remcos | c6a386ba41efba3fa22d748ac1c5641dbcd450f5cf9a2334cfcb7a2c1cbc28b8

Analysis

max time kernel
94s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AntiRootInstaller.exe
Size

278KB
MD5

8dc102c02dbcf1cdf9d613bebfcab908
SHA1

27cfc3f634ff9aca559b9cc5ea07fdcff678c93e
SHA256

c6a386ba41efba3fa22d748ac1c5641dbcd450f5cf9a2334cfcb7a2c1cbc28b8
SHA512

83fc4fb889114a360a46d245c51799777b74493ec6cee8594a579dcc1a3dc5cd17c4b5e01523a2e92fa238b3174142cc190787db3d38bae8a6cd4b3bbe63490d
SSDEEP

6144:y+yVYfCFcmuc9dRd6XM7iFgEEs3FaJ59TCEiUB79:yr/buc9dyXM7kgEEsm5cEiU

Score

10^/10

remcos remotehost discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

mode-clusters.gl.at.ply.gg:36304

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
$77-Installer
copy_folder
Remcos
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-G1AT0Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-G1AT0Q = "\"C:\\Windows\\SysWOW64\\Remcos\\$77-Installer\""	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-G1AT0Q = "\"C:\\Windows\\SysWOW64\\Remcos\\$77-Installer\""	Updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iexplore.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	AntiRootInstaller.exe

Executes dropped EXE 1 IoCs

pid	Process
1512	Updater.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-G1AT0Q = "\"C:\\Windows\\SysWOW64\\Remcos\\$77-Installer\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-G1AT0Q = "\"C:\\Windows\\SysWOW64\\Remcos\\$77-Installer\""	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-G1AT0Q = "\"C:\\Windows\\SysWOW64\\Remcos\\$77-Installer\""	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-G1AT0Q = "\"C:\\Windows\\SysWOW64\\Remcos\\$77-Installer\""	Updater.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Remcos\$77-Installer	Updater.exe
File opened for modification	C:\Windows\SysWOW64\Remcos\$77-Installer	Updater.exe
File opened for modification	C:\Windows\SysWOW64\Remcos	Updater.exe
File opened for modification	C:\Windows\SysWOW64\Remcos	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\Remcos\$77-Installer	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1512 set thread context of 4980	1512	Updater.exe	95
PID 4980 set thread context of 2140	4980	iexplore.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3024	timeout.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	AntiRootInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	iexplore.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
404	reg.exe
3848	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1512	Updater.exe
1512	Updater.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1512	Updater.exe
4980	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2604	OpenWith.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 1512	4396	AntiRootInstaller.exe	87
PID 4396 wrote to memory of 1512	4396	AntiRootInstaller.exe	87
PID 4396 wrote to memory of 1512	4396	AntiRootInstaller.exe	87
PID 1512 wrote to memory of 608	1512	Updater.exe	89
PID 1512 wrote to memory of 608	1512	Updater.exe	89
PID 1512 wrote to memory of 608	1512	Updater.exe	89
PID 4396 wrote to memory of 5036	4396	AntiRootInstaller.exe	91
PID 4396 wrote to memory of 5036	4396	AntiRootInstaller.exe	91
PID 608 wrote to memory of 404	608	cmd.exe	92
PID 608 wrote to memory of 404	608	cmd.exe	92
PID 608 wrote to memory of 404	608	cmd.exe	92
PID 5036 wrote to memory of 3024	5036	cmd.exe	94
PID 5036 wrote to memory of 3024	5036	cmd.exe	94
PID 1512 wrote to memory of 4980	1512	Updater.exe	95
PID 1512 wrote to memory of 4980	1512	Updater.exe	95
PID 1512 wrote to memory of 4980	1512	Updater.exe	95
PID 1512 wrote to memory of 4980	1512	Updater.exe	95
PID 4980 wrote to memory of 3460	4980	iexplore.exe	96
PID 4980 wrote to memory of 3460	4980	iexplore.exe	96
PID 4980 wrote to memory of 3460	4980	iexplore.exe	96
PID 4980 wrote to memory of 2140	4980	iexplore.exe	98
PID 4980 wrote to memory of 2140	4980	iexplore.exe	98
PID 4980 wrote to memory of 2140	4980	iexplore.exe	98
PID 4980 wrote to memory of 2140	4980	iexplore.exe	98
PID 3460 wrote to memory of 3848	3460	cmd.exe	99
PID 3460 wrote to memory of 3848	3460	cmd.exe	99
PID 3460 wrote to memory of 3848	3460	cmd.exe	99
PID 4980 wrote to memory of 4588	4980	iexplore.exe	107
PID 4980 wrote to memory of 4588	4980	iexplore.exe	107
PID 4980 wrote to memory of 4588	4980	iexplore.exe	107

C:\Users\Admin\AppData\Local\Temp\AntiRootInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\AntiRootInstaller.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:608
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:404
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3848
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aikgcqynmcaz.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DEA.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Updater.exe

Filesize
483KB

MD5
db034c9466c83a31925b6fccd69c60ae

SHA1
f43959427039dae6e78494d0fbca2e0233fa4a07

SHA256
a817510b4e482dbb1235f616c2bd12e7f22be34f0d426846fd11db114be28be3

SHA512
d2d904527ff98f0b7caa9d75337b0823eafc091ef1a24ad4e41bb7caab6c2ddd65ef4a5150bdb1d23a4fef851649318a7ce9603082bf5828eb3707ad2340804b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aikgcqynmcaz.vbs

Filesize
572B

MD5
54a769d74f2b983cb50faaf758561dbe

SHA1
c8f0dd48ebc00ca1fefcba1b904f04d93cab3228

SHA256
bebb01f3ebac7d6849f08374aa13883c6f657df0729f1ad03a100764688e8f4c

SHA512
2ed0cebda27b59db789fe98104529b43ffcf996926d9860e87c29ef7f73be64a160e24d4595642aa824fee86726f6f05451d1268096608b9ec0352fcde2b5692

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7DEA.tmp.bat

Filesize
169B

MD5
ffa9e7865dc8a391dfc8cb75f67f9873

SHA1
6107ac3066bc91a96d03c5f39b7865943e89b47d

SHA256
6c0c94c942541c049f463ceb5098b51f5daf06d98d883a41db14fa285da04b0d

SHA512
9ae0dda0662ddd592b28054eeb35c56ca34dfc5b70ba7aec7e755f5954ab17abb70d8faa2543e3f3cf64f5fa0ca95d27fad07b6eadd6bb86f73c74118f8ff527

Download Submit
memory/2140-40-0x0000000000F50000-0x0000000000FD2000-memory.dmp

Filesize
520KB

Download
memory/2140-39-0x0000000000F50000-0x0000000000FD2000-memory.dmp

Filesize
520KB

Download
memory/4396-1-0x0000000000110000-0x000000000015C000-memory.dmp

Filesize
304KB

Download
memory/4396-7-0x00007FF8B9230000-0x00007FF8B9CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4396-18-0x00007FF8B9230000-0x00007FF8B9CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4396-0-0x00007FF8B9233000-0x00007FF8B9235000-memory.dmp

Filesize
8KB

Download
memory/4980-49-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-52-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-41-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-42-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-43-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-44-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-46-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-47-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-48-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-34-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-50-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-51-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-53-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-33-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-54-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-56-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-57-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-58-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-59-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-60-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-61-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-62-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-63-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-64-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-65-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-69-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-70-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download
memory/4980-35-0x0000000000540000-0x00000000005C2000-memory.dmp

Filesize
520KB

Download