remcos | 8a29397afb6adfd188034cd2307bc1cae40d04f0c33ce0c170539ecc030b59cb

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice.GT872905.pdf.exe
Size

429KB
MD5

7e6fef3fa9dd8c30cc008589b0a70ad6
SHA1

07079f7f8ba3965042b8d4f665d74d2587563300
SHA256

cd5de9645bcf37759921a67c205b215141ac17cc47281a159f2eada11e6f45ca
SHA512

9a7b8f7c5a113fd0140bdee54ede2381e10441d64602ba2e4a7b34ce410ff2b6fd775ff79f78d421df0dabd90a245f354f0bd2afd45be376ef9f35fe0e4a97f8
SSDEEP

6144:O5dm2Gdz+WiLrCXXifndEqSn4i4fFBnvTctYj3ZuDRJl8nkSC6ao:2NVWSrCqndEqS4tBotYj3Zuctao

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

212.162.149.226:9285

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
AppUpdate
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VCJ8ZS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
AppUpdate
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2168 created 3520	2168	Invoice.GT872905.pdf.exe	56
PID 4228 created 3520	4228	remcos.exe	56

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Invoice.GT872905.pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webcam.vbs	Invoice.GT872905.pdf.exe

Executes dropped EXE 2 IoCs

pid	Process
4228	remcos.exe
3244	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	Invoice.GT872905.pdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\""	Invoice.GT872905.pdf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 4228 set thread context of 3244	4228	remcos.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Invoice.GT872905.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Invoice.GT872905.pdf.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	Invoice.GT872905.pdf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2168	Invoice.GT872905.pdf.exe
4228	remcos.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	Invoice.GT872905.pdf.exe
Token: SeDebugPrivilege	2168	Invoice.GT872905.pdf.exe
Token: SeDebugPrivilege	4228	remcos.exe
Token: SeDebugPrivilege	4228	remcos.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 2168 wrote to memory of 5068	2168	Invoice.GT872905.pdf.exe	92
PID 5068 wrote to memory of 3720	5068	Invoice.GT872905.pdf.exe	93
PID 5068 wrote to memory of 3720	5068	Invoice.GT872905.pdf.exe	93
PID 5068 wrote to memory of 3720	5068	Invoice.GT872905.pdf.exe	93
PID 3720 wrote to memory of 4500	3720	WScript.exe	94
PID 3720 wrote to memory of 4500	3720	WScript.exe	94
PID 3720 wrote to memory of 4500	3720	WScript.exe	94
PID 4500 wrote to memory of 4228	4500	cmd.exe	96
PID 4500 wrote to memory of 4228	4500	cmd.exe	96
PID 4500 wrote to memory of 4228	4500	cmd.exe	96
PID 4228 wrote to memory of 3244	4228	remcos.exe	103
PID 4228 wrote to memory of 3244	4228	remcos.exe	103
PID 4228 wrote to memory of 3244	4228	remcos.exe	103
PID 4228 wrote to memory of 3244	4228	remcos.exe	103
PID 4228 wrote to memory of 3244	4228	remcos.exe	103
PID 4228 wrote to memory of 3244	4228	remcos.exe	103
PID 4228 wrote to memory of 3244	4228	remcos.exe	103
PID 4228 wrote to memory of 3244	4228	remcos.exe	103
PID 4228 wrote to memory of 3244	4228	remcos.exe	103
PID 4228 wrote to memory of 3244	4228	remcos.exe	103
PID 4228 wrote to memory of 3244	4228	remcos.exe	103
PID 4228 wrote to memory of 3244	4228	remcos.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\Invoice.GT872905.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Invoice.GT872905.pdf.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\Invoice.GT872905.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Invoice.GT872905.pdf.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\ProgramData\AppUpdate\remcos.exe
        
        C:\ProgramData\AppUpdate\remcos.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4228
- C:\ProgramData\AppUpdate\remcos.exe
  "C:\ProgramData\AppUpdate\remcos.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AppUpdate\remcos.exe

Filesize
429KB

MD5
7e6fef3fa9dd8c30cc008589b0a70ad6

SHA1
07079f7f8ba3965042b8d4f665d74d2587563300

SHA256
cd5de9645bcf37759921a67c205b215141ac17cc47281a159f2eada11e6f45ca

SHA512
9a7b8f7c5a113fd0140bdee54ede2381e10441d64602ba2e4a7b34ce410ff2b6fd775ff79f78d421df0dabd90a245f354f0bd2afd45be376ef9f35fe0e4a97f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
392B

MD5
046708368578d720d91fb9ceecec742e

SHA1
1dc732f67f48a1d5694f4cf14a8d279dbd1d6ee6

SHA256
04f4edc28e97a16f93cf7acac864aba17cc467282550ae61baac719262be6f5e

SHA512
9106f645ee74c9e061fcb396a00d706512d41054a356125f26a10d42390d8f0d3ea3dd785393bf5de358b62464ec3c0f7d2e27411e87bb408581f820c427e7f0

Download Submit
memory/2168-0-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x0000000000100000-0x0000000000172000-memory.dmp

Filesize
456KB

Download
memory/2168-2-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/2168-3-0x0000000005DB0000-0x0000000005ED4000-memory.dmp

Filesize
1.1MB

Download
memory/2168-4-0x0000000006480000-0x0000000006A24000-memory.dmp

Filesize
5.6MB

Download
memory/2168-5-0x0000000005F80000-0x0000000006012000-memory.dmp

Filesize
584KB

Download
memory/2168-17-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-29-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-69-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-67-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-65-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-63-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-61-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-59-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-57-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-56-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-53-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-51-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-49-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-47-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-45-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-43-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-41-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-39-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-37-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-35-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-31-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-27-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-23-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-21-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-19-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-15-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-13-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-11-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-9-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-33-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-6-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-25-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-7-0x0000000005DB0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/2168-1080-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/2168-1081-0x00000000060F0000-0x0000000006186000-memory.dmp

Filesize
600KB

Download
memory/2168-1082-0x0000000006190000-0x00000000061DC000-memory.dmp

Filesize
304KB

Download
memory/2168-1085-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/2168-1088-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/2168-1089-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/2168-1087-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/2168-1090-0x0000000006360000-0x00000000063B4000-memory.dmp

Filesize
336KB

Download
memory/2168-1096-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4228-2184-0x00000000066D0000-0x0000000006724000-memory.dmp

Filesize
336KB

Download
memory/5068-1099-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5068-1102-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download