remcos | 934d049015fd5a92d80510b13b3c12ab62ff84eb959fa07a935d2457d43d8459

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asdx.exe
Size

469KB
MD5

a9f64aa3ea27e2143a39b81f50982690
SHA1

6c7fb6a5e778144817c437a735145f6cb47d5bf3
SHA256

934d049015fd5a92d80510b13b3c12ab62ff84eb959fa07a935d2457d43d8459
SHA512

a42d83fd63b42c8215729c3e7bc6551c000effb7200d47c096835f724ab430bb40733b6557110a160e874f47179878c24fa5d2fb47787535636a3da6af2aba6a
SSDEEP

12288:Omnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSun9:2iLJbpI7I2WhQqZ7u9

Score

10^/10

remcos remotehost discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

camera-ms.gl.at.ply.gg:50534

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
system.exe
copy_folder
Remcos
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DVSGBY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes itself 1 IoCs

pid	Process
1260	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2824	system.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	cmd.exe
2776	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	asdx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	asdx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	system.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Remcos\system.exe	asdx.exe
File opened for modification	C:\Windows\SysWOW64\Remcos\system.exe	asdx.exe
File opened for modification	C:\Windows\SysWOW64\Remcos	asdx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 2932	2824	system.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asdx.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2164	reg.exe
2940	reg.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2824	system.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2604	2344	asdx.exe	29
PID 2344 wrote to memory of 2604	2344	asdx.exe	29
PID 2344 wrote to memory of 2604	2344	asdx.exe	29
PID 2344 wrote to memory of 2604	2344	asdx.exe	29
PID 2604 wrote to memory of 2164	2604	cmd.exe	31
PID 2604 wrote to memory of 2164	2604	cmd.exe	31
PID 2604 wrote to memory of 2164	2604	cmd.exe	31
PID 2604 wrote to memory of 2164	2604	cmd.exe	31
PID 2344 wrote to memory of 1260	2344	asdx.exe	32
PID 2344 wrote to memory of 1260	2344	asdx.exe	32
PID 2344 wrote to memory of 1260	2344	asdx.exe	32
PID 2344 wrote to memory of 1260	2344	asdx.exe	32
PID 1260 wrote to memory of 2776	1260	WScript.exe	33
PID 1260 wrote to memory of 2776	1260	WScript.exe	33
PID 1260 wrote to memory of 2776	1260	WScript.exe	33
PID 1260 wrote to memory of 2776	1260	WScript.exe	33
PID 2776 wrote to memory of 2824	2776	cmd.exe	35
PID 2776 wrote to memory of 2824	2776	cmd.exe	35
PID 2776 wrote to memory of 2824	2776	cmd.exe	35
PID 2776 wrote to memory of 2824	2776	cmd.exe	35
PID 2824 wrote to memory of 2920	2824	system.exe	36
PID 2824 wrote to memory of 2920	2824	system.exe	36
PID 2824 wrote to memory of 2920	2824	system.exe	36
PID 2824 wrote to memory of 2920	2824	system.exe	36
PID 2824 wrote to memory of 2932	2824	system.exe	37
PID 2824 wrote to memory of 2932	2824	system.exe	37
PID 2824 wrote to memory of 2932	2824	system.exe	37
PID 2824 wrote to memory of 2932	2824	system.exe	37
PID 2824 wrote to memory of 2932	2824	system.exe	37
PID 2920 wrote to memory of 2940	2920	cmd.exe	39
PID 2920 wrote to memory of 2940	2920	cmd.exe	39
PID 2920 wrote to memory of 2940	2920	cmd.exe	39
PID 2920 wrote to memory of 2940	2920	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\asdx.exe
"C:\Users\Admin\AppData\Local\Temp\asdx.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2164
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\Remcos\system.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\Remcos\system.exe
      C:\Windows\SysWOW64\Remcos\system.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2940
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
516B

MD5
648dd04dff78101d26637971db01fd8d

SHA1
3ec110cd0f4dee65aadf8ace25f6b992093dc972

SHA256
65e8204faf79f16f273e5c5dff6d6d37272ff3ddb83f0b2908c4c9b1c1576719

SHA512
aa2579ea7a03e97b13d13f4a50b20d44934634e084ee3e76d9c3e354f584d489f905c85db02db2b1ec55cc317cb91b34f6cceb0b4a919e294640ef0296741649

Download Submit
\Windows\SysWOW64\Remcos\system.exe

Filesize
469KB

MD5
a9f64aa3ea27e2143a39b81f50982690

SHA1
6c7fb6a5e778144817c437a735145f6cb47d5bf3

SHA256
934d049015fd5a92d80510b13b3c12ab62ff84eb959fa07a935d2457d43d8459

SHA512
a42d83fd63b42c8215729c3e7bc6551c000effb7200d47c096835f724ab430bb40733b6557110a160e874f47179878c24fa5d2fb47787535636a3da6af2aba6a

Download Submit
memory/2932-12-0x0000000000110000-0x000000000018F000-memory.dmp

Filesize
508KB

Download
memory/2932-11-0x0000000000110000-0x000000000018F000-memory.dmp

Filesize
508KB

Download
memory/2932-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads