remcos | d307086888548ce42d3be3382b268ab742cdee639d26786c32b628cd34535dac

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FATURA TR.exe
Size

1011KB
MD5

db26196d7b7a5b7686c101b98ebdd88e
SHA1

5a804ae4294cfd81503f33cc1137f0f236e74133
SHA256

6ed3bc3e8ba2b99174ddf35acfbe4326216b43109753a9a488de91a65bb311d8
SHA512

20fc0a785864f82d0803c7b72018a290b3c4920f296edcfc3ec15724b7728cea9351889e3276914a67b15ac8dbc03b6fccfe741cfce9209e0693e52f816c6f05
SSDEEP

24576:1dgZBfJwum315boSahOxxRftBavFqdFEOW1ajNYAOlv:16Xm315boSakhfvkYLEDoO

Score

10^/10

remcos ajanko evasion execution rat trojan

Malware Config

Extracted

Family

remcos

Botnet

AJANKO

ajanko.duckdns.org:1970

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Z9ICSO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FATURA TR.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FATURA TR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FATURA TR.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 2468	2940	FATURA TR.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	FATURA TR.exe
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2468	wmplayer.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2596	2940	FATURA TR.exe	28
PID 2940 wrote to memory of 2596	2940	FATURA TR.exe	28
PID 2940 wrote to memory of 2596	2940	FATURA TR.exe	28
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2556	2940	FATURA TR.exe	30
PID 2940 wrote to memory of 2688	2940	FATURA TR.exe	31
PID 2940 wrote to memory of 2688	2940	FATURA TR.exe	31
PID 2940 wrote to memory of 2688	2940	FATURA TR.exe	31
PID 2940 wrote to memory of 2688	2940	FATURA TR.exe	31
PID 2940 wrote to memory of 2688	2940	FATURA TR.exe	31
PID 2940 wrote to memory of 2688	2940	FATURA TR.exe	31
PID 2940 wrote to memory of 2688	2940	FATURA TR.exe	31
PID 2940 wrote to memory of 2688	2940	FATURA TR.exe	31
PID 2940 wrote to memory of 2688	2940	FATURA TR.exe	31
PID 2940 wrote to memory of 2688	2940	FATURA TR.exe	31
PID 2940 wrote to memory of 2688	2940	FATURA TR.exe	31
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2468	2940	FATURA TR.exe	32
PID 2940 wrote to memory of 2908	2940	FATURA TR.exe	33
PID 2940 wrote to memory of 2908	2940	FATURA TR.exe	33
PID 2940 wrote to memory of 2908	2940	FATURA TR.exe	33
PID 2940 wrote to memory of 2908	2940	FATURA TR.exe	33

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FATURA TR.exe

C:\Users\Admin\AppData\Local\Temp\FATURA TR.exe
"C:\Users\Admin\AppData\Local\Temp\FATURA TR.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FATURA TR.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2688
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2468
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
08dd3675d24b651e259595bf1018071f

SHA1
596c0ddc62ebe5e9b5b41207f12245754686f87b

SHA256
65178481a180bf778f5c68301d0dcf8e8c0643116b9988443b2f3eea48e6bc94

SHA512
c32320a1d5824bc7d6e157c50bd15cd44e0c9c190d20a9328d5b86369cd61923897d419fe0c3b262fe3a68857debf0acb1f096e37a2d7b4e4ec8912c26ce798b

Download Submit
memory/2468-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2468-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2556-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2556-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2556-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2556-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2556-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2556-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2556-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2556-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2596-11-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2596-10-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2596-9-0x0000000001D00000-0x0000000001D80000-memory.dmp

Filesize
512KB

Download
memory/2940-67-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/2940-4-0x000000001B2A0000-0x000000001B372000-memory.dmp

Filesize
840KB

Download
memory/2940-3-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2940-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-1-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download