remcos | b93408af1dfa127e3b11d16cd92dab65f448d77fa933259c139bb0f0e6d33a75

Analysis

max time kernel
119s
max time network
125s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
05/10/2024, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Confirmation Order.exe
Size

892KB
MD5

3b13b07b05ea3f2084ee3c38080fffe3
SHA1

dde112544004281ad7d02b36c607bc4a258f22a6
SHA256

b93408af1dfa127e3b11d16cd92dab65f448d77fa933259c139bb0f0e6d33a75
SHA512

c09987d78d52fc94bc991b40380b6f5752f1b15139850d24ed93e9ea8ce74add4b4b477493fb8c0a6980de9e14fb511123e2571622c3c5a46f4402f09d037fe0
SSDEEP

12288:5Eqv8RratEshTEMAiqoWpVvfS4D36FUOJT02id9IV/SxjTWAY+acgp8bQbQk:J8OZTEMAifWTvfuL42id94cgGIQ

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:59321

nnamoo.duckdns.org:59321

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-41EVS0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2352	powershell.exe
1272	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1592 set thread context of 216	1592	Confirmation Order.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Confirmation Order.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Confirmation Order.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2352	powershell.exe
1592	Confirmation Order.exe
1592	Confirmation Order.exe
1272	powershell.exe
1272	powershell.exe
2352	powershell.exe
1272	powershell.exe
2352	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1592	Confirmation Order.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 2352	1592	Confirmation Order.exe	71
PID 1592 wrote to memory of 2352	1592	Confirmation Order.exe	71
PID 1592 wrote to memory of 2352	1592	Confirmation Order.exe	71
PID 1592 wrote to memory of 1272	1592	Confirmation Order.exe	73
PID 1592 wrote to memory of 1272	1592	Confirmation Order.exe	73
PID 1592 wrote to memory of 1272	1592	Confirmation Order.exe	73
PID 1592 wrote to memory of 1180	1592	Confirmation Order.exe	74
PID 1592 wrote to memory of 1180	1592	Confirmation Order.exe	74
PID 1592 wrote to memory of 1180	1592	Confirmation Order.exe	74
PID 1592 wrote to memory of 560	1592	Confirmation Order.exe	77
PID 1592 wrote to memory of 560	1592	Confirmation Order.exe	77
PID 1592 wrote to memory of 560	1592	Confirmation Order.exe	77
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78
PID 1592 wrote to memory of 216	1592	Confirmation Order.exe	78

C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bDXSeyoVzkpA.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bDXSeyoVzkpA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp838.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe"
  2⤵
  PID:560
- C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Confirmation Order.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
308a486d9ff6b72bb3600318728c0dd9

SHA1
363f1a8b273d1b7e0356b03b04ecfe5702e43a13

SHA256
f33dc739713f18979ba95608a857567e0eadc40e1c4559f6f0035dd2f0458923

SHA512
51a525d7b4895dce73cb665f8362e75a2a7fd35488220a1980aa89a82a55cf9cb9bf82e40e05a17c890be59eecbc4fe0233b70979486a1fdce84a6bdd59398da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f02t0t2b.t40.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp838.tmp

Filesize
1KB

MD5
b4d84cc41b1d80fedcdf0688d37ab2de

SHA1
2f67074a867128def0bab83a352f470db9a2553f

SHA256
a5517534690b6dc43394e27b8097e1c7d7879469f1bfe4f1c24d94f7e16fa82d

SHA512
fda8978e07fbc46032dcb37374d041bfaa76945d666f9e95b1dac49ca6999ef0d174f3e2573dde1079a987f3e07989236e3ad0037036ef7b3d8138bdca4d6d19

Download Submit
memory/216-522-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-546-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-572-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-571-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-570-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-569-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-568-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-567-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-566-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-523-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-564-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-563-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-562-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-561-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-560-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-559-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-558-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-557-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-556-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-555-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-554-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-553-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-552-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-551-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-550-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-549-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-548-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-521-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-547-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-545-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-544-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-232-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-543-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-542-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-503-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-541-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-540-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-539-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-538-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-537-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-565-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-524-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-525-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-526-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-527-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-528-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-529-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-530-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-531-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-532-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-533-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-534-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-535-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/216-536-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1272-78-0x0000000008A60000-0x0000000008A93000-memory.dmp

Filesize
204KB

Download
memory/1272-23-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/1272-519-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/1272-27-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/1272-35-0x0000000007320000-0x0000000007670000-memory.dmp

Filesize
3.3MB

Download
memory/1272-81-0x0000000008A40000-0x0000000008A5E000-memory.dmp

Filesize
120KB

Download
memory/1272-477-0x0000000008F20000-0x0000000008F3A000-memory.dmp

Filesize
104KB

Download
memory/1272-37-0x0000000007690000-0x00000000076AC000-memory.dmp

Filesize
112KB

Download
memory/1272-38-0x0000000007DA0000-0x0000000007DEB000-memory.dmp

Filesize
300KB

Download
memory/1272-79-0x0000000074310000-0x000000007435B000-memory.dmp

Filesize
300KB

Download
memory/1592-5-0x0000000004BA0000-0x0000000004BAA000-memory.dmp

Filesize
40KB

Download
memory/1592-36-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/1592-6-0x0000000006790000-0x00000000067A2000-memory.dmp

Filesize
72KB

Download
memory/1592-3-0x0000000004B00000-0x0000000004B92000-memory.dmp

Filesize
584KB

Download
memory/1592-7-0x0000000073B4E000-0x0000000073B4F000-memory.dmp

Filesize
4KB

Download
memory/1592-8-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/1592-9-0x0000000006AC0000-0x0000000006B7E000-memory.dmp

Filesize
760KB

Download
memory/1592-10-0x0000000009250000-0x00000000092EC000-memory.dmp

Filesize
624KB

Download
memory/1592-0-0x0000000073B4E000-0x0000000073B4F000-memory.dmp

Filesize
4KB

Download
memory/1592-2-0x00000000050D0000-0x00000000055CE000-memory.dmp

Filesize
5.0MB

Download
memory/1592-4-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/1592-1-0x00000000001D0000-0x00000000002B6000-memory.dmp

Filesize
920KB

Download
memory/2352-28-0x0000000006C90000-0x0000000006CF6000-memory.dmp

Filesize
408KB

Download
memory/2352-20-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/2352-26-0x0000000006AF0000-0x0000000006B56000-memory.dmp

Filesize
408KB

Download
memory/2352-33-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/2352-520-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/2352-22-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/2352-21-0x0000000006DD0000-0x00000000073F8000-memory.dmp

Filesize
6.2MB

Download
memory/2352-25-0x0000000006A40000-0x0000000006A62000-memory.dmp

Filesize
136KB

Download
memory/2352-17-0x00000000040F0000-0x0000000004126000-memory.dmp

Filesize
216KB

Download
memory/2352-486-0x0000000008F70000-0x0000000008F78000-memory.dmp

Filesize
32KB

Download
memory/2352-91-0x0000000008FD0000-0x0000000009064000-memory.dmp

Filesize
592KB

Download
memory/2352-90-0x0000000008E00000-0x0000000008EA5000-memory.dmp

Filesize
660KB

Download
memory/2352-41-0x0000000007C10000-0x0000000007C86000-memory.dmp

Filesize
472KB

Download
memory/2352-80-0x0000000074310000-0x000000007435B000-memory.dmp

Filesize
300KB

Download