remcos | 0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23350a33531966fa6a0cf02f9c27f053.exe
Size

466KB
MD5

23350a33531966fa6a0cf02f9c27f053
SHA1

1f53024c59b6b65fcf032bd5bb69cedbdcc67dfa
SHA256

0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d
SHA512

b6f8bbbbc5bf9b4d982bdab369513b5667835aa6660678917c259b599d563c7ad2d8f5233e4c62d962523393d8faa51087e3696fa72cabbde81ec1a39d3adfac
SSDEEP

12288:JuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDS57G+DY:809AfNIEYsunZvZ19ZiGs

Score

10^/10

remcos r2411 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

R2411

cc.shinrarigs.com:2404

45.32.129.178:2404

Attributes

audio_folder
MicRecords (em inglês)
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
BraveSharedUpdater.exe
copy_folder
BraveShared
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
BravePrivate
mouse_option
false
mutex
Brv-Q0EV0O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de tela
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	BraveSharedUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Brv-Q0EV0O = "\"C:\\Users\\Admin\\AppData\\Roaming\\BraveShared\\BraveSharedUpdater.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	23350a33531966fa6a0cf02f9c27f053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	23350a33531966fa6a0cf02f9c27f053.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	BraveSharedUpdater.exe

Executes dropped EXE 2 IoCs

pid	Process
2800	BraveSharedUpdater.exe
2724	BraveSharedUpdater.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	23350a33531966fa6a0cf02f9c27f053.exe
2856	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	BraveSharedUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	BraveSharedUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\Users\\Admin\\AppData\\Roaming\\BraveShared\\BraveSharedUpdater.exe\""	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\Users\\Admin\\AppData\\Roaming\\BraveShared\\BraveSharedUpdater.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	23350a33531966fa6a0cf02f9c27f053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Brv-Q0EV0O = "\"C:\\ProgramData\\BraveShared\\BraveSharedUpdater.exe\""	23350a33531966fa6a0cf02f9c27f053.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2800 set thread context of 2856	2800	BraveSharedUpdater.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BraveSharedUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23350a33531966fa6a0cf02f9c27f053.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2784	reg.exe
2116	reg.exe
2576	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2800	BraveSharedUpdater.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2800	BraveSharedUpdater.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2244	2188	23350a33531966fa6a0cf02f9c27f053.exe	30
PID 2188 wrote to memory of 2244	2188	23350a33531966fa6a0cf02f9c27f053.exe	30
PID 2188 wrote to memory of 2244	2188	23350a33531966fa6a0cf02f9c27f053.exe	30
PID 2188 wrote to memory of 2244	2188	23350a33531966fa6a0cf02f9c27f053.exe	30
PID 2244 wrote to memory of 2784	2244	cmd.exe	32
PID 2244 wrote to memory of 2784	2244	cmd.exe	32
PID 2244 wrote to memory of 2784	2244	cmd.exe	32
PID 2244 wrote to memory of 2784	2244	cmd.exe	32
PID 2188 wrote to memory of 2800	2188	23350a33531966fa6a0cf02f9c27f053.exe	33
PID 2188 wrote to memory of 2800	2188	23350a33531966fa6a0cf02f9c27f053.exe	33
PID 2188 wrote to memory of 2800	2188	23350a33531966fa6a0cf02f9c27f053.exe	33
PID 2188 wrote to memory of 2800	2188	23350a33531966fa6a0cf02f9c27f053.exe	33
PID 2188 wrote to memory of 2800	2188	23350a33531966fa6a0cf02f9c27f053.exe	33
PID 2188 wrote to memory of 2800	2188	23350a33531966fa6a0cf02f9c27f053.exe	33
PID 2188 wrote to memory of 2800	2188	23350a33531966fa6a0cf02f9c27f053.exe	33
PID 2800 wrote to memory of 2948	2800	BraveSharedUpdater.exe	34
PID 2800 wrote to memory of 2948	2800	BraveSharedUpdater.exe	34
PID 2800 wrote to memory of 2948	2800	BraveSharedUpdater.exe	34
PID 2800 wrote to memory of 2948	2800	BraveSharedUpdater.exe	34
PID 2800 wrote to memory of 2856	2800	BraveSharedUpdater.exe	35
PID 2800 wrote to memory of 2856	2800	BraveSharedUpdater.exe	35
PID 2800 wrote to memory of 2856	2800	BraveSharedUpdater.exe	35
PID 2800 wrote to memory of 2856	2800	BraveSharedUpdater.exe	35
PID 2800 wrote to memory of 2856	2800	BraveSharedUpdater.exe	35
PID 2856 wrote to memory of 1572	2856	svchost.exe	36
PID 2856 wrote to memory of 1572	2856	svchost.exe	36
PID 2856 wrote to memory of 1572	2856	svchost.exe	36
PID 2856 wrote to memory of 1572	2856	svchost.exe	36
PID 1572 wrote to memory of 2576	1572	cmd.exe	39
PID 1572 wrote to memory of 2576	1572	cmd.exe	39
PID 1572 wrote to memory of 2576	1572	cmd.exe	39
PID 1572 wrote to memory of 2576	1572	cmd.exe	39
PID 2948 wrote to memory of 2116	2948	cmd.exe	40
PID 2948 wrote to memory of 2116	2948	cmd.exe	40
PID 2948 wrote to memory of 2116	2948	cmd.exe	40
PID 2948 wrote to memory of 2116	2948	cmd.exe	40
PID 2856 wrote to memory of 2724	2856	svchost.exe	41
PID 2856 wrote to memory of 2724	2856	svchost.exe	41
PID 2856 wrote to memory of 2724	2856	svchost.exe	41
PID 2856 wrote to memory of 2724	2856	svchost.exe	41
PID 2856 wrote to memory of 2724	2856	svchost.exe	41
PID 2856 wrote to memory of 2724	2856	svchost.exe	41
PID 2856 wrote to memory of 2724	2856	svchost.exe	41

C:\Users\Admin\AppData\Local\Temp\23350a33531966fa6a0cf02f9c27f053.exe
"C:\Users\Admin\AppData\Local\Temp\23350a33531966fa6a0cf02f9c27f053.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2784
- C:\ProgramData\BraveShared\BraveSharedUpdater.exe
  "C:\ProgramData\BraveShared\BraveSharedUpdater.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2116
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2576
  - - C:\Users\Admin\AppData\Roaming\BraveShared\BraveSharedUpdater.exe
      "C:\Users\Admin\AppData\Roaming\BraveShared\BraveSharedUpdater.exe"
      4⤵
      Executes dropped EXE
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BraveShared\BraveSharedUpdater.exe

Filesize
466KB

MD5
23350a33531966fa6a0cf02f9c27f053

SHA1
1f53024c59b6b65fcf032bd5bb69cedbdcc67dfa

SHA256
0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d

SHA512
b6f8bbbbc5bf9b4d982bdab369513b5667835aa6660678917c259b599d563c7ad2d8f5233e4c62d962523393d8faa51087e3696fa72cabbde81ec1a39d3adfac

Download Submit
\Users\Admin\AppData\Roaming\BraveShared\BraveSharedUpdater.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
memory/2856-10-0x0000000000080000-0x00000000000FB000-memory.dmp

Filesize
492KB

Download
memory/2856-9-0x0000000000080000-0x00000000000FB000-memory.dmp

Filesize
492KB

Download
memory/2856-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download