remcos | bf44cea9ad3b2537695ad68051a3d76103f51acac12dae98046bcc67655a8d89

Analysis

max time kernel
128s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe
Size

6.9MB
MD5

d15499b47bac23ac6c8f5f702fb21a24
SHA1

b8ee221f0025fc5d21b3c90d977e66fb0af91f63
SHA256

88c9ac51024b2d980e1076795b99f22be6c6a99e9cbc195531c65deeeae6381d
SHA512

eb927e17e4468c0bcf0e4e66dd109ec94f3810b095e8b3106dc50753a84f4f67416f21923adb2caaaafb430cfacc1eef1e3817f52e564db4a7785fad16ae29e0
SSDEEP

98304:/XTFjm3UAtTlMPoWXCo0B4nDk1vmp28nnnYFpyy3xjxTzCv/XLU:/XTFjm3TtTlMPoW4B95mpsdxVCvf4

Score

10^/10

remcos rojo discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

ROJO

nuevodntestchec.addns.org:3018

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
data
mouse_option
false
mutex
jjajbsfbisfablklsafg-LEIC4X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Downloads MZ/PE file

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UnuKick = "C:\\Users\\Admin\\Videos\\Kick\\VideoUnu.exe"	Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 4448	1788	Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe	93
PID 4448 set thread context of 3812	4448	csc.exe	95

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	MSBuild.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4448	csc.exe
4448	csc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	csc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3812	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 4448	1788	Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe	93
PID 1788 wrote to memory of 4448	1788	Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe	93
PID 1788 wrote to memory of 4448	1788	Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe	93
PID 1788 wrote to memory of 4448	1788	Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe	93
PID 1788 wrote to memory of 4448	1788	Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe	93
PID 4448 wrote to memory of 5640	4448	csc.exe	94
PID 4448 wrote to memory of 5640	4448	csc.exe	94
PID 4448 wrote to memory of 5640	4448	csc.exe	94
PID 4448 wrote to memory of 3812	4448	csc.exe	95
PID 4448 wrote to memory of 3812	4448	csc.exe	95
PID 4448 wrote to memory of 3812	4448	csc.exe	95
PID 4448 wrote to memory of 3812	4448	csc.exe	95
PID 4448 wrote to memory of 3812	4448	csc.exe	95
PID 4448 wrote to memory of 3812	4448	csc.exe	95
PID 4448 wrote to memory of 3812	4448	csc.exe	95
PID 4448 wrote to memory of 3812	4448	csc.exe	95
PID 4448 wrote to memory of 3812	4448	csc.exe	95
PID 4448 wrote to memory of 3812	4448	csc.exe	95
PID 3812 wrote to memory of 5888	3812	MSBuild.exe	98
PID 3812 wrote to memory of 5888	3812	MSBuild.exe	98
PID 3812 wrote to memory of 5888	3812	MSBuild.exe	98

C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe
"C:\Users\Admin\AppData\Local\Temp\Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    PID:5640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dgzaswrowflohczggavxhg.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\data\registros.dat

Filesize
184B

MD5
1f7eb09e0c6bac0673ebcc3e8a69ca43

SHA1
9bae1f4251cc13e7129501cce58d590dd963ecf5

SHA256
d546db9b1b42fa64cf820ec0ed4abb96e482647edf33a70c94e19c99754040b3

SHA512
0bdd4ab1f8aa7f2de86137f0f480df91cfbe291ee235012e1739d5e546fdd37d2f7628cf6ab3232b5f96cda145f7bdb5e747528b4b5e1e44541e337372fd9f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgzaswrowflohczggavxhg.vbs

Filesize
374B

MD5
92323d5eafdd057f2602a2a0b5f5230e

SHA1
9498775850b22af3303ce67d042c7cf3925b396b

SHA256
52512978ad3bd19b5bbc6a332b2cc7635947c9f29979f746f406161ffb3ac34a

SHA512
268d4fe79242535278a9ca3396d1e39f9be88285a4ea01304bd39415728e07e5d9b8392a778732ab3b65ab050aa6aa6aadf6f4d1443b39605763fc380637bb5c

Download Submit
memory/1788-8-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/1788-6-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/1788-5-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/1788-9-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/1788-1-0x0000000000573000-0x000000000058C000-memory.dmp

Filesize
100KB

Download
memory/1788-3-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/1788-4-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/1788-0-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/1788-171-0x0000000000AA9000-0x0000000000AB5000-memory.dmp

Filesize
48KB

Download
memory/1788-3129-0x0000000000573000-0x000000000058C000-memory.dmp

Filesize
100KB

Download
memory/3812-3985-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3812-3952-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3812-3940-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4448-44-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-26-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-254-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/4448-62-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-60-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-56-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-55-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-52-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-50-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-48-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-46-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-66-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-42-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-40-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-36-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-34-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-32-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-30-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-28-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-64-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-22-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-18-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-16-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-14-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-11-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-38-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-12-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-168-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

Filesize
4KB

Download
memory/4448-3929-0x0000000005950000-0x00000000059A6000-memory.dmp

Filesize
344KB

Download
memory/4448-3930-0x00000000059B0000-0x00000000059FC000-memory.dmp

Filesize
304KB

Download
memory/4448-3931-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/4448-3932-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

Filesize
4KB

Download
memory/4448-3933-0x0000000006130000-0x0000000006184000-memory.dmp

Filesize
336KB

Download
memory/4448-58-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-24-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-21-0x0000000005780000-0x000000000584F000-memory.dmp

Filesize
828KB

Download
memory/4448-10-0x0000000005780000-0x0000000005854000-memory.dmp

Filesize
848KB

Download
memory/4448-7-0x00000000010A0000-0x0000000001144000-memory.dmp

Filesize
656KB

Download