remcos | f85d410510e8b70e98e47e8173aec211ec37d07f1c2a773b87916eb8194b7c1c

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order8938.exe
Size

1.1MB
MD5

d3fff3f1d4f8d5b93f8ee6ef9de88b81
SHA1

cebcaf2839acba54a8d37fa6b85ccdd82d6b85b1
SHA256

f1e379ba6ef730a30192c591a00410fc174136c7eb71fed2596586b14f29551c
SHA512

00b9d1aa659929827f6e27e1d02d1409edb1f337bbb8a6972163d5be9df42d5e1b45d1e6b9912e836ad77ca0a8269970e317e6c6abb756eec1d693f43cd79aa6
SSDEEP

24576:fv5f66t1rUT6fdMjWo+Dq2MyXKr5B5l3no53lQ9ZynYQHtd19X:H5xy4Gjr+Dqz5do5C9Zy3d11

Score

10^/10

remcos aug - 21 discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

AUG - 21

sungito2.ddns.net:5055

154.216.19.222:7088

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9KM8RM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2896	powershell.exe
2900	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 764	1712	Order8938.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order8938.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order8938.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2900	powershell.exe
2896	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
764	Order8938.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2896	1712	Order8938.exe	31
PID 1712 wrote to memory of 2896	1712	Order8938.exe	31
PID 1712 wrote to memory of 2896	1712	Order8938.exe	31
PID 1712 wrote to memory of 2896	1712	Order8938.exe	31
PID 1712 wrote to memory of 2900	1712	Order8938.exe	33
PID 1712 wrote to memory of 2900	1712	Order8938.exe	33
PID 1712 wrote to memory of 2900	1712	Order8938.exe	33
PID 1712 wrote to memory of 2900	1712	Order8938.exe	33
PID 1712 wrote to memory of 2956	1712	Order8938.exe	35
PID 1712 wrote to memory of 2956	1712	Order8938.exe	35
PID 1712 wrote to memory of 2956	1712	Order8938.exe	35
PID 1712 wrote to memory of 2956	1712	Order8938.exe	35
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37
PID 1712 wrote to memory of 764	1712	Order8938.exe	37

C:\Users\Admin\AppData\Local\Temp\Order8938.exe
"C:\Users\Admin\AppData\Local\Temp\Order8938.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order8938.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TlLBve.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlLBve" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE55.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\Order8938.exe
  "C:\Users\Admin\AppData\Local\Temp\Order8938.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c546a54b637aa2c479d890b8e4c64f0b

SHA1
9a5fce23e3333baa540a6dedb1fe951ae1953d3f

SHA256
581b9b3a6a2e6bdac3efad5b3d1e4785f8a61e020eb0e478a01e20e9a78f57fc

SHA512
dda3ecb95ca6a48e26685b6b57a3a3b9158f8bc90663ea51c8f6f5e37bcc7af99d3d6d43a99e2c10b25b8479fb3e687035dce8975c27363a7be6ec20ee606f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE55.tmp

Filesize
1KB

MD5
3d5b025caa66c48fa0a0a5940c9eaed9

SHA1
7009e52a398392205372d120988afe6b8b8f19ab

SHA256
366f92c0cf026891950f64f68cc2a86d3b43e5075364bca0fd7613bd507ee170

SHA512
c460bcfff80581069163ecdbc050ef85bb18c01f3629fa2f0ca95d6ec74a5e0e86f517a1feb06b34ef43a38acd465355af94875c01bd12eec847ce89ea49a0db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FFGYC7SQU4KV9NTZ9EOK.temp

Filesize
7KB

MD5
f423c187f4eb813f53c243940ab1a382

SHA1
e4e9edc057a3b4ea5a7b87d3cf24d66e85924c4b

SHA256
eb5f1b8ab36053bbbfaf91d1873f6884451957682d86086afb9306c22c8a8179

SHA512
aceaf1f9d422a94e8b534f40952e86c5ef44f36aeae8d1f0f1f27b0a0680c58b6d33dbb2a1c6e2e14a087ed4dc0f98dc4a3fa7477d890d066593c835bd43b110

Download Submit
memory/764-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/764-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/764-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1712-0-0x00000000741EE000-0x00000000741EF000-memory.dmp

Filesize
4KB

Download
memory/1712-44-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-8-0x0000000005A60000-0x0000000005B20000-memory.dmp

Filesize
768KB

Download
memory/1712-7-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1712-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1712-5-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-4-0x00000000741EE000-0x00000000741EF000-memory.dmp

Filesize
4KB

Download
memory/1712-3-0x00000000004E0000-0x00000000004FA000-memory.dmp

Filesize
104KB

Download
memory/1712-2-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-1-0x0000000000980000-0x0000000000AA4000-memory.dmp

Filesize
1.1MB

Download