remcos | d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc

General

Target

d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe
Size

881KB
MD5

a1b7c41a0ef9eb2af3337a97127329d9
SHA1

c94ffbdc29ab82e90b704e33838a1ea6af3cf14a
SHA256

d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc
SHA512

4cd922ffff1940fdea5350b98a54954970f200c3a5c23c2117f8cbcf48bf389c170506b9760b949357d378734e60634512a2801f9a37512f7cf6f12a97147e1e
SSDEEP

24576:5rEmwPVpOaOXAHs2NAZZHy0SUAP2F/cvn:SZtpxOl2NAZ5fD/

Score

10^/10

remcos mekus discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

mekus

C2

dpm-sael.com:2017

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
meckus-ODY51K
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2800	powershell.exe
1136	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2800	powershell.exe
1136	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2092	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2800	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	30
PID 2008 wrote to memory of 2800	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	30
PID 2008 wrote to memory of 2800	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	30
PID 2008 wrote to memory of 2800	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	30
PID 2008 wrote to memory of 1136	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	32
PID 2008 wrote to memory of 1136	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	32
PID 2008 wrote to memory of 1136	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	32
PID 2008 wrote to memory of 1136	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	32
PID 2008 wrote to memory of 2940	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	33
PID 2008 wrote to memory of 2940	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	33
PID 2008 wrote to memory of 2940	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	33
PID 2008 wrote to memory of 2940	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	33
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36
PID 2008 wrote to memory of 2092	2008	d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe	36

C:\Users\Admin\AppData\Local\Temp\d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe
"C:\Users\Admin\AppData\Local\Temp\d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rxoPEmTYk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rxoPEmTYk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2202.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe
  "C:\Users\Admin\AppData\Local\Temp\d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
7f2fde5e1171726c16f34b36f8a24db5

SHA1
f3339a76f0b29223b18651b3c6a9931671f697c4

SHA256
a682aff57fa18b095f2251d3ce33aaa8b6f4177e6100f1650080d3422ae017c5

SHA512
a2c97f5b69eece0733195455400850a2819f5a6ab00a599c96ad77099fa6e5c9872fc150dc9cf9cef3df86f156f30718a0e7f48b5be36dabe6e584df116025d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2202.tmp

Filesize
1KB

MD5
9752bb7fccc9967498df7fcf9ba07afb

SHA1
409b45c1bdfa2d3ffc99c2613ef4e477b71284d4

SHA256
856d6fd6e14b402745d0f2d190413ff64521f7225d85d2d5dfe391a392baf580

SHA512
e1f3d24b75b1a44b59a0ce70f771202b419980892faaa91a4e61e4439f8e29201e218223624f8e18e4efb4fe3511e1c206759a69d62dd975fed98c1c11f92887

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HLNPFRD6PBF2F1JNJQOE.temp

Filesize
7KB

MD5
a6fee0214ab9c789a88096331780a43c

SHA1
c8dd697e7769888f50963229d108c5b7cadd888d

SHA256
448e1b2f9f2acca1dd23175bd3955e162b9a56560b60e133f0631b7476e841a9

SHA512
3c1a6882777d34c5bf0bb891f806f1aa7f2a0a84ff7cc63e548b24b44ba11c70a95dba9a7fc2b2f9406cdbe3ba095d71e94e31dd07b33eb476a80ff27a319e95

Download Submit
memory/2008-41-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2008-1-0x0000000000270000-0x0000000000352000-memory.dmp

Filesize
904KB

Download
memory/2008-2-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2008-3-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2008-4-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2008-5-0x00000000056C0000-0x0000000005780000-memory.dmp

Filesize
768KB

Download
memory/2008-0-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/2092-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2092-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads