remcos | 108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation.scr.exe
Size

929KB
MD5

c5a8d5c579b01dde6496d426425c9e64
SHA1

2f66b4af4ae637fecda1d2a01dfc407137447722
SHA256

108f91d9edea555ad29cb610cc1b578bca00a7447900f0caa2fdc15e8bfbacc4
SHA512

c327fa7f319186880d834ec5ee57009b205511db0486ccbb6da2fdb5eed416f7f82564381bdfadce19de27bb15fb2116ebe3ab98c27d425e9f876ecf79113dbb
SSDEEP

24576:4qi0xXW+9UgrA7TEZEDPpsuNFMAvKKyoZ8y7IC:Ri037rOoZ6BsuPM0KBoZ8yMC

Score

10^/10

remcos remotehost execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

185.216.70.120:2427

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FSXSJ2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2656	powershell.exe
2736	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 2516	1636	Quotation.scr.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1636	Quotation.scr.exe
1636	Quotation.scr.exe
1636	Quotation.scr.exe
1636	Quotation.scr.exe
1636	Quotation.scr.exe
1636	Quotation.scr.exe
1636	Quotation.scr.exe
1636	Quotation.scr.exe
1636	Quotation.scr.exe
2656	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	Quotation.scr.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2656	1636	Quotation.scr.exe	28
PID 1636 wrote to memory of 2656	1636	Quotation.scr.exe	28
PID 1636 wrote to memory of 2656	1636	Quotation.scr.exe	28
PID 1636 wrote to memory of 2656	1636	Quotation.scr.exe	28
PID 1636 wrote to memory of 2736	1636	Quotation.scr.exe	30
PID 1636 wrote to memory of 2736	1636	Quotation.scr.exe	30
PID 1636 wrote to memory of 2736	1636	Quotation.scr.exe	30
PID 1636 wrote to memory of 2736	1636	Quotation.scr.exe	30
PID 1636 wrote to memory of 2616	1636	Quotation.scr.exe	32
PID 1636 wrote to memory of 2616	1636	Quotation.scr.exe	32
PID 1636 wrote to memory of 2616	1636	Quotation.scr.exe	32
PID 1636 wrote to memory of 2616	1636	Quotation.scr.exe	32
PID 1636 wrote to memory of 1244	1636	Quotation.scr.exe	34
PID 1636 wrote to memory of 1244	1636	Quotation.scr.exe	34
PID 1636 wrote to memory of 1244	1636	Quotation.scr.exe	34
PID 1636 wrote to memory of 1244	1636	Quotation.scr.exe	34
PID 1636 wrote to memory of 2560	1636	Quotation.scr.exe	35
PID 1636 wrote to memory of 2560	1636	Quotation.scr.exe	35
PID 1636 wrote to memory of 2560	1636	Quotation.scr.exe	35
PID 1636 wrote to memory of 2560	1636	Quotation.scr.exe	35
PID 1636 wrote to memory of 2568	1636	Quotation.scr.exe	36
PID 1636 wrote to memory of 2568	1636	Quotation.scr.exe	36
PID 1636 wrote to memory of 2568	1636	Quotation.scr.exe	36
PID 1636 wrote to memory of 2568	1636	Quotation.scr.exe	36
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37
PID 1636 wrote to memory of 2516	1636	Quotation.scr.exe	37

C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uEizHLXGQSPJ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEizHLXGQSPJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C24.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe"
  2⤵
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe"
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe"
  2⤵
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation.scr.exe"
  2⤵
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5C24.tmp

Filesize
1KB

MD5
476d97ff33b8158a917819c69f42f6c3

SHA1
d96b3b4e9582121b1f9f6beff3e8ac9b67c07fe3

SHA256
425f06d52e26bee4781a4ab76ba58fcfe4d167db4860abb4676b42f5ab7e12c6

SHA512
b3a9d2bbe249c97a7a6cf57b3851642fba2710b7a6a5753f47a854d473f496b44e2bb9ad6711f85a22c3fe024b7f7f91328e68aa2720ecbc5c572867114a3ef6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G05CEGR5YEDSV69FM9VS.temp

Filesize
7KB

MD5
cd7a0d3a4e264ffa042cc72b17c7b360

SHA1
dac970efc8f5c8e0ef718364c3b641d8955f654a

SHA256
200733fc6372287c7d969a3e8e6ade761066b3ea3ccedd6769210fb89c6b7178

SHA512
509e313d8aa5d60e33d750503934da573e2413406b9b6ab00afced68d0c181dfe00a5cebf9be2acbf3829582771ba3ad14feece5bd03e72ee807afa8902e5279

Download Submit
memory/1636-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/1636-1-0x00000000001C0000-0x00000000002AA000-memory.dmp

Filesize
936KB

Download
memory/1636-2-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/1636-3-0x0000000000450000-0x000000000046A000-memory.dmp

Filesize
104KB

Download
memory/1636-4-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/1636-5-0x0000000005470000-0x0000000005530000-memory.dmp

Filesize
768KB

Download
memory/1636-39-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download