remcos | 94338a235c9207ba31032496ba04d39ae887a3155c15d57347307df2dfa16242

General

Target

f4aedd9c8b06bf6f30404ae4c5de18c0N.exe
Size

936KB
MD5

f4aedd9c8b06bf6f30404ae4c5de18c0
SHA1

9f3b3c5c600416806ca99050f0fe8428e0215720
SHA256

94338a235c9207ba31032496ba04d39ae887a3155c15d57347307df2dfa16242
SHA512

bb95bb409162e2eb1b4b17f52409c91ed38ac4fb695944fb88607df96279778626af650db6028d96e8bce742480ad9f3971896e08e6417712ee06a256111e39a
SSDEEP

24576:Y9MC/qaSu32aV7pOsOwCWiB3F8mUlUAPrs3L0hMa2aa1ucko/8gv:riUu32I+jFvU6APA70hMaz+koX

Score

10^/10

remcos aug 20c2 discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

Aug 20C2

C2

method8888.ddns.net:6902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-81VELC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1856	powershell.exe
1852	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1856	powershell.exe
1852	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2232	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1856	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	30
PID 2180 wrote to memory of 1856	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	30
PID 2180 wrote to memory of 1856	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	30
PID 2180 wrote to memory of 1856	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	30
PID 2180 wrote to memory of 1852	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	32
PID 2180 wrote to memory of 1852	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	32
PID 2180 wrote to memory of 1852	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	32
PID 2180 wrote to memory of 1852	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	32
PID 2180 wrote to memory of 2744	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	33
PID 2180 wrote to memory of 2744	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	33
PID 2180 wrote to memory of 2744	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	33
PID 2180 wrote to memory of 2744	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	33
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36
PID 2180 wrote to memory of 2232	2180	f4aedd9c8b06bf6f30404ae4c5de18c0N.exe	36

C:\Users\Admin\AppData\Local\Temp\f4aedd9c8b06bf6f30404ae4c5de18c0N.exe
"C:\Users\Admin\AppData\Local\Temp\f4aedd9c8b06bf6f30404ae4c5de18c0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f4aedd9c8b06bf6f30404ae4c5de18c0N.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uULeEHHHWasTQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uULeEHHHWasTQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFD6.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\f4aedd9c8b06bf6f30404ae4c5de18c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\f4aedd9c8b06bf6f30404ae4c5de18c0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
88358320e54b12cac2e2b2bb8fa6436e

SHA1
4240d711579ef1efb2a038eb2e298ddce06cf560

SHA256
7d181eff3a85a41bb7674911fdf686698a2d399ec580db1089f7c0dc53f279dc

SHA512
7b28a7b25ed322b2156a2d597630b5d4f9740f3f227bcabca1dbfdea425e3cb5fe28a9ed32eaec9ad8cea84374fe29958d9cadf303b9f665403589be8448c112

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBFD6.tmp

Filesize
1KB

MD5
b3caf28e2cf5a7210b699765eac76a52

SHA1
5d9a45c30c7674ad759b5fe6452d500dedaba217

SHA256
051aee6cc4f6ba48a8ea3ec4cf0336348330d8be9ff78bbe56ca60456c19f749

SHA512
78fd6df186ca5cea06e85caa2ea0b5606ba614d1e0e042426f3a16cb5ab14ed02c00972a8fc5e4d26d7a3302176e562f672c7d9285a14d810a410d96bacb3645

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\577UWRRC44IQV79AM030.temp

Filesize
7KB

MD5
ecf9c6efa5e13c4952e9619cbe7e48ad

SHA1
8d2523bb8a502d9254517f146d89de2044436a9a

SHA256
9ff8532e1c71daa3f3851dd5ffce89e6f449d78815eea69a106773167735d4ed

SHA512
d24f0b6ae4f0d800f965697e5423d85fc373cdedf518863283306d812b52b8cd0c6f68f604b283fb53b6988de4ec6c282a48cceaeebc6f0407d8a9a97ce55123

Download Submit
memory/2180-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x0000000000F40000-0x000000000102C000-memory.dmp

Filesize
944KB

Download
memory/2180-2-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2180-3-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2180-4-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/2180-5-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2180-6-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2180-7-0x0000000004C00000-0x0000000004CC0000-memory.dmp

Filesize
768KB

Download
memory/2180-43-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2232-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2232-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2232-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2232-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2232-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2232-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2232-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2232-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2232-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2232-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2232-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2232-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads