remcos | 700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
Size

908KB
MD5

101a0df83daf8836f9bf996d72c4c6a9
SHA1

c778e9a0ff2dab0404cf84ac4db2139aa4d2b000
SHA256

700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127
SHA512

2e6d4de5edfb066c81e08a6d04f82b09c44f520898d8328230b172dafda2197dc509dd6a58e0a345ffc74d403e9a7ff949e1ae2d20ac9f6152c41bf8bee60661
SSDEEP

24576:ZlDEOmXZLjtSvwE8hm3vVp7QbsKswxPSIk:kOUZLjAbh3vVNWRswI

Score

10^/10

remcos mekus discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

mekus

dpm-sael.com:2017

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
meckus-ODY51K
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2628	powershell.exe
2680	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
2680	powershell.exe
2628	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
536	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2628	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	31
PID 2336 wrote to memory of 2628	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	31
PID 2336 wrote to memory of 2628	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	31
PID 2336 wrote to memory of 2628	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	31
PID 2336 wrote to memory of 2680	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	33
PID 2336 wrote to memory of 2680	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	33
PID 2336 wrote to memory of 2680	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	33
PID 2336 wrote to memory of 2680	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	33
PID 2336 wrote to memory of 2740	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	34
PID 2336 wrote to memory of 2740	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	34
PID 2336 wrote to memory of 2740	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	34
PID 2336 wrote to memory of 2740	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	34
PID 2336 wrote to memory of 2756	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	37
PID 2336 wrote to memory of 2756	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	37
PID 2336 wrote to memory of 2756	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	37
PID 2336 wrote to memory of 2756	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	37
PID 2336 wrote to memory of 2560	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	38
PID 2336 wrote to memory of 2560	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	38
PID 2336 wrote to memory of 2560	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	38
PID 2336 wrote to memory of 2560	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	38
PID 2336 wrote to memory of 3068	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	39
PID 2336 wrote to memory of 3068	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	39
PID 2336 wrote to memory of 3068	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	39
PID 2336 wrote to memory of 3068	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	39
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40
PID 2336 wrote to memory of 536	2336	700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe	40

C:\Users\Admin\AppData\Local\Temp\700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
"C:\Users\Admin\AppData\Local\Temp\700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GCjswFKGCv.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GCjswFKGCv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A2.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
  "C:\Users\Admin\AppData\Local\Temp\700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe"
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
  "C:\Users\Admin\AppData\Local\Temp\700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe"
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
  "C:\Users\Admin\AppData\Local\Temp\700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe"
  2⤵
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe
  "C:\Users\Admin\AppData\Local\Temp\700abeeb6388de45b2e0c175f6de719df739b14cfd0500f3fce94e95d0a9f127.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
34a4205d597ceb4efc3e7281160f78f4

SHA1
436837d18487081e6492fe165b80f1a6c751a819

SHA256
e5949efe4d11e06e0872a082029d7e5c96391c925e31f247024ef14c438e8910

SHA512
fcc3f4a5952f49dc12c9ec837d5af1ea4f55200afbedbb7b82fd693baf46fcff6aab8ef22b100f63f286ddfc4a19dbd759d78bf78696e425aee0c1ca86d10ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A2.tmp

Filesize
1KB

MD5
8de221c658ccb33934d5084230f0325e

SHA1
584438153ff92a1a39cd7c5ffbae805abc084ccf

SHA256
1a53bdb032657bcaf71d3ef636ae38d6ce4b561eef935466d3b908c497d356c3

SHA512
eb3a48ba9a5b46c175a7c70faeb10e48b378f72990b672774a37bbfaebbaed8639b2879ce0dfb04af2b70ae0bfa18ec5bd21554831093d2a325e38c8eff3eebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
36a086e85f65afca6acdb6e6dfe3c0c3

SHA1
b1ebaa4b720bfdf5a4aaabface13587e1601ba30

SHA256
64562cf67868ee0a87882db3830c2b55b8c2ead14fcf4e1986dca37dcfc9b3b6

SHA512
2f7f658925a9fa32209bfc13625ce68f37037d888b12f65a148e3c6856c469d14659fe10e2210532315e81595e521711bf2d8ad81a6febac232fad204556d9d9

Download Submit
memory/536-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/536-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/536-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2336-4-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/2336-6-0x00000000051B0000-0x0000000005270000-memory.dmp

Filesize
768KB

Download
memory/2336-1-0x00000000001D0000-0x00000000002BA000-memory.dmp

Filesize
936KB

Download
memory/2336-0-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/2336-42-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-2-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-3-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2336-5-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download