remcos | f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RqYh.exe
Size

970KB
MD5

4b487f91d2504883b4c9df18848af5ef
SHA1

964e913b8b4cba2232e46b3fe0b73b1c009bed7d
SHA256

f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607
SHA512

2f38dfa36bff6235dcddb359af65e3374f556e40fd950c6e5e9b52a474d46227d833fd9897efc925b781f6b97b093b29dc9d119edc88d76a23d3407a1471e23b
SSDEEP

24576:BYx8QzPlMGKwlyvxR27CYOlOLkgggD8lyftUCp2mv:6x8QzZYvxR2WbRggp0XT

Score

10^/10

remcos h�texte discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

H�texte

rodri.selfip.net:50019

racindjah.blogdns.com:50066

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
journaux.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B6J50C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Captures décran
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2728	powershell.exe
2968	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	remcos.exe

Loads dropped DLL 1 IoCs

pid	Process
2640	MSBuild.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-B6J50C = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-B6J50C = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 2640	1956	RqYh.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RqYh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1956	RqYh.exe
2728	powershell.exe
2968	powershell.exe
1956	RqYh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	RqYh.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2728	1956	RqYh.exe	30
PID 1956 wrote to memory of 2728	1956	RqYh.exe	30
PID 1956 wrote to memory of 2728	1956	RqYh.exe	30
PID 1956 wrote to memory of 2728	1956	RqYh.exe	30
PID 1956 wrote to memory of 2968	1956	RqYh.exe	32
PID 1956 wrote to memory of 2968	1956	RqYh.exe	32
PID 1956 wrote to memory of 2968	1956	RqYh.exe	32
PID 1956 wrote to memory of 2968	1956	RqYh.exe	32
PID 1956 wrote to memory of 2808	1956	RqYh.exe	34
PID 1956 wrote to memory of 2808	1956	RqYh.exe	34
PID 1956 wrote to memory of 2808	1956	RqYh.exe	34
PID 1956 wrote to memory of 2808	1956	RqYh.exe	34
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 1956 wrote to memory of 2640	1956	RqYh.exe	36
PID 2640 wrote to memory of 2868	2640	MSBuild.exe	37
PID 2640 wrote to memory of 2868	2640	MSBuild.exe	37
PID 2640 wrote to memory of 2868	2640	MSBuild.exe	37
PID 2640 wrote to memory of 2868	2640	MSBuild.exe	37

C:\Users\Admin\AppData\Local\Temp\RqYh.exe
"C:\Users\Admin\AppData\Local\Temp\RqYh.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RqYh.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oJSnAkAh.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A23.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3A23.tmp

Filesize
1KB

MD5
0d350bb739eb694a6bdd044c436b2669

SHA1
397a6b519e8160b6564a348d2dab9236cc1e414d

SHA256
949247db4fec1236d518c84e1091011b2c7af017abe6fdbe7e3f32e41e45ef1b

SHA512
aa4be243044c7eb34f28885d2441154dc850cd93d33ed200cdccdebd00f8fd39999093737984dfe3236f636d15616c141af5331b6516fd467137dfe005b73c2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d9b0b9294a0faf7d678e150d1cfb105c

SHA1
844b6c5849952c96a8c7a8a2f3d1065ce958c3e2

SHA256
825349b4c0f78e7efe97addd827e75adb11cb8ec28d91c2b3b7392d7e12d9586

SHA512
a1cdfe748e1dcf7fa95c73dcf0a303311718f9ff10d490a527e31c1c5ee4a4082ff6d029dc4d9491580d0a87d0946ff2bb8e3b666ae89c58e5bf8654fa8aa75a

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/1956-40-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/1956-1-0x00000000003E0000-0x00000000004D8000-memory.dmp

Filesize
992KB

Download
memory/1956-2-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/1956-3-0x0000000000A40000-0x0000000000A58000-memory.dmp

Filesize
96KB

Download
memory/1956-4-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/1956-5-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/1956-6-0x0000000004890000-0x0000000004950000-memory.dmp

Filesize
768KB

Download
memory/1956-0-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2640-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2868-47-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download