remcos | f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607

Analysis

max time kernel
17s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe
Size

970KB
MD5

4b487f91d2504883b4c9df18848af5ef
SHA1

964e913b8b4cba2232e46b3fe0b73b1c009bed7d
SHA256

f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607
SHA512

2f38dfa36bff6235dcddb359af65e3374f556e40fd950c6e5e9b52a474d46227d833fd9897efc925b781f6b97b093b29dc9d119edc88d76a23d3407a1471e23b
SSDEEP

24576:BYx8QzPlMGKwlyvxR27CYOlOLkgggD8lyftUCp2mv:6x8QzZYvxR2WbRggp0XT

Score

10^/10

remcos h�texte discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

H�texte

rodri.selfip.net:50019

racindjah.blogdns.com:50066

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
journaux.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B6J50C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Captures décran
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
2764	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1460	remcos.exe

Loads dropped DLL 1 IoCs

pid	Process
2644	MSBuild.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-B6J50C = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-B6J50C = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe
1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe
2936	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2936	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	30
PID 1956 wrote to memory of 2936	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	30
PID 1956 wrote to memory of 2936	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	30
PID 1956 wrote to memory of 2936	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	30
PID 1956 wrote to memory of 2764	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	32
PID 1956 wrote to memory of 2764	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	32
PID 1956 wrote to memory of 2764	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	32
PID 1956 wrote to memory of 2764	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	32
PID 1956 wrote to memory of 2768	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	34
PID 1956 wrote to memory of 2768	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	34
PID 1956 wrote to memory of 2768	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	34
PID 1956 wrote to memory of 2768	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	34
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 1956 wrote to memory of 2644	1956	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	36
PID 2644 wrote to memory of 1460	2644	MSBuild.exe	37
PID 2644 wrote to memory of 1460	2644	MSBuild.exe	37
PID 2644 wrote to memory of 1460	2644	MSBuild.exe	37
PID 2644 wrote to memory of 1460	2644	MSBuild.exe	37

C:\Users\Admin\AppData\Local\Temp\f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe
"C:\Users\Admin\AppData\Local\Temp\f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oJSnAkAh.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6ECA.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6ECA.tmp

Filesize
1KB

MD5
c1c32fc9ce72a1e8e9c68a19208702ff

SHA1
760642dd5e3f32c84bbfac96794f42333fc1695f

SHA256
d055f0b2010ef2574f4cd1c6a2fc13f535e2e3b02d3983d6f87b761441ca8715

SHA512
60035b65ccca851c0d20dee7761de48460ced62491e9cd13205d01d9e9cc5cc96834576e5040af12d1828728629d5ee0b4f2649a9bd96a74090d7a8694d3efa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b644ada8dac455b8723273b351b566c3

SHA1
33b178c3c9bd39ab8ad3f4850f2d536e89e353da

SHA256
0c3ba56f81a55cb44c515973fa8d05b6395ab2073d1d724984adf958fb05be7d

SHA512
0cc88645fb1689b3e9138bab451f6793f8d90777dcc90f3a7bb5095ef9f16eb081ca0e3fd0b711c65b380fa681f9e81d3fd240ed7158eeda7eab34255a805aab

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/1460-47-0x00000000001D0000-0x0000000000210000-memory.dmp

Filesize
256KB

Download
memory/1956-40-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/1956-1-0x00000000001B0000-0x00000000002A8000-memory.dmp

Filesize
992KB

Download
memory/1956-2-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/1956-3-0x0000000000510000-0x0000000000528000-memory.dmp

Filesize
96KB

Download
memory/1956-4-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/1956-5-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/1956-6-0x0000000005B10000-0x0000000005BD0000-memory.dmp

Filesize
768KB

Download
memory/1956-0-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/2644-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2644-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2644-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2644-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2644-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2644-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2644-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2644-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2644-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2644-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download