remcos | b4b6159351045ef04f9ba6321722c1c1fd920eac7a3799665d2663775edfa84d

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/11/2024, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a59df37a0613dbed779ef63b1a36ecbf.exe
Size

1.0MB
MD5

a59df37a0613dbed779ef63b1a36ecbf
SHA1

4bb55b03b492e3b13ff0ae030af26701734b5cc1
SHA256

b4b6159351045ef04f9ba6321722c1c1fd920eac7a3799665d2663775edfa84d
SHA512

7d742e799de7254403760521821743902a9fb3f65d7961573cc4bdd3189037518daa3986696d15b5cf74ab17bbff7802c22e777dacb024cdfd2c27cb8a6fab46
SSDEEP

24576:crhVXoT8dOIzKDjU2x9TlneDSm+dndQiI3lzcRRN9wV:krMqm/UATReWm+ddQiI1YR

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

85.209.133.15:3310

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QFR1O5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2844	powershell.exe
2948	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 392 set thread context of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a59df37a0613dbed779ef63b1a36ecbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2844	powershell.exe
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2948	392	a59df37a0613dbed779ef63b1a36ecbf.exe	29
PID 392 wrote to memory of 2948	392	a59df37a0613dbed779ef63b1a36ecbf.exe	29
PID 392 wrote to memory of 2948	392	a59df37a0613dbed779ef63b1a36ecbf.exe	29
PID 392 wrote to memory of 2948	392	a59df37a0613dbed779ef63b1a36ecbf.exe	29
PID 392 wrote to memory of 2844	392	a59df37a0613dbed779ef63b1a36ecbf.exe	31
PID 392 wrote to memory of 2844	392	a59df37a0613dbed779ef63b1a36ecbf.exe	31
PID 392 wrote to memory of 2844	392	a59df37a0613dbed779ef63b1a36ecbf.exe	31
PID 392 wrote to memory of 2844	392	a59df37a0613dbed779ef63b1a36ecbf.exe	31
PID 392 wrote to memory of 2456	392	a59df37a0613dbed779ef63b1a36ecbf.exe	32
PID 392 wrote to memory of 2456	392	a59df37a0613dbed779ef63b1a36ecbf.exe	32
PID 392 wrote to memory of 2456	392	a59df37a0613dbed779ef63b1a36ecbf.exe	32
PID 392 wrote to memory of 2456	392	a59df37a0613dbed779ef63b1a36ecbf.exe	32
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35
PID 392 wrote to memory of 1048	392	a59df37a0613dbed779ef63b1a36ecbf.exe	35

C:\Users\Admin\AppData\Local\Temp\a59df37a0613dbed779ef63b1a36ecbf.exe
"C:\Users\Admin\AppData\Local\Temp\a59df37a0613dbed779ef63b1a36ecbf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a59df37a0613dbed779ef63b1a36ecbf.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vValwiwKfF.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vValwiwKfF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70AD.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp70AD.tmp

Filesize
1KB

MD5
008db5494e49405550b5d025140084b6

SHA1
885bb45d3e11dd682c2becc3abf28092315845a8

SHA256
b76d1fda74a7cc0459b0c2070e299f4276803f642dff78a0927c80b337faaa60

SHA512
273c2f0895e26bbe9b822c381c8e962ce1f113f505b6c483c817f5036652eda75f017aa5167810fe475c49c566665d882f85e72fb05fa2d363833966abcf62d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7BGQJLVX8J5K743NTNXC.temp

Filesize
7KB

MD5
69337e25ade0e1ab7114a1c0091e86b4

SHA1
dd3d9eb675caca79ac32d7b85a28cf4f2d3efdc3

SHA256
60c8e6ba8a9a31b646aad88c605013505c9d1d8c16815c25fff5961f262d3bf7

SHA512
369a2dcaa9e81db8fcd04c0f4bb4e79b80d497c396a49c247ce6880477941d3944a8349dba2a6a4add025d68d9cdbd9e8aea457f31908b3f939f1dd35a0ac98c

Download Submit
memory/392-40-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/392-1-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/392-2-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/392-3-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/392-4-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/392-5-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/392-6-0x0000000004F10000-0x0000000004FD0000-memory.dmp

Filesize
768KB

Download
memory/392-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/1048-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1048-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1048-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download