remcos | 09c15114a15d5569cb510bbe093d1a9dc1fc7f6dc255aa6b0ef9077156c2f6ac

Analysis

max time kernel
158s
max time network
168s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8560d2cdf6bd8ffb30fe031081360c1f.exe
Size

1024.0MB
MD5

a832f6cf4b13db85c4e3d4a5c563800d
SHA1

af788bb64b532ad62a64af98f6eeec316efcbd72
SHA256

52e9fae2db9e0b5af5c4e28c52508a482348c085fd83e3a2d549c5d676b24470
SHA512

7ee6c7c5529ee55f642c79d1ccd160e1d8183b13edf216a9693163f9acf84c6d355dcd028c41c1f022bc1799ba8852eff30f78e3ea68fa505b606e46c08c2547
SSDEEP

12288:75RVeIv1Jyhik2XF62YPtnsMg9t4q78cjNgT8Yz48h7UJ:9RVeIv1JygrV6XtsRVUS81UJ

Score

10^/10

remcos plata discovery rat

Malware Config

Extracted

Family

remcos

Botnet

PLATA

comercio43.con-ip.com:1835

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
data34
mouse_option
false
mutex
kiustong-7N6PEP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
1736	AppData.exe
1108	AppData.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 1736 set thread context of 2832	1736	AppData.exe	40
PID 1108 set thread context of 2204	1108	AppData.exe	49

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8560d2cdf6bd8ffb30fe031081360c1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2904	schtasks.exe
2452	schtasks.exe
2016	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2164	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2164	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	29
PID 2172 wrote to memory of 2856	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	30
PID 2172 wrote to memory of 2856	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	30
PID 2172 wrote to memory of 2856	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	30
PID 2172 wrote to memory of 2856	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	30
PID 2172 wrote to memory of 2952	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	32
PID 2172 wrote to memory of 2952	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	32
PID 2172 wrote to memory of 2952	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	32
PID 2172 wrote to memory of 2952	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	32
PID 2952 wrote to memory of 2904	2952	cmd.exe	34
PID 2952 wrote to memory of 2904	2952	cmd.exe	34
PID 2952 wrote to memory of 2904	2952	cmd.exe	34
PID 2952 wrote to memory of 2904	2952	cmd.exe	34
PID 2172 wrote to memory of 2692	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	35
PID 2172 wrote to memory of 2692	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	35
PID 2172 wrote to memory of 2692	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	35
PID 2172 wrote to memory of 2692	2172	8560d2cdf6bd8ffb30fe031081360c1f.exe	35
PID 3040 wrote to memory of 1736	3040	taskeng.exe	39
PID 3040 wrote to memory of 1736	3040	taskeng.exe	39
PID 3040 wrote to memory of 1736	3040	taskeng.exe	39
PID 3040 wrote to memory of 1736	3040	taskeng.exe	39
PID 3040 wrote to memory of 1736	3040	taskeng.exe	39
PID 3040 wrote to memory of 1736	3040	taskeng.exe	39
PID 3040 wrote to memory of 1736	3040	taskeng.exe	39
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 2832	1736	AppData.exe	40
PID 1736 wrote to memory of 1524	1736	AppData.exe	41
PID 1736 wrote to memory of 1524	1736	AppData.exe	41
PID 1736 wrote to memory of 1524	1736	AppData.exe	41
PID 1736 wrote to memory of 1524	1736	AppData.exe	41
PID 1736 wrote to memory of 836	1736	AppData.exe	43
PID 1736 wrote to memory of 836	1736	AppData.exe	43
PID 1736 wrote to memory of 836	1736	AppData.exe	43
PID 1736 wrote to memory of 836	1736	AppData.exe	43
PID 836 wrote to memory of 2452	836	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\8560d2cdf6bd8ffb30fe031081360c1f.exe
"C:\Users\Admin\AppData\Local\Temp\8560d2cdf6bd8ffb30fe031081360c1f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\8560d2cdf6bd8ffb30fe031081360c1f.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692

C:\Windows\system32\taskeng.exe
taskeng.exe {4F8B0B76-43C1-46C2-96D4-F738D5E7474E} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:852
- C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:636
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\data34\registros.dat

Filesize
144B

MD5
c79f31d51ca595205f19a8c3296b9cea

SHA1
585d4b2063eebe5042d7d88324913e9f7f5fae73

SHA256
a0f2f93a74743e171145b2bace3d4cb337a84cea2e0f2814d9b3fe87f8be3136

SHA512
af437301b5fe469debc19c7922ff3ab8aba7a932f75e634b37368d23d3893660937df1a23bfd8787e61ecdf562b36fb6ca6e73c974a6a0bd6ee0569ce011e320

Download Submit
memory/1108-84-0x0000000000D90000-0x0000000000E76000-memory.dmp

Filesize
920KB

Download
memory/1736-45-0x0000000000D90000-0x0000000000E76000-memory.dmp

Filesize
920KB

Download
memory/2164-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-6-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-3-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2164-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2172-2-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-33-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-1-0x0000000000E10000-0x0000000000EF6000-memory.dmp

Filesize
920KB

Download
memory/2172-0-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads