remcos | af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
Size

894KB
MD5

7d297c7ac8ae14d5431181b79d20831b
SHA1

3aa890021a9ce5071ace233e72096e21a481c153
SHA256

af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c
SHA512

4dfae8095bfc722b872ac7cbb6a96dc302893c6de8c33c7b67fdbd34645387bf463f42060e4cc50f91f8586cb9ec2ff599937d91970a7c4698ad46dff186f201
SSDEEP

12288:260nsDt02aQqTSpqdtQxIUPXnohqsMtc18p1THM4yHXxKoO3XdgO6wSmvL:21naampqdGTocsEcn467O3XdgrkL

Score

10^/10

remcos czt discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

czt

aadavidron.duckdns.org:53848

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Windeep.exe
copy_folder
AppDir
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FS2BKT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3040 powershell.exe
2144 powershell.exe

pid	process
3040	powershell.exe
2144	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe

description	pid	process	target process
PID 3028 set thread context of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exepowershell.exepowershell.exeschtasks.exeaf5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2848 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

3040 powershell.exe
2144 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2144 powershell.exe
Token: SeDebugPrivilege 3040 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe

pid process

2972 af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe

pid	process
2848	schtasks.exe

pid	process
3040	powershell.exe
2144	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe

pid	process
2972	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe

description	pid	process	target process
PID 3028 wrote to memory of 3040	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	powershell.exe
PID 3028 wrote to memory of 3040	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	powershell.exe
PID 3028 wrote to memory of 3040	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	powershell.exe
PID 3028 wrote to memory of 3040	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	powershell.exe
PID 3028 wrote to memory of 2144	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	powershell.exe
PID 3028 wrote to memory of 2144	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	powershell.exe
PID 3028 wrote to memory of 2144	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	powershell.exe
PID 3028 wrote to memory of 2144	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	powershell.exe
PID 3028 wrote to memory of 2848	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	schtasks.exe
PID 3028 wrote to memory of 2848	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	schtasks.exe
PID 3028 wrote to memory of 2848	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	schtasks.exe
PID 3028 wrote to memory of 2848	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	schtasks.exe
PID 3028 wrote to memory of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
PID 3028 wrote to memory of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
PID 3028 wrote to memory of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
PID 3028 wrote to memory of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
PID 3028 wrote to memory of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
PID 3028 wrote to memory of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
PID 3028 wrote to memory of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
PID 3028 wrote to memory of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
PID 3028 wrote to memory of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
PID 3028 wrote to memory of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
PID 3028 wrote to memory of 2972	3028	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe	af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe

C:\Users\Admin\AppData\Local\Temp\af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
"C:\Users\Admin\AppData\Local\Temp\af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VSNeHYIHmY.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VSNeHYIHmY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp477C.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe
  "C:\Users\Admin\AppData\Local\Temp\af5e154a353470228f0929245ef3eed1f151a962a68116d56a18b8619f83c77c.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
791c2e0a9ad9cd8fc33ff7c612fbd361

SHA1
a89015dcfaf1dfabf6aef7526b24fc11419103d3

SHA256
52b607bbc33497d055cdf067412903d5caccca9db214f03e5e110c31065c8a02

SHA512
4916f7bcb1b3da36fc61e4bc1a6fa22f6fc2db206e48df76d4d32883fbb9f3fd36228237e06fe881cc2a495513adbb81e053e3ca933d58b60a7747f6174038fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp477C.tmp

Filesize
1KB

MD5
e2619c4cfeb5ac6f6fe351c8e0bf1554

SHA1
04238116bb86dce1dfdc7f811150806c3387280d

SHA256
728ec57ebf1c8385c00e463362fa8341e74a1527255026ecb779e70341db2911

SHA512
c11ab16896818dea8fea57f1297051027661ea7e63dff6d78f00f48c0694664ced0137a8fbbd23d8aaaebeda2800b9bdd14652438a7e7628be34a288cdc1bbef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HVFNAVAZ6SLAXDOSMAI3.temp

Filesize
7KB

MD5
2ac8a8e2abb35d7adb4e91f5ff356bc2

SHA1
a614e60a2508978710ed831b66266fae51060c7e

SHA256
3263aa5b95ba47eccf0460d1a6aebad0b9faf2695ec2145b0ce519cd2da1cf64

SHA512
428c73df9cae52cecbf96fed5c0bc250b4d4cf53b6e6b38630e9a38038d431cc978230cd2e730120c79a60333982255260705c7fbdf8f755e20685b1acd12eec

Download Submit
memory/2972-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-55-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-52-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2972-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-87-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-56-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2972-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3028-2-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-38-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-6-0x0000000005210000-0x00000000052D4000-memory.dmp

Filesize
784KB

Download
memory/3028-5-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-4-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

Filesize
4KB

Download
memory/3028-3-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/3028-1-0x00000000012E0000-0x00000000013C6000-memory.dmp

Filesize
920KB

Download
memory/3028-0-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

Filesize
4KB

Download