remcos | 5f830899b3b1cb680b762b896862e87fb11e68526fda9568d1e135160014413c

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixazed_20210808-071120.exe
Size

542KB
MD5

bdff95108f1380b097200f1a1063775c
SHA1

ae61a14382009adde7b63fc0d2cac23cba715dfe
SHA256

874e9527126f7470fb2482a75d1e8016f988c7ed7b417ae7e0a991e49bc094a5
SHA512

8592f307efeb628e81167f693dc85d8ed54531f9540dc6cab1d35b76546b763448cab7e38380e35c8365678f798ba1a296e72044374a82f40fe7b3157b4f02e2
SSDEEP

12288:3NfcfEpahAGNjIlJbkGaDmZ0uNEQxUbzkMbbzScgC:efSal+kG4w0uNEQxUbIp

Score

10^/10

remcos winslogon discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

winslogon

178.18.247.224:45265

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
winslogon.exe
copy_folder
sys
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
sys
keylog_path
%AppData%
mouse_option
false
mutex
winslogon-QT8NX3
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
systemp
screenshot_path
%AppData%
screenshot_time
1
startup_value
winslogon
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mixazed_20210808-071120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	mixazed_20210808-071120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winslogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	winslogon.exe

Deletes itself 1 IoCs

pid	Process
1600	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	winslogon.exe

Loads dropped DLL 2 IoCs

pid	Process
776	cmd.exe
776	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	winslogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	winslogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	mixazed_20210808-071120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\""	mixazed_20210808-071120.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixazed_20210808-071120.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winslogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2748	reg.exe
1784	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2724	winslogon.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1864	2416	mixazed_20210808-071120.exe	30
PID 2416 wrote to memory of 1864	2416	mixazed_20210808-071120.exe	30
PID 2416 wrote to memory of 1864	2416	mixazed_20210808-071120.exe	30
PID 2416 wrote to memory of 1864	2416	mixazed_20210808-071120.exe	30
PID 1864 wrote to memory of 1784	1864	cmd.exe	32
PID 1864 wrote to memory of 1784	1864	cmd.exe	32
PID 1864 wrote to memory of 1784	1864	cmd.exe	32
PID 1864 wrote to memory of 1784	1864	cmd.exe	32
PID 2416 wrote to memory of 1600	2416	mixazed_20210808-071120.exe	33
PID 2416 wrote to memory of 1600	2416	mixazed_20210808-071120.exe	33
PID 2416 wrote to memory of 1600	2416	mixazed_20210808-071120.exe	33
PID 2416 wrote to memory of 1600	2416	mixazed_20210808-071120.exe	33
PID 1600 wrote to memory of 776	1600	WScript.exe	35
PID 1600 wrote to memory of 776	1600	WScript.exe	35
PID 1600 wrote to memory of 776	1600	WScript.exe	35
PID 1600 wrote to memory of 776	1600	WScript.exe	35
PID 776 wrote to memory of 2724	776	cmd.exe	37
PID 776 wrote to memory of 2724	776	cmd.exe	37
PID 776 wrote to memory of 2724	776	cmd.exe	37
PID 776 wrote to memory of 2724	776	cmd.exe	37
PID 2724 wrote to memory of 2824	2724	winslogon.exe	38
PID 2724 wrote to memory of 2824	2724	winslogon.exe	38
PID 2724 wrote to memory of 2824	2724	winslogon.exe	38
PID 2724 wrote to memory of 2824	2724	winslogon.exe	38
PID 2724 wrote to memory of 2904	2724	winslogon.exe	40
PID 2724 wrote to memory of 2904	2724	winslogon.exe	40
PID 2724 wrote to memory of 2904	2724	winslogon.exe	40
PID 2724 wrote to memory of 2904	2724	winslogon.exe	40
PID 2824 wrote to memory of 2748	2824	cmd.exe	41
PID 2824 wrote to memory of 2748	2824	cmd.exe	41
PID 2824 wrote to memory of 2748	2824	cmd.exe	41
PID 2824 wrote to memory of 2748	2824	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-071120.exe
"C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-071120.exe"
1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1784
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\sys\winslogon.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Users\Admin\AppData\Roaming\sys\winslogon.exe
      C:\Users\Admin\AppData\Roaming\sys\winslogon.exe
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2748
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        5⤵
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
576B

MD5
7c01e4ef9d70bfb4dd8940a38601a1aa

SHA1
f6464b830b2720844a8867d31a0cef1913334d4e

SHA256
950afb6215d6e9192f80a349f0acf3caf9b4787cb07cc96f1c47808e67e26c3a

SHA512
9614e9112453f511766b369d33a34e3af48060c2e203a35720dadd2856c323ef1debbb3978f21e9d4aac542b7fc1c0f1156d6e5125142d316a78dbd248480e9c

Download Submit
C:\Users\Admin\AppData\Roaming\systemp\time_20241110_214013.png

Filesize
350KB

MD5
3b69fb1e9c7f99bed0b3d19d2d0ddff0

SHA1
498ebaed231af4df1232f09110e948371d4f84bf

SHA256
b1ec64a6d9279f0919241d4e896a67bf7e35e6dac8cd6bc48ea961e6b62e97cf

SHA512
844c3bc82761a1ca271eaa501f0e028f40bbe0abef0583e1de7dea456f18aed3ff71c09564869aec6c282c9e972f517f21ca2a6b71773221686be4da9cce82cb

Download Submit
\Users\Admin\AppData\Roaming\sys\winslogon.exe

Filesize
542KB

MD5
bdff95108f1380b097200f1a1063775c

SHA1
ae61a14382009adde7b63fc0d2cac23cba715dfe

SHA256
874e9527126f7470fb2482a75d1e8016f988c7ed7b417ae7e0a991e49bc094a5

SHA512
8592f307efeb628e81167f693dc85d8ed54531f9540dc6cab1d35b76546b763448cab7e38380e35c8365678f798ba1a296e72044374a82f40fe7b3157b4f02e2

Download Submit
memory/2416-1-0x0000000003330000-0x0000000003430000-memory.dmp

Filesize
1024KB

Download
memory/2416-2-0x00000000002D0000-0x0000000000343000-memory.dmp

Filesize
460KB

Download
memory/2416-5-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2416-9-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2416-10-0x0000000003330000-0x0000000003430000-memory.dmp

Filesize
1024KB

Download
memory/2416-11-0x00000000002D0000-0x0000000000343000-memory.dmp

Filesize
460KB

Download
memory/2416-8-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-27-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-36-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-25-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-28-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-29-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-34-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-35-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-26-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-37-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-38-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-24-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-39-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-44-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download
memory/2724-45-0x0000000000400000-0x0000000003283000-memory.dmp

Filesize
46.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads