remcos | 923bc7641ff951ee9d5c248e26268a97df150351e70b2b40fd7cb058fc8a7a03

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe
Size

668KB
MD5

8aa1a76b4376bff1b15c61ac32356e3d
SHA1

166dd235cc46a451cfcf1a064ec57fc723487f54
SHA256

e727ed652a2b4da65d9a31ed081a59179d18a504cdfb52387e977a5c3689398d
SHA512

9d12f905afcf295bb818c7d78045b4b61c12c9e697b4b883d11367253da565a588396fb59c859c744c92f217f85b11e70c3475b7bc0ceda2317bc36219046bdc
SSDEEP

12288:a3aGraE/mdQVnY8AiThjQ5wBXIUo7oew04zsNijwh:Ob/m+VnFBdjQwI1iOh

Score

10^/10

remcos team33 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

team33

wiskiriski15.duckdns.org:1626

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
csrss.exe
copy_folder
Microsoft
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
TKeSkxi-O6GOWP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
csrss
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
2612	csrss.exe

Loads dropped DLL 1 IoCs

pid	Process
2580	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\SysWOW64\\Microsoft\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\SysWOW64\\Microsoft\\csrss.exe\""	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\SysWOW64\\Microsoft\\csrss.exe\""	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\SysWOW64\\Microsoft\\csrss.exe\""	csrss.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Microsoft\csrss.exe	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\csrss.exe	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2888	reg.exe
1352	reg.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
328	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe
2612	csrss.exe
2612	csrss.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2264	328	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe	31
PID 328 wrote to memory of 2264	328	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe	31
PID 328 wrote to memory of 2264	328	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe	31
PID 328 wrote to memory of 2264	328	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe	31
PID 328 wrote to memory of 2824	328	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe	33
PID 328 wrote to memory of 2824	328	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe	33
PID 328 wrote to memory of 2824	328	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe	33
PID 328 wrote to memory of 2824	328	5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe	33
PID 2264 wrote to memory of 2888	2264	cmd.exe	34
PID 2264 wrote to memory of 2888	2264	cmd.exe	34
PID 2264 wrote to memory of 2888	2264	cmd.exe	34
PID 2264 wrote to memory of 2888	2264	cmd.exe	34
PID 2824 wrote to memory of 2580	2824	WScript.exe	35
PID 2824 wrote to memory of 2580	2824	WScript.exe	35
PID 2824 wrote to memory of 2580	2824	WScript.exe	35
PID 2824 wrote to memory of 2580	2824	WScript.exe	35
PID 2580 wrote to memory of 2612	2580	cmd.exe	37
PID 2580 wrote to memory of 2612	2580	cmd.exe	37
PID 2580 wrote to memory of 2612	2580	cmd.exe	37
PID 2580 wrote to memory of 2612	2580	cmd.exe	37
PID 2612 wrote to memory of 1948	2612	csrss.exe	38
PID 2612 wrote to memory of 1948	2612	csrss.exe	38
PID 2612 wrote to memory of 1948	2612	csrss.exe	38
PID 2612 wrote to memory of 1948	2612	csrss.exe	38
PID 1948 wrote to memory of 1352	1948	cmd.exe	40
PID 1948 wrote to memory of 1352	1948	cmd.exe	40
PID 1948 wrote to memory of 1352	1948	cmd.exe	40
PID 1948 wrote to memory of 1352	1948	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe
"C:\Users\Admin\AppData\Local\Temp\5498717122869040384804207296301042825657055179317810230152782008590075092500563444688795186316167466.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\Microsoft\csrss.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\Microsoft\csrss.exe
      C:\Windows\SysWOW64\Microsoft\csrss.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
400B

MD5
9c8579f9315e8e65b0ee4be56d256efb

SHA1
9c0f70021bb8b89a98c8a789ee891abcf83122a7

SHA256
b68b386469bff1d8cf2e39d6c19860fffed2799e4ddf2cd50e74fcbf3d78549e

SHA512
0d489992eafa651977dd31b966c9acfe8143af27ad944df72f9b7ce3f130072d5be4b994400f569188c89c3b3b2f0385e8aafb031fec7b2070d9f6f6d21ab452

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
79B

MD5
deda203bbc7b55e0cda4311d03ba80f2

SHA1
7f65126aa8d667804b01064318ab9be3b1277bf1

SHA256
1877cb252f85ec7f085108281c52ac77b7c824fd5e9c28c7de41f001cd2fddc5

SHA512
2bb53a533c30a2764e1b489096deaae8669e36d62ce75f4166fed3a47a3658c0f7b2a5dfbb7ad0c6737a2e5867648cad16279f1ff97ffcd2afcf19d696b9ee7a

Download Submit
C:\Windows\SysWOW64\Microsoft\csrss.exe

Filesize
668KB

MD5
8aa1a76b4376bff1b15c61ac32356e3d

SHA1
166dd235cc46a451cfcf1a064ec57fc723487f54

SHA256
e727ed652a2b4da65d9a31ed081a59179d18a504cdfb52387e977a5c3689398d

SHA512
9d12f905afcf295bb818c7d78045b4b61c12c9e697b4b883d11367253da565a588396fb59c859c744c92f217f85b11e70c3475b7bc0ceda2317bc36219046bdc

Download Submit
memory/328-9-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/328-8-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/328-1-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/328-0-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2612-20-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2612-18-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2612-16-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2612-22-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2612-24-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2612-14-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2612-27-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2612-29-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2612-31-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads