remcos | dbd90ffa51b2ec9e716642d651d5740f2a9e376db28b217dbc31ab89b5362409

Resubmissions

05/09/2024, 06:49

240905-hlqemsvdkm 10

05/09/2024, 06:43

240905-hg74wswbrh 10

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

049ccb277f6c9e2816347b2d51df7ba0N.exe
Size

4.3MB
MD5

049ccb277f6c9e2816347b2d51df7ba0
SHA1

b78da518b845bacca6ecd4595f751a8e6c41c4d6
SHA256

dbd90ffa51b2ec9e716642d651d5740f2a9e376db28b217dbc31ab89b5362409
SHA512

4250cf0ca6815f97265eb7924095c84a8fe41e463bcf172802e72ba5c045f999f23411a994a21d73cab270fe22287e44b33d5314f5b120ab5fad79c53e8a4559
SSDEEP

98304:gC11IMjItWMFAetMtXjxhmZrC11IMjItWMFAetMtXjxhmZY4T:ghSMFjO7mZrhSMFjO7mZY

Score

10^/10

remcos mistery-pc discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

MISTERY-PC

nzobaku.ddns.net:8081

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-59N2NZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe
1936	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
2708	._cache_049ccb277f6c9e2816347b2d51df7ba0N.exe
2640	Synaptics.exe
696	Synaptics.exe
2900	Synaptics.exe
2676	Synaptics.exe
2288	Synaptics.exe
2080	Synaptics.exe

Loads dropped DLL 3 IoCs

pid	Process
2484	049ccb277f6c9e2816347b2d51df7ba0N.exe
2484	049ccb277f6c9e2816347b2d51df7ba0N.exe
2484	049ccb277f6c9e2816347b2d51df7ba0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	049ccb277f6c9e2816347b2d51df7ba0N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_049ccb277f6c9e2816347b2d51df7ba0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	049ccb277f6c9e2816347b2d51df7ba0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	049ccb277f6c9e2816347b2d51df7ba0N.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1856	049ccb277f6c9e2816347b2d51df7ba0N.exe
1856	049ccb277f6c9e2816347b2d51df7ba0N.exe
1856	049ccb277f6c9e2816347b2d51df7ba0N.exe
1856	049ccb277f6c9e2816347b2d51df7ba0N.exe
1856	049ccb277f6c9e2816347b2d51df7ba0N.exe
1856	049ccb277f6c9e2816347b2d51df7ba0N.exe
1856	049ccb277f6c9e2816347b2d51df7ba0N.exe
2892	powershell.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
2640	Synaptics.exe
1936	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2640	Synaptics.exe
Token: SeDebugPrivilege	1936	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2708	._cache_049ccb277f6c9e2816347b2d51df7ba0N.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2892	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	31
PID 1856 wrote to memory of 2892	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	31
PID 1856 wrote to memory of 2892	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	31
PID 1856 wrote to memory of 2892	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	31
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 1856 wrote to memory of 2484	1856	049ccb277f6c9e2816347b2d51df7ba0N.exe	33
PID 2484 wrote to memory of 2708	2484	049ccb277f6c9e2816347b2d51df7ba0N.exe	34
PID 2484 wrote to memory of 2708	2484	049ccb277f6c9e2816347b2d51df7ba0N.exe	34
PID 2484 wrote to memory of 2708	2484	049ccb277f6c9e2816347b2d51df7ba0N.exe	34
PID 2484 wrote to memory of 2708	2484	049ccb277f6c9e2816347b2d51df7ba0N.exe	34
PID 2484 wrote to memory of 2640	2484	049ccb277f6c9e2816347b2d51df7ba0N.exe	35
PID 2484 wrote to memory of 2640	2484	049ccb277f6c9e2816347b2d51df7ba0N.exe	35
PID 2484 wrote to memory of 2640	2484	049ccb277f6c9e2816347b2d51df7ba0N.exe	35
PID 2484 wrote to memory of 2640	2484	049ccb277f6c9e2816347b2d51df7ba0N.exe	35
PID 2640 wrote to memory of 1936	2640	Synaptics.exe	37
PID 2640 wrote to memory of 1936	2640	Synaptics.exe	37
PID 2640 wrote to memory of 1936	2640	Synaptics.exe	37
PID 2640 wrote to memory of 1936	2640	Synaptics.exe	37
PID 2640 wrote to memory of 696	2640	Synaptics.exe	39
PID 2640 wrote to memory of 696	2640	Synaptics.exe	39
PID 2640 wrote to memory of 696	2640	Synaptics.exe	39
PID 2640 wrote to memory of 696	2640	Synaptics.exe	39
PID 2640 wrote to memory of 2676	2640	Synaptics.exe	40
PID 2640 wrote to memory of 2676	2640	Synaptics.exe	40
PID 2640 wrote to memory of 2676	2640	Synaptics.exe	40
PID 2640 wrote to memory of 2676	2640	Synaptics.exe	40
PID 2640 wrote to memory of 2900	2640	Synaptics.exe	41
PID 2640 wrote to memory of 2900	2640	Synaptics.exe	41
PID 2640 wrote to memory of 2900	2640	Synaptics.exe	41
PID 2640 wrote to memory of 2900	2640	Synaptics.exe	41
PID 2640 wrote to memory of 2080	2640	Synaptics.exe	42
PID 2640 wrote to memory of 2080	2640	Synaptics.exe	42
PID 2640 wrote to memory of 2080	2640	Synaptics.exe	42
PID 2640 wrote to memory of 2080	2640	Synaptics.exe	42
PID 2640 wrote to memory of 2288	2640	Synaptics.exe	43
PID 2640 wrote to memory of 2288	2640	Synaptics.exe	43
PID 2640 wrote to memory of 2288	2640	Synaptics.exe	43
PID 2640 wrote to memory of 2288	2640	Synaptics.exe	43

C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe
"C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe
  "C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\._cache_049ccb277f6c9e2816347b2d51df7ba0N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_049ccb277f6c9e2816347b2d51df7ba0N.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2708
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1936
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:696
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:2676
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:2900
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:2080
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.3MB

MD5
049ccb277f6c9e2816347b2d51df7ba0

SHA1
b78da518b845bacca6ecd4595f751a8e6c41c4d6

SHA256
dbd90ffa51b2ec9e716642d651d5740f2a9e376db28b217dbc31ab89b5362409

SHA512
4250cf0ca6815f97265eb7924095c84a8fe41e463bcf172802e72ba5c045f999f23411a994a21d73cab270fe22287e44b33d5314f5b120ab5fad79c53e8a4559

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
cd5ee104b3875b4d5554e8a528a71d4e

SHA1
bed8717d5da0cb9883434202e0e2e4927961b321

SHA256
e78456b8b39b64d38a7b675cbc846a5384d77a6b360fabff3c7c0150dfa3c546

SHA512
0d87d9b5d311b0d55cab2dc3c1810ab5bd0ec738c34a502d1782f2db3d98594da79b5ec862a260e86313f818621e484235d7061f851b1fef302efc55771d0fcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b5486d242f51dc9817ab2a3d46803f35

SHA1
63dd150bcbfb7aa1165953adf712e492dc967d3a

SHA256
c3d379d2235727d7aca088c914a2602ee5a6486701b0ad0b7e257e4239727d51

SHA512
e75f78ac7478a0e24ba4230d9bd4e04124fc79f42899a01a0eaa05bccbec861398add613196dd41fc749ad819c9055ae384aa7ff36f1d7994afe05edf572d8a8

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_049ccb277f6c9e2816347b2d51df7ba0N.exe

Filesize
483KB

MD5
87705ce8d428c8701a1efa3669cb5135

SHA1
3d2022f4950b549bf238bf285aa6ac0dc0c075e3

SHA256
543001345cedb9f6962494aafd531be8c1427876b07f339365fd7b20c18fcdce

SHA512
374bd7e76c0341ad3cba5b1f4d949b246b584f227c8c6461cc4798781fe6b8e8e6b64556d3c6bf94cac2aa4b06ccf10bc0b373a7594bbf117a50b5113f75c9d4

Download Submit
memory/1856-27-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-5-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-6-0x0000000000700000-0x000000000070E000-memory.dmp

Filesize
56KB

Download
memory/1856-7-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/1856-8-0x00000000059E0000-0x0000000005B5E000-memory.dmp

Filesize
1.5MB

Download
memory/1856-1-0x0000000001330000-0x0000000001786000-memory.dmp

Filesize
4.3MB

Download
memory/1856-2-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-3-0x00000000006D0000-0x00000000006E8000-memory.dmp

Filesize
96KB

Download
memory/1856-4-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/1856-0-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2484-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2484-22-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2484-17-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2484-16-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2484-15-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2484-13-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2484-11-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2484-21-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2484-23-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2484-24-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2484-10-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2484-9-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2640-57-0x0000000000A50000-0x0000000000A66000-memory.dmp

Filesize
88KB

Download
memory/2640-53-0x0000000000360000-0x00000000007B6000-memory.dmp

Filesize
4.3MB

Download