remcos | 564d742044e5ac9f6279c01c5c29bb801606b63c6c2cbfc2af09d8f2a73b84a6

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10012024_1753_gbrem.exe
Size

15.6MB
MD5

b6a22c3dfc954914f051aa33d2e2af1a
SHA1

18a53be63f02b68b9772a892816f83a6d97a1789
SHA256

564d742044e5ac9f6279c01c5c29bb801606b63c6c2cbfc2af09d8f2a73b84a6
SHA512

4dad54e04a99cdfbe473813647bb95e4410964b3fde126faca497f27ca8bcbcbd81f41129716af6a948a131282b6bde003b172b4cdcc33825d53c3144509a23f
SSDEEP

393216:XsMcUFlcXXZKTMlViqmu0k4nj8AcVwecyccnauSbb1LcVm:8pnZKTMlgfkMXcVMyouSbbK

Score

10^/10

remcos dvg persistence rat

Malware Config

Extracted

Family

remcos

Botnet

dvg

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
word.exe
copy_folder
DVG
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
dgvsv-Z4Y1VB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2056	word.exe
2924	word.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	10012024_1753_gbrem.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgvsv-Z4Y1VB = "\"C:\\ProgramData\\DVG\\word.exe\""	10012024_1753_gbrem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dgvsv-Z4Y1VB = "\"C:\\ProgramData\\DVG\\word.exe\""	10012024_1753_gbrem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\dgvsv-Z4Y1VB = "\"C:\\ProgramData\\DVG\\word.exe\""	word.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dgvsv-Z4Y1VB = "\"C:\\ProgramData\\DVG\\word.exe\""	word.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 2072	2252	10012024_1753_gbrem.exe	28
PID 2056 set thread context of 2924	2056	word.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2252 wrote to memory of 2072	2252	10012024_1753_gbrem.exe	28
PID 2072 wrote to memory of 2056	2072	10012024_1753_gbrem.exe	29
PID 2072 wrote to memory of 2056	2072	10012024_1753_gbrem.exe	29
PID 2072 wrote to memory of 2056	2072	10012024_1753_gbrem.exe	29
PID 2072 wrote to memory of 2056	2072	10012024_1753_gbrem.exe	29
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30
PID 2056 wrote to memory of 2924	2056	word.exe	30

C:\Users\Admin\AppData\Local\Temp\10012024_1753_gbrem.exe
"C:\Users\Admin\AppData\Local\Temp\10012024_1753_gbrem.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\10012024_1753_gbrem.exe
  "C:\Users\Admin\AppData\Local\Temp\10012024_1753_gbrem.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\ProgramData\DVG\word.exe
    "C:\ProgramData\DVG\word.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\ProgramData\DVG\word.exe
      "C:\ProgramData\DVG\word.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\DVG\word.exe

Filesize
15.6MB

MD5
b6a22c3dfc954914f051aa33d2e2af1a

SHA1
18a53be63f02b68b9772a892816f83a6d97a1789

SHA256
564d742044e5ac9f6279c01c5c29bb801606b63c6c2cbfc2af09d8f2a73b84a6

SHA512
4dad54e04a99cdfbe473813647bb95e4410964b3fde126faca497f27ca8bcbcbd81f41129716af6a948a131282b6bde003b172b4cdcc33825d53c3144509a23f

Download Submit
memory/2056-47-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-32-0x00000000056F0000-0x0000000005730000-memory.dmp

Filesize
256KB

Download
memory/2056-31-0x0000000000800000-0x00000000017AC000-memory.dmp

Filesize
15.7MB

Download
memory/2056-30-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2072-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2072-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2072-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2072-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2072-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2072-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2072-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2072-3-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2072-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2072-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2252-1-0x0000000000930000-0x00000000018DC000-memory.dmp

Filesize
15.7MB

Download
memory/2252-0-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2252-2-0x0000000005A40000-0x0000000005A80000-memory.dmp

Filesize
256KB

Download
memory/2252-21-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-64-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-68-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-57-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-58-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-59-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-60-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-62-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2924-66-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-52-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-70-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-72-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-73-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-74-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-76-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-78-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download
memory/2924-80-0x0000000000080000-0x0000000000102000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads