remcos | 972e40d34724978fa99bac3050f70f729a09e6312957ac9e7be7d801dd5efd97

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UGPP2211543.exe
Size

438KB
MD5

a56042db3faeb469b3dfa843e1e95b28
SHA1

176258dabf6e2cd6320a22b07850ef3ade7b789e
SHA256

dfade890755c0afd9d85acc4f8023a4a81d1be460788bc09757236dd38b20a9c
SHA512

44ce8a11abfdc8a1ed0d665b64e57056a520ef2369477ab1ffb98355e91e6df58b34162e5950310912a12cafd5918a23dcac15d15c0609cfa33db0f7a48b3d0f
SSDEEP

12288:gslRTliAFIZrLzrhicbcRrsc/CJE6HNpXnNUmP/W:gXJZrcMascZ6Km

Score

10^/10

remcos rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2580	1620	WerFault.exe	27

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2228	notepad.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1620	UGPP2211543.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1620	UGPP2211543.exe
Token: SeLoadDriverPrivilege	1620	UGPP2211543.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2228	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28
PID 1620 wrote to memory of 2228	1620	UGPP2211543.exe	28

C:\Users\Admin\AppData\Local\Temp\UGPP2211543.exe
"C:\Users\Admin\AppData\Local\Temp\UGPP2211543.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 540
  2⤵
  - Program crash
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SkypeHost\logs.dat

Filesize
79B

MD5
47cdaf9f1f0753a84a8e768b47e42761

SHA1
eb947899b2d4dd00c03eebebb1c9f428761672bc

SHA256
7941a4426895eca224e1f95a83ef983f4b6ea4b3499a658860395851a5f138d0

SHA512
c33424fdd59702a24089b25f13c5ac40e97f72ee80152a8f687ac1e95ac09e5c2d046de58fa4b698f312f8a126ac53f4f695bc19a44638eb1a97367b57aedb7a

Download Submit
memory/1620-0-0x0000000000E70000-0x0000000000EE3000-memory.dmp

Filesize
460KB

Download
memory/2228-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2228-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2228-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download