remcos | 39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1

General

Target

39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
Size

36KB
MD5

9aa54216394c3620f7e6131a00acd8f1
SHA1

e5016252d0fc9dc04bceef0334ca93d11e2bbdde
SHA256

39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1
SHA512

dda82fe927253230e36902f4a351e470703af3cb168984298689c7f37e293871d18eeace33ba6003c1b69727cad0a8ada740e7ec7bb428cae5a0417343a78b0c
SSDEEP

768:/5PHyCjmhFdWfLubuZ1kvIaEekM2em014r1:/5PHfjGPAKbLVS9r

Score

10^/10

remcos host discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

dmak777.ddns.net:6522

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
system.exe
copy_folder
system
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%ProgramFiles%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
system
keylog_path
%AppData%
mouse_option
true
mutex
owgaigcjgxyjhgfds
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
system
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Program Files (x86)\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\system\\system.exe\""	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Program Files (x86)\\system\\system.exe\""	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\system\\system.exe\""	system.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	system.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\system = "\"C:\\Program Files (x86)\\system\\system.exe\""	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\system = "\"C:\\Program Files (x86)\\system\\system.exe\""	system.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe

Executes dropped EXE 1 IoCs

pid	Process
4812	system.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "\"C:\\Program Files (x86)\\system\\system.exe\""	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "\"C:\\Program Files (x86)\\system\\system.exe\""	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "\"C:\\Program Files (x86)\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "\"C:\\Program Files (x86)\\system\\system.exe\""	system.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	system.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4436-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4436-6-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000800000002349e-9.dat	upx
behavioral2/memory/4812-11-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4812-13-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4812-16-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4812-18-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4812-21-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4812-23-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\system	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
File created	C:\Program Files (x86)\system\system.exe	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
File opened for modification	C:\Program Files (x86)\system\system.exe	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
384	PING.EXE

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4204	reg.exe
2964	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
384	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4812	system.exe
4812	system.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4812	system.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4812	system.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4812	system.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 1596	4436	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe	82
PID 4436 wrote to memory of 1596	4436	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe	82
PID 4436 wrote to memory of 1596	4436	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe	82
PID 1596 wrote to memory of 4204	1596	cmd.exe	84
PID 1596 wrote to memory of 4204	1596	cmd.exe	84
PID 1596 wrote to memory of 4204	1596	cmd.exe	84
PID 4436 wrote to memory of 2188	4436	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe	85
PID 4436 wrote to memory of 2188	4436	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe	85
PID 4436 wrote to memory of 2188	4436	39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe	85
PID 2188 wrote to memory of 384	2188	cmd.exe	87
PID 2188 wrote to memory of 384	2188	cmd.exe	87
PID 2188 wrote to memory of 384	2188	cmd.exe	87
PID 2188 wrote to memory of 4812	2188	cmd.exe	88
PID 2188 wrote to memory of 4812	2188	cmd.exe	88
PID 2188 wrote to memory of 4812	2188	cmd.exe	88
PID 4812 wrote to memory of 1448	4812	system.exe	89
PID 4812 wrote to memory of 1448	4812	system.exe	89
PID 4812 wrote to memory of 1448	4812	system.exe	89
PID 4812 wrote to memory of 5076	4812	system.exe	90
PID 4812 wrote to memory of 5076	4812	system.exe	90
PID 1448 wrote to memory of 2964	1448	cmd.exe	93
PID 1448 wrote to memory of 2964	1448	cmd.exe	93
PID 1448 wrote to memory of 2964	1448	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe
"C:\Users\Admin\AppData\Local\Temp\39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1.exe"
1⤵
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:384
- - C:\Program Files (x86)\system\system.exe
    "C:\Program Files (x86)\system\system.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2964
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      4⤵
      PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

4

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\system\system.exe

Filesize
36KB

MD5
9aa54216394c3620f7e6131a00acd8f1

SHA1
e5016252d0fc9dc04bceef0334ca93d11e2bbdde

SHA256
39ec963bdfd683141a24c10435e4a6104375f5c1f61af2053b017ee55b84d1c1

SHA512
dda82fe927253230e36902f4a351e470703af3cb168984298689c7f37e293871d18eeace33ba6003c1b69727cad0a8ada740e7ec7bb428cae5a0417343a78b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
201B

MD5
fe75cf2a14b462bd5fa58326f14d5ae4

SHA1
8cc55995c04240fb49fd57ed13943cbe89cb5cdf

SHA256
67722b45207ed7c391e21c8d2cdfeade76d49f22a54397d07e4513a487352169

SHA512
be5139e76204c59412cc657bea2c0cefcc770303a7ecd418edd7d108f2b6f7209b525b51a64024f704d9f25bd38fc37111cb1cb7cfd4f38b5d4ca294d6a1ca4f

Download Submit
memory/4436-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4436-6-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4812-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4812-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4812-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4812-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4812-21-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4812-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads