remcos | d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82

General

Target

d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82N.exe
Size

140KB
MD5

1be47bc640984a6ef5a258f12c902de0
SHA1

f1c2872e67f39aabc821973ddfa0db335414a57b
SHA256

d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82
SHA512

8b4af1bb3d980d2d0cd456ebe56ad83137406e71d594fc2122cab4a37b2024a757b33ef88daeb5d54018bd08dc5d3bf1c6a32247f66c9917a72e2610c5db6677
SSDEEP

3072:xPd4n/M+WLcilrpgGH/GwY87mVmIXhIHys:xP6/M+WLckOBhVmI5s

Score

10^/10

remcos host discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
OfficeUpgrade.exe
copy_folder
OfficeUpgrade
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
Upgrader.dat
keylog_flag
false
keylog_folder
Upgrader
keylog_path
%AppData%
mouse_option
false
mutex
req_khauflaoyr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
OfficeUpgrade
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2184	wn2ra4ohzdr.exe
2916	wn2ra4ohzdr.exe

Loads dropped DLL 1 IoCs

pid	Process
2304	d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe"	d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 2916	2184	wn2ra4ohzdr.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wn2ra4ohzdr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wn2ra4ohzdr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2916	wn2ra4ohzdr.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2184	2304	d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82N.exe	30
PID 2304 wrote to memory of 2184	2304	d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82N.exe	30
PID 2304 wrote to memory of 2184	2304	d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82N.exe	30
PID 2304 wrote to memory of 2184	2304	d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82N.exe	30
PID 2184 wrote to memory of 2916	2184	wn2ra4ohzdr.exe	31
PID 2184 wrote to memory of 2916	2184	wn2ra4ohzdr.exe	31
PID 2184 wrote to memory of 2916	2184	wn2ra4ohzdr.exe	31
PID 2184 wrote to memory of 2916	2184	wn2ra4ohzdr.exe	31
PID 2184 wrote to memory of 2916	2184	wn2ra4ohzdr.exe	31
PID 2184 wrote to memory of 2916	2184	wn2ra4ohzdr.exe	31
PID 2184 wrote to memory of 2916	2184	wn2ra4ohzdr.exe	31
PID 2184 wrote to memory of 2916	2184	wn2ra4ohzdr.exe	31
PID 2184 wrote to memory of 2916	2184	wn2ra4ohzdr.exe	31
PID 2184 wrote to memory of 2916	2184	wn2ra4ohzdr.exe	31

C:\Users\Admin\AppData\Local\Temp\d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82N.exe
"C:\Users\Admin\AppData\Local\Temp\d14a38d2c9b1e72793190664f295860f637ceaa4a4a0d3293d6432e0e0d13a82N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
  "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
    "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe

Filesize
140KB

MD5
5b33d551813a0dc5067e954882a66f24

SHA1
2e16abdb0438691346e32cdbd4f4005c368bbfeb

SHA256
8ee5bc291a47e45fc03d6a294d9882ad7d42173ef16c0e79e065e00688dc5209

SHA512
3cc22d3ba205a35be28abc08c3a1406630326521e4363558a43a911dff656bea5d601902c49a766ab5bc2d9736b43929a4d55262c3747a4782c12522a7a1c718

Download Submit
memory/2184-13-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2184-36-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2184-35-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2184-16-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2184-14-0x0000000000E20000-0x0000000000E48000-memory.dmp

Filesize
160KB

Download
memory/2304-17-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-12-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/2304-15-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-3-0x0000000000610000-0x0000000000630000-memory.dmp

Filesize
128KB

Download
memory/2304-0-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/2304-1-0x00000000012C0000-0x00000000012E8000-memory.dmp

Filesize
160KB

Download
memory/2304-2-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2916-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2916-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2916-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2916-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2916-18-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2916-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2916-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2916-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2916-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads