remcos | 39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
Size

1.3MB
MD5

5c44a72a49fe4fbc94f1c1aa8cbf0ab6
SHA1

d0d0903f73b4aa11ee580fb6fd8d80775e6e88de
SHA256

39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129
SHA512

d92503e2ebbaa4e8728098cf6d0079de711a4f92663ad9db8583d848721818e4ecf3790a65253a0cd850c23eed8a46f98049a11f77b9f106344e501d124fbb97
SSDEEP

24576:ctcKivRdWnSyEHyfE75BP/+mgWdm/bTLLK6:LKmXWSy6r2mgxv

Score

10^/10

remcos slaves discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

SLAVES

windowslavesclient.duckdns.org:1604

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-J3MJAP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Executes dropped EXE 1 IoCs

Processes:

Images.exe

pid process

2116 Images.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2904 cmd.exe
2904 cmd.exe

pid	process
2116	Images.exe

pid	process
2904	cmd.exe
2904	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Videoss = "C:\\Users\\Admin\\AppData\\Roaming\\Images.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Images.exe

description pid process target process

PID 2116 set thread context of 2472 2116 Images.exe AddInProcess32.exe

description	pid	process	target process
PID 2116 set thread context of 2472	2116	Images.exe	AddInProcess32.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exePING.EXEImages.exeAddInProcess32.exereg.exe39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exePING.EXEcmd.exePING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXEcmd.exePING.EXEPING.EXE

pid process

2564 cmd.exe
2592 PING.EXE
2904 cmd.exe
2896 PING.EXE
2788 PING.EXE
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2592 PING.EXE
2896 PING.EXE
2788 PING.EXE

pid	process
2564	cmd.exe
2592	PING.EXE
2904	cmd.exe
2896	PING.EXE
2788	PING.EXE

pid	process
2592	PING.EXE
2896	PING.EXE
2788	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exeImages.exe

pid	process
2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
2116	Images.exe
2116	Images.exe
2116	Images.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exeImages.exe

description	pid	process
Token: SeDebugPrivilege	2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
Token: SeDebugPrivilege	2116	Images.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.execmd.execmd.exeImages.exe

description	pid	process	target process
PID 2512 wrote to memory of 2564	2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe	cmd.exe
PID 2512 wrote to memory of 2564	2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe	cmd.exe
PID 2512 wrote to memory of 2564	2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe	cmd.exe
PID 2512 wrote to memory of 2564	2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe	cmd.exe
PID 2564 wrote to memory of 2592	2564	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2592	2564	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2592	2564	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2592	2564	cmd.exe	PING.EXE
PID 2512 wrote to memory of 2904	2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe	cmd.exe
PID 2512 wrote to memory of 2904	2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe	cmd.exe
PID 2512 wrote to memory of 2904	2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe	cmd.exe
PID 2512 wrote to memory of 2904	2512	39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe	cmd.exe
PID 2904 wrote to memory of 2896	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2896	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2896	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2896	2904	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2936	2564	cmd.exe	reg.exe
PID 2564 wrote to memory of 2936	2564	cmd.exe	reg.exe
PID 2564 wrote to memory of 2936	2564	cmd.exe	reg.exe
PID 2564 wrote to memory of 2936	2564	cmd.exe	reg.exe
PID 2904 wrote to memory of 2788	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2788	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2788	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2788	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2116	2904	cmd.exe	Images.exe
PID 2904 wrote to memory of 2116	2904	cmd.exe	Images.exe
PID 2904 wrote to memory of 2116	2904	cmd.exe	Images.exe
PID 2904 wrote to memory of 2116	2904	cmd.exe	Images.exe
PID 2116 wrote to memory of 2472	2116	Images.exe	AddInProcess32.exe
PID 2116 wrote to memory of 2472	2116	Images.exe	AddInProcess32.exe
PID 2116 wrote to memory of 2472	2116	Images.exe	AddInProcess32.exe
PID 2116 wrote to memory of 2472	2116	Images.exe	AddInProcess32.exe
PID 2116 wrote to memory of 2472	2116	Images.exe	AddInProcess32.exe
PID 2116 wrote to memory of 2472	2116	Images.exe	AddInProcess32.exe
PID 2116 wrote to memory of 2472	2116	Images.exe	AddInProcess32.exe
PID 2116 wrote to memory of 2472	2116	Images.exe	AddInProcess32.exe
PID 2116 wrote to memory of 2472	2116	Images.exe	AddInProcess32.exe
PID 2116 wrote to memory of 2472	2116	Images.exe	AddInProcess32.exe
PID 2116 wrote to memory of 2472	2116	Images.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
"C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 19 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 19
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2592
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe" "C:\Users\Admin\AppData\Roaming\Images.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\AppData\Roaming\Images.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 18
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2896
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 18
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2788
- - C:\Users\Admin\AppData\Roaming\Images.exe
    "C:\Users\Admin\AppData\Roaming\Images.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Images.exe

Filesize
1.3MB

MD5
5c44a72a49fe4fbc94f1c1aa8cbf0ab6

SHA1
d0d0903f73b4aa11ee580fb6fd8d80775e6e88de

SHA256
39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129

SHA512
d92503e2ebbaa4e8728098cf6d0079de711a4f92663ad9db8583d848721818e4ecf3790a65253a0cd850c23eed8a46f98049a11f77b9f106344e501d124fbb97

Download Submit
memory/2116-17-0x0000000000BC0000-0x0000000000D06000-memory.dmp

Filesize
1.3MB

Download
memory/2116-18-0x0000000000770000-0x000000000078A000-memory.dmp

Filesize
104KB

Download
memory/2116-19-0x0000000000790000-0x0000000000796000-memory.dmp

Filesize
24KB

Download
memory/2472-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-83-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-56-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-35-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-36-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-38-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-46-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-52-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-55-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2472-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-74-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2472-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2512-3-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/2512-2-0x0000000000760000-0x00000000007A4000-memory.dmp

Filesize
272KB

Download
memory/2512-1-0x0000000000150000-0x0000000000296000-memory.dmp

Filesize
1.3MB

Download
memory/2512-0-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

Filesize
4KB

Download
memory/2512-4-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

Filesize
4KB

Download
memory/2512-5-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/2512-6-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download