remcos | a72d8b61eaf5eb63dbf71fd2fdb64d2f51c0f9c9381ffff75c0aea44fafb6693

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TNT invoice 9.26.2024 .exe
Size

881KB
MD5

7afd5be4b77090388ddecb8169cf0bc3
SHA1

d3b6ba2e53aed1471c12196c577b7be56d14cf2f
SHA256

68a4b0d743c427d59d076376e5c3a131ee7ab29cdc959b8872735c06b70b7036
SHA512

2f16fce3f75bce88c79286f41010d76691fe0fab37c4fad814867b819c60c81fe4dff17ad722952cc6c7a7d99aaec75d51d2fd16350babb8d3388e11d2236a06
SSDEEP

24576:VE8AE9lxicGLP0CDyB/1FNlUcDos713jb:VExsxiTVe1F/UcDosVb

Score

10^/10

remcos irn discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

IRN

irnserv1.ddns.net:4424

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CA8761
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2672	powershell.exe
2392	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2536	remcos.exe
2824	remcos.exe

Loads dropped DLL 1 IoCs

pid	Process
1624	TNT invoice 9.26.2024 .exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	TNT invoice 9.26.2024 .exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	TNT invoice 9.26.2024 .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 468 set thread context of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 2536 set thread context of 2824	2536	remcos.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TNT invoice 9.26.2024 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TNT invoice 9.26.2024 .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe
2916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2672	powershell.exe
2392	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2824	remcos.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 2672	468	TNT invoice 9.26.2024 .exe	30
PID 468 wrote to memory of 2672	468	TNT invoice 9.26.2024 .exe	30
PID 468 wrote to memory of 2672	468	TNT invoice 9.26.2024 .exe	30
PID 468 wrote to memory of 2672	468	TNT invoice 9.26.2024 .exe	30
PID 468 wrote to memory of 2736	468	TNT invoice 9.26.2024 .exe	32
PID 468 wrote to memory of 2736	468	TNT invoice 9.26.2024 .exe	32
PID 468 wrote to memory of 2736	468	TNT invoice 9.26.2024 .exe	32
PID 468 wrote to memory of 2736	468	TNT invoice 9.26.2024 .exe	32
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 468 wrote to memory of 1624	468	TNT invoice 9.26.2024 .exe	34
PID 1624 wrote to memory of 2536	1624	TNT invoice 9.26.2024 .exe	35
PID 1624 wrote to memory of 2536	1624	TNT invoice 9.26.2024 .exe	35
PID 1624 wrote to memory of 2536	1624	TNT invoice 9.26.2024 .exe	35
PID 1624 wrote to memory of 2536	1624	TNT invoice 9.26.2024 .exe	35
PID 2536 wrote to memory of 2392	2536	remcos.exe	36
PID 2536 wrote to memory of 2392	2536	remcos.exe	36
PID 2536 wrote to memory of 2392	2536	remcos.exe	36
PID 2536 wrote to memory of 2392	2536	remcos.exe	36
PID 2536 wrote to memory of 2916	2536	remcos.exe	38
PID 2536 wrote to memory of 2916	2536	remcos.exe	38
PID 2536 wrote to memory of 2916	2536	remcos.exe	38
PID 2536 wrote to memory of 2916	2536	remcos.exe	38
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40
PID 2536 wrote to memory of 2824	2536	remcos.exe	40

C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe
"C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GLFzLcBn.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLFzLcBn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB847.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe
  "C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.26.2024 .exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GLFzLcBn.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2392
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLFzLcBn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF038.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2916
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
144B

MD5
12bc998c6ce14056fc962a8c7e268d8c

SHA1
ed485bca1f96e3999b971341df34baf53a4c378a

SHA256
ede232f301376810f5268aa2d875dc24268365b815e41bf72f6b8f7d6fc3c5ed

SHA512
0869c7b127853425a3c22858b07ed55d43134aecf4008b5ab4298a623c805957ff41b0497d94865de877a8fa6fafb0dc315c809c35a821012d5f496485e20ecb

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
881KB

MD5
7afd5be4b77090388ddecb8169cf0bc3

SHA1
d3b6ba2e53aed1471c12196c577b7be56d14cf2f

SHA256
68a4b0d743c427d59d076376e5c3a131ee7ab29cdc959b8872735c06b70b7036

SHA512
2f16fce3f75bce88c79286f41010d76691fe0fab37c4fad814867b819c60c81fe4dff17ad722952cc6c7a7d99aaec75d51d2fd16350babb8d3388e11d2236a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB847.tmp

Filesize
1KB

MD5
629ca32da307f6470434ccb863c8d549

SHA1
c49ef8c703ed2a14821f11c8ccd3fba832b56999

SHA256
c1153a84c5ae963abc2536145f9b5b1667a56c0558d0fee7f413b5a1985f3320

SHA512
641ca4c56fa1c93587c7340bab31a8b3790fc3cec665a040cc74bd477910af1ea7bb017591806145deb9dca796ea380dc35ec1479680837dd4854bff7d5c497d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7c8172fe77c6d3962a8fa6e0318a277a

SHA1
7675732a79ef842eb68d90a354714e0f3a9d3375

SHA256
70a9a227ffad45582c75a48d3731e42363cc28723a36d953de122401006d8ac6

SHA512
75d7cf19cd7bc03fc86ae2010ab19d14b9eb887320bed06d0f012f7dd5aec749d0c5c37830bb255a13fef08edcc23601d237b1be894642ae8b52b329a74d603c

Download Submit
memory/468-40-0x00000000749B0000-0x000000007509E000-memory.dmp

Filesize
6.9MB

Download
memory/468-5-0x00000000749B0000-0x000000007509E000-memory.dmp

Filesize
6.9MB

Download
memory/468-6-0x0000000005430000-0x00000000054F0000-memory.dmp

Filesize
768KB

Download
memory/468-4-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/468-1-0x0000000000900000-0x00000000009E2000-memory.dmp

Filesize
904KB

Download
memory/468-2-0x00000000749B0000-0x000000007509E000-memory.dmp

Filesize
6.9MB

Download
memory/468-0-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/468-3-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/1624-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2536-41-0x0000000000AD0000-0x0000000000BB2000-memory.dmp

Filesize
904KB

Download
memory/2824-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2824-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2824-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2824-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download