remcos | ffde0dec915c775224eb553a98b35f906fbce2e56778190859913e566c84dd60 | Triage

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 05:43 UTC

Sharing

Report Analysis Logs

General

Target

msimg32.dll
Size

45.1MB
MD5

066cca9347ad8188670f770ddcee55f0
SHA1

a71df2cfa7af7f27f22b17cdf90788784994e4fe
SHA256

cfade56c6497caca67e247954d9b0bbac8018b316d420b22a39ab0eb2fdd05d6
SHA512

71531dfe50737728ecf1345830f0fdc1001408ff7b28010526655c583f717655a0c3224930b46dcdb2d26b1a1376c821098a59bfc1e951e94ba2a8cec1492df1
SSDEEP

786432:YUP7GCGO7t0Srkx/tC0SzIdSwh/WxbpNHQD3trzRpn:YUP7GCG6iSrkx1hSzYsHQD3t/RN

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

pattreon.duckdns.org:7035

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7D4Q3L
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\ChromeData.dll,EntryPoint"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2032	regsvr32.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	28
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	28
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	28
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	28
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	28
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	28
PID 1612 wrote to memory of 2032	1612	regsvr32.exe	28
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	29
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	29
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	29
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	29
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	29
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	29
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	29
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	29
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	29
PID 2032 wrote to memory of 2992	2032	regsvr32.exe	29
PID 2032 wrote to memory of 2688	2032	regsvr32.exe	32
PID 2032 wrote to memory of 2688	2032	regsvr32.exe	32
PID 2032 wrote to memory of 2688	2032	regsvr32.exe	32
PID 2032 wrote to memory of 2688	2032	regsvr32.exe	32
PID 2688 wrote to memory of 2028	2688	cmd.exe	34
PID 2688 wrote to memory of 2028	2688	cmd.exe	34
PID 2688 wrote to memory of 2028	2688	cmd.exe	34
PID 2688 wrote to memory of 2028	2688	cmd.exe	34

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\msimg32.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\msimg32.dll
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\SysWOW64\regsvr32.exe"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f
      4⤵
      Adds Run key to start application
      PID:2028

Network

DNS

pattreon.duckdns.org

regsvr32.exe

Remote address:

8.8.8.8:53

Request

pattreon.duckdns.org

IN A

Response

pattreon.duckdns.org

IN A

104.243.242.199
DNS

pattreon.duckdns.org

regsvr32.exe

Remote address:

8.8.8.8:53

Request

pattreon.duckdns.org

IN A
DNS

pattreon.duckdns.org

regsvr32.exe

Remote address:

8.8.8.8:53

Request

pattreon.duckdns.org

IN A

Response

pattreon.duckdns.org

IN A

104.243.242.199

104.243.242.199:7035

pattreon.duckdns.org

regsvr32.exe

152 B
3
104.243.242.199:7035

pattreon.duckdns.org

regsvr32.exe

152 B
3
104.243.242.199:7035

pattreon.duckdns.org

regsvr32.exe

152 B
3
104.243.242.199:7035

pattreon.duckdns.org

regsvr32.exe

152 B
3
104.243.242.199:7035

pattreon.duckdns.org

regsvr32.exe

152 B
3
104.243.242.199:7035

pattreon.duckdns.org

regsvr32.exe

152 B
3

8.8.8.8:53

pattreon.duckdns.org

dns

regsvr32.exe

132 B
82 B
2
1

DNS Request

pattreon.duckdns.org

DNS Request

pattreon.duckdns.org

DNS Response

104.243.242.199
8.8.8.8:53

pattreon.duckdns.org

dns

regsvr32.exe

66 B
82 B
1
1

DNS Request

pattreon.duckdns.org

DNS Response

104.243.242.199

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2032-0-0x0000000010000000-0x0000000012DD5000-memory.dmp

Filesize
45.8MB

Download
memory/2032-18-0x0000000012D7F000-0x0000000012DA8000-memory.dmp

Filesize
164KB

Download
memory/2032-1-0x00000000102E6000-0x0000000010300000-memory.dmp

Filesize
104KB

Download
memory/2032-15-0x0000000010000000-0x0000000012DD5000-memory.dmp

Filesize
45.8MB

Download
memory/2032-10-0x0000000010000000-0x0000000012DD5000-memory.dmp

Filesize
45.8MB

Download
memory/2992-17-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-19-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-12-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-11-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-2-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-16-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-6-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2992-8-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2992-14-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-20-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-21-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-22-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-23-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-24-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-25-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-26-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-27-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-28-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/2992-29-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download