remcos | c3bd1eaa3e042bd0948cfdec06cae89031e5437f14ecc65e4a449a44e7c296ed

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
31/08/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe
Size

970KB
MD5

4b487f91d2504883b4c9df18848af5ef
SHA1

964e913b8b4cba2232e46b3fe0b73b1c009bed7d
SHA256

f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607
SHA512

2f38dfa36bff6235dcddb359af65e3374f556e40fd950c6e5e9b52a474d46227d833fd9897efc925b781f6b97b093b29dc9d119edc88d76a23d3407a1471e23b
SSDEEP

24576:BYx8QzPlMGKwlyvxR27CYOlOLkgggD8lyftUCp2mv:6x8QzZYvxR2WbRggp0XT

Score

10^/10

remcos h�texte discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

H�texte

rodri.selfip.net:50019

racindjah.blogdns.com:50066

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
journaux.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B6J50C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Captures décran
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2376	powershell.exe
2736	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2064	remcos.exe

Loads dropped DLL 1 IoCs

pid	Process
2680	MSBuild.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-B6J50C = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-B6J50C = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe
2736	powershell.exe
2376	powershell.exe
1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2376	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	31
PID 1948 wrote to memory of 2376	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	31
PID 1948 wrote to memory of 2376	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	31
PID 1948 wrote to memory of 2376	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	31
PID 1948 wrote to memory of 2736	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	33
PID 1948 wrote to memory of 2736	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	33
PID 1948 wrote to memory of 2736	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	33
PID 1948 wrote to memory of 2736	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	33
PID 1948 wrote to memory of 2744	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	34
PID 1948 wrote to memory of 2744	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	34
PID 1948 wrote to memory of 2744	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	34
PID 1948 wrote to memory of 2744	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	34
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 1948 wrote to memory of 2680	1948	f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe	37
PID 2680 wrote to memory of 2064	2680	MSBuild.exe	38
PID 2680 wrote to memory of 2064	2680	MSBuild.exe	38
PID 2680 wrote to memory of 2064	2680	MSBuild.exe	38
PID 2680 wrote to memory of 2064	2680	MSBuild.exe	38

C:\Users\Admin\AppData\Local\Temp\f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe
"C:\Users\Admin\AppData\Local\Temp\f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oJSnAkAh.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA01.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEA01.tmp

Filesize
1KB

MD5
4f3aaabf261ac4f1cf219683a9037067

SHA1
1ec186a429e5c4a7e0d555a8b812a5507853be48

SHA256
b82b8d9d99b7cdad5b7c1e3dcab6923d39b0efe0b5bdc64ae5151a8bfff1b3ad

SHA512
cc17b0a59456aa7345971f0eb1bc05992631947946ce035146d0073f5ec21e044d63edda355c828c447d8a387f63062951b5bdfad93ddfa86b5eb02fab7825bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
32fd1b353e75dcf3a51135c68301a327

SHA1
ed5d43aff3c70c0a91b210436e522b23fe07b094

SHA256
4acf18eee9ac2c78855cd4beaa310f206169b9d00e5d39ad5d8cd96e8a166b20

SHA512
528d7a9683c428b6ba2bae25c65319f71a514350a518d535e7d1c8ec0d61137ca061b0399750a3a9634389a13cf4d1b437e8dd3c95da6fab1d74794c10a1c915

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/1948-40-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1948-1-0x0000000000C00000-0x0000000000CF8000-memory.dmp

Filesize
992KB

Download
memory/1948-2-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1948-3-0x0000000000350000-0x0000000000368000-memory.dmp

Filesize
96KB

Download
memory/1948-4-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/1948-5-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1948-6-0x0000000005A90000-0x0000000005B50000-memory.dmp

Filesize
768KB

Download
memory/1948-0-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/2064-47-0x0000000001240000-0x0000000001280000-memory.dmp

Filesize
256KB

Download
memory/2680-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2680-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2680-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2680-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2680-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2680-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2680-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2680-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2680-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2680-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2680-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download