040 wrote to memory of 2816	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	32
PID 2040 wrote to memory of 2176	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	34
PID 2040 wrote to memory of 2176	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	34
PID 2040 wrote to memory of 2176	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	34
PID 2040 wrote to memory of 2176	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	34
PID 2040 wrote to memory of 2628	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	35
PID 2040 wrote to memory of 2628	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	35
PID 2040 wrote to memory of 2628	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	35
PID 2040 wrote to memory of 2628	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	35
PID 2040 wrote to memory of 2632	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	36
PID 2040 wrote to memory of 2632	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	36
PID 2040 wrote to memory of 2632	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	36
PID 2040 wrote to memory of 2632	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	36
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37
PID 2040 wrote to memory of 2652	2040	NEAS.6184ff3443ec7a285593273a59becfc0.exe	37

C:\Users\Admin\AppData\Local\Temp\NEAS.6184ff3443ec7a285593273a59becfc0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6184ff3443ec7a285593273a59becfc0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UinnfI.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UinnfI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE466.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\NEAS.6184ff3443ec7a285593273a59becfc0.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.6184ff3443ec7a285593273a59becfc0.exe"
  2⤵
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\NEAS.6184ff3443ec7a285593273a59becfc0.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.6184ff3443ec7a285593273a59becfc0.exe"
  2⤵
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\NEAS.6184ff3443ec7a285593273a59becfc0.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.6184ff3443ec7a285593273a59becfc0.exe"
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\NEAS.6184ff3443ec7a285593273a59becfc0.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.6184ff3443ec7a285593273a59becfc0.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
80f8e029348e8546fb944bc7b3f49ef4

SHA1
502aaa78d30f9038288985159a21b3bc7daac826

SHA256
5cc235a7a416b8b5d0546ba8c8948d03a5c43b6856849066c571f7598d73e75f

SHA512
238d734cbaaf1b8ab9c3c0c1cf501becc39e3171f359c2d8003896e846aa9ca364a63f1396ea91cdfd15b92cf7ce46f7f1289ab9572bca9f658c04f6de2404a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE466.tmp

Filesize
1KB

MD5
c1a20f75d4c320ed2b97be7f659bbde9

SHA1
499158af684cdbaf1bc8e58477c12490ea22b5db

SHA256
8df79141a17d2b65d3b3735f32a7dba2df1b04abcbd7dd570209fdfd27ad91bc

SHA512
32b8f77f09a9b2bb3e13a911ca56c022a3604edbabff195e10d1a9f45ce88e6e63fc8593b1ee7a671103962aa7899b9f3786a093de89a6d9fd23906c241ec78c

Download Submit
memory/2040-8-0x0000000007990000-0x0000000007A66000-memory.dmp

Filesize
856KB

Download
memory/2040-2-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/2040-4-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-5-0x0000000007230000-0x0000000007270000-memory.dmp

Filesize
256KB

Download
memory/2040-6-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/2040-7-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2040-29-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-3-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2040-1-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-0-0x0000000000110000-0x000000000024A000-memory.dmp

Filesize
1.2MB

Download
memory/2616-39-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/2616-37-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/2616-38-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/2616-34-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/2616-32-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/2616-41-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/2652-30-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-40-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-28-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-22-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-23-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-33-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-21-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-36-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-20-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-18-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-35-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-19-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-26-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-17-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-43-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-47-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-48-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-16-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-53-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-54-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-60-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-61-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-66-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-67-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-72-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2652-74-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download