remcos | 7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.RATXgen.15616.18273.exe
Size

1.0MB
MD5

f2e67a1bef67fa4f49dce815b93eeefb
SHA1

1b75d6182523dc35cf13e5e9430194196fb44aeb
SHA256

7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d
SHA512

d0b2dd442d20921c63716eb5974fcd450d3ff800bbcb9dae84efc1743f0dcd8784c72debaa86841fa90d8a3c1e727d194adc022b4513484d9820777ceef4b7a0
SSDEEP

24576:R1iZQZd2PbZwVslxyAcM3wpGVkYZPGX2lxxuQQGnI:zUZTl4Ad31VkYhs+QtP

Score

10^/10

remcos udu discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

udu

UDUM.WORK.GD:2431

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
sos
mouse_option
false
mutex
udm-2WYU92
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2888	powershell.exe
2748	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe
2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe
2888	powershell.exe
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2152	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2152	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2152	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2888	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	30
PID 2712 wrote to memory of 2888	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	30
PID 2712 wrote to memory of 2888	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	30
PID 2712 wrote to memory of 2888	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	30
PID 2712 wrote to memory of 2748	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	32
PID 2712 wrote to memory of 2748	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	32
PID 2712 wrote to memory of 2748	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	32
PID 2712 wrote to memory of 2748	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	32
PID 2712 wrote to memory of 2636	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	34
PID 2712 wrote to memory of 2636	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	34
PID 2712 wrote to memory of 2636	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	34
PID 2712 wrote to memory of 2636	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	34
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36
PID 2712 wrote to memory of 2152	2712	SecuriteInfo.com.Win32.RATXgen.15616.18273.exe	36

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.15616.18273.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.15616.18273.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.15616.18273.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qmXhNnW.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmXhNnW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78A9.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.15616.18273.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.15616.18273.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sos\logs.dat

Filesize
274B

MD5
e0ce10184ff0456c225a86274e10b82f

SHA1
35c97c581c5231d3b8c0d3f4fcc334db88181eaa

SHA256
519be34077901c65019d394cb76c5239e325387066ad1c561f195f52e8cd8ad3

SHA512
0b716a49d3a032733b44680b05a0288bb1b9b05e656edef11aa9973a64df33bfca07202eba9b9135155091c04a04e513efe9790eee4b7156ba289af7e487af74

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp78A9.tmp

Filesize
1KB

MD5
fa7fbead7c0fb7a5da1918706cefc27c

SHA1
f91af81cce988b447253ac4c149dd74898f3a11f

SHA256
eeb7112c8c936d8248c1c1936c6b709a1a9740a83f1f34887c075e9c5aea9000

SHA512
eac7fccacbe22b3f7eefd9516ff4a3d07eb41a98ab1f73812e361439de3bb85fae9ba3565a14bd37a3b746e95cd31383633996d15ee8612882c8a3ebe53708b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d690e942e47d7a49374e20bd11038158

SHA1
1c658868d247f94183bd0d157e820d9ce523f6fd

SHA256
15bcf53c5326cf2a610eea38d5fd281183bead246cda5be80f9f2632810056da

SHA512
2dbe5279599ca13bd6fa21d3e1010c1fde9927bc24f5f4db1f8d2d03c5c71ccf4780a878c930bb051f1a6472a488e1475d4866e9e44f69e8d2245145b18d0afd

Download Submit
memory/2152-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2152-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2152-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2712-1-0x0000000000250000-0x0000000000356000-memory.dmp

Filesize
1.0MB

Download
memory/2712-4-0x00000000006C0000-0x00000000006D8000-memory.dmp

Filesize
96KB

Download
memory/2712-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2712-39-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-3-0x0000000004EF0000-0x0000000004FCE000-memory.dmp

Filesize
888KB

Download
memory/2712-7-0x0000000005050000-0x0000000005110000-memory.dmp

Filesize
768KB

Download
memory/2712-6-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-5-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download