remcos | 869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d

General

Target

869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
Size

604KB
MD5

ffc880a6448b251eee7f03809bf0a1bf
SHA1

09e75e38d588b0e99a3f6f85b2dc4a3eebe4ee08
SHA256

869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d
SHA512

21dbc92495d2afa76e2e0b7243586ce70889e6cf1240222f1c75aab217df9a0287f9b9b5f3c754011ecfec411c2677c3fd091bcb2b620205c2c97db564b7b180
SSDEEP

12288:O+DbgZB778Qed59T3C6g9XltKMYicJgTx5bx4OVEIHDe2RZQioKEAmD:3gZBS9TbgoMpcJ+Tbe7Ye2nOK

Score

10^/10

remcos nhs execution rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

NHS

C2

185.189.112.19:30311

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
nhs
keylog_path
%AppData%
mouse_option
false
mutex
remcos_lejjhxgdnt
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
2440	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2476	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
2668	powershell.exe
2440	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2476	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2668	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	28
PID 2512 wrote to memory of 2668	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	28
PID 2512 wrote to memory of 2668	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	28
PID 2512 wrote to memory of 2668	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	28
PID 2512 wrote to memory of 2440	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	30
PID 2512 wrote to memory of 2440	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	30
PID 2512 wrote to memory of 2440	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	30
PID 2512 wrote to memory of 2440	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	30
PID 2512 wrote to memory of 2800	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	31
PID 2512 wrote to memory of 2800	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	31
PID 2512 wrote to memory of 2800	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	31
PID 2512 wrote to memory of 2800	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	31
PID 2512 wrote to memory of 2476	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	34
PID 2512 wrote to memory of 2476	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	34
PID 2512 wrote to memory of 2476	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	34
PID 2512 wrote to memory of 2476	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	34
PID 2512 wrote to memory of 2476	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	34
PID 2512 wrote to memory of 2476	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	34
PID 2512 wrote to memory of 2476	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	34
PID 2512 wrote to memory of 2476	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	34
PID 2512 wrote to memory of 2476	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	34
PID 2512 wrote to memory of 2476	2512	869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe	34

C:\Users\Admin\AppData\Local\Temp\869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
"C:\Users\Admin\AppData\Local\Temp\869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RqlVhjJtK.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RqlVhjJtK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe
  "C:\Users\Admin\AppData\Local\Temp\869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp

Filesize
1KB

MD5
dd48ebc84e7846eb77ef48d9daea8b7c

SHA1
d53848d5064f0fd0e123ec7863a5d29d45089858

SHA256
f149f5e3aad4ccca7dc2bd3a3bf64f8781c861c185eab88903e5510b8a9378cd

SHA512
5a591c9398a07736c449abb79cf875f1a10f429dcb7734b2077baf2e192bea83bf8a34b4a11927a7c3948ebc8e78f7c8e2ea0630eadc0a5d03725d0eb75afcea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XYN5GAJBH4D6HZ2PW0WV.temp

Filesize
7KB

MD5
95bd2b497d0059614907b531bf29cceb

SHA1
a0bca052170a9e9fdbfc7a8db7c5428aaff36377

SHA256
a2337cd8af4e665e2df7a987ae7b658087f7b31b1f624ff8efde96e9818b3fec

SHA512
3ab4749211a79a0361320fd49d117965525a7c94074d50572c02e9c8b8918bfe0db9c2aac30d1c1d4e08afebb6098c3f738bb1c2a16e5ebfd25bb0e8b2346653

Download Submit
memory/2476-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-34-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-33-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-27-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2476-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2512-7-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/2512-1-0x00000000008C0000-0x000000000095C000-memory.dmp

Filesize
624KB

Download
memory/2512-2-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2512-8-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2512-0-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/2512-3-0x0000000000600000-0x0000000000618000-memory.dmp

Filesize
96KB

Download
memory/2512-6-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2512-5-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/2512-4-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2512-37-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads