remcos | 2e01a38518327e49082e2a07468320a453f1814644763f25c36a78dd6848697a

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TNT invoice 9.30.2024.exe
Size

1017KB
MD5

673d693b0c8b68503d64ed15fd863d61
SHA1

4fb6b11e933354b9f7c5bda096543a5d6b56ff83
SHA256

a77754ef6de4a61024e443178b88e50be8b1994f87b323ed7fa5f2f197acdab4
SHA512

3996083d6b2f207e742a81a1dd11277c1bdb2631438a0ee72eeec88a57ff39fb2a7c9a100b30bc2839519c3019129d2157e89d6ade8cc326c4073daf4cc2bd27
SSDEEP

24576:myN887MU2cPnNupjbW/5OheoofVmhGmfCtquly:myNVQUPNudihOhRdhHIqul

Score

10^/10

remcos irn discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

IRN

irnserv1.ddns.net:4424

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CA8761
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2704	powershell.exe
1864	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2128	remcos.exe
2024	remcos.exe

Loads dropped DLL 1 IoCs

pid	Process
2688	TNT invoice 9.30.2024.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	TNT invoice 9.30.2024.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	TNT invoice 9.30.2024.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-CA8761 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2128 set thread context of 2024	2128	remcos.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TNT invoice 9.30.2024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TNT invoice 9.30.2024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2508	schtasks.exe
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2704	powershell.exe
1864	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2024	remcos.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2704	2692	TNT invoice 9.30.2024.exe	28
PID 2692 wrote to memory of 2704	2692	TNT invoice 9.30.2024.exe	28
PID 2692 wrote to memory of 2704	2692	TNT invoice 9.30.2024.exe	28
PID 2692 wrote to memory of 2704	2692	TNT invoice 9.30.2024.exe	28
PID 2692 wrote to memory of 2508	2692	TNT invoice 9.30.2024.exe	30
PID 2692 wrote to memory of 2508	2692	TNT invoice 9.30.2024.exe	30
PID 2692 wrote to memory of 2508	2692	TNT invoice 9.30.2024.exe	30
PID 2692 wrote to memory of 2508	2692	TNT invoice 9.30.2024.exe	30
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2692 wrote to memory of 2688	2692	TNT invoice 9.30.2024.exe	32
PID 2688 wrote to memory of 2128	2688	TNT invoice 9.30.2024.exe	33
PID 2688 wrote to memory of 2128	2688	TNT invoice 9.30.2024.exe	33
PID 2688 wrote to memory of 2128	2688	TNT invoice 9.30.2024.exe	33
PID 2688 wrote to memory of 2128	2688	TNT invoice 9.30.2024.exe	33
PID 2128 wrote to memory of 1864	2128	remcos.exe	34
PID 2128 wrote to memory of 1864	2128	remcos.exe	34
PID 2128 wrote to memory of 1864	2128	remcos.exe	34
PID 2128 wrote to memory of 1864	2128	remcos.exe	34
PID 2128 wrote to memory of 2852	2128	remcos.exe	36
PID 2128 wrote to memory of 2852	2128	remcos.exe	36
PID 2128 wrote to memory of 2852	2128	remcos.exe	36
PID 2128 wrote to memory of 2852	2128	remcos.exe	36
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38
PID 2128 wrote to memory of 2024	2128	remcos.exe	38

C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.30.2024.exe
"C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.30.2024.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mDBLQPaU.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mDBLQPaU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AF1.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.30.2024.exe
  "C:\Users\Admin\AppData\Local\Temp\TNT invoice 9.30.2024.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mDBLQPaU.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1864
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mDBLQPaU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC7C.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2852
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
144B

MD5
aa966486f24f60283633ddd210096478

SHA1
6e3c8d8499491090e1d17ec25c39015495c8271c

SHA256
e3113cec7d01ac4eb44b20a3e5e578343352756a5aa776be1d7b3e1bc2d68db3

SHA512
4058eba30d4b3bfec87b874734cec3a217a9e95c10f39dedc7e0e050590e7d4ae340f329dc3dee537cdbf70d50c83b40648f1c5195a3e2ff24986a269553173f

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1017KB

MD5
673d693b0c8b68503d64ed15fd863d61

SHA1
4fb6b11e933354b9f7c5bda096543a5d6b56ff83

SHA256
a77754ef6de4a61024e443178b88e50be8b1994f87b323ed7fa5f2f197acdab4

SHA512
3996083d6b2f207e742a81a1dd11277c1bdb2631438a0ee72eeec88a57ff39fb2a7c9a100b30bc2839519c3019129d2157e89d6ade8cc326c4073daf4cc2bd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AF1.tmp

Filesize
1KB

MD5
295d0d4cc758b4d45d44098d22aab488

SHA1
01d7cf7d2f729af34401995695c579cc6adcae62

SHA256
f2c3b6bff401d0d55b7890541bb5da1bdf9828c0d7f3e93f9d10e36c299f88cc

SHA512
edab08dfc7e313df9aa14b02ac0106e1096a1d6500bd8d4f32c095f20421c9fb22def51ec28178cfcd475104cd009cc98f455bee82e81afe440448a32207a79c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
07ccfc3b43d500c1e4e75b42f0281bd9

SHA1
de7c2b66bf2e94749d43bcd057795e5f083ff5d6

SHA256
3757ecb3e40dfd72791fcb917bcfb7cbd105afe2b3796b43682478c0dfb9bc50

SHA512
50d2ca38011cedcbbd1227479ea8cf49a02337a52779cbf29a9ddab296814c5af4fda789a39fead4ca785849dda0a073ed33fb2dd23363b87b1ad7e64d6ec2fc

Download Submit
memory/2024-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2024-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2024-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2024-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2128-41-0x0000000000D50000-0x0000000000E54000-memory.dmp

Filesize
1.0MB

Download
memory/2688-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2688-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-34-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/2692-6-0x0000000000930000-0x00000000009F0000-memory.dmp

Filesize
768KB

Download
memory/2692-5-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-4-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/2692-3-0x00000000006D0000-0x00000000006EE000-memory.dmp

Filesize
120KB

Download
memory/2692-2-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-1-0x0000000001280000-0x0000000001384000-memory.dmp

Filesize
1.0MB

Download