remcos | 0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
Size

1002KB
MD5

1e3d5cf8e89402325bca1e6a1329f7c7
SHA1

bc31f499894600db104ca347f9e9bbcb6a66c539
SHA256

0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e
SHA512

8a6297f965cd6228e6b63fb3c4c2cd88db6488d8459a94e6f20706454c4af4fab793abe850fe16d1b18149bef0d54240fcd4e1c25c6a42fb8ba36494a598cdbc
SSDEEP

24576:XwMpzxWUtVGnc3iMD6od9f9SbVJQshT3bJhcAZ+ViKqd2:3WU7b3Rt9YpJfrJhl+gKU2

Score

10^/10

remcos document discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Document

45.138.48.25:3333

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
WinUpdate.exe
copy_folder
WinUpdate
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
WinUpdat.dat
keylog_flag
false
keylog_folder
WinUpdat
mouse_option
false
mutex
Rmc-E10MWO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2408	powershell.exe
2608	powershell.exe

Executes dropped EXE 6 IoCs

Processes:

WinUpdate.exeWinUpdate.exeWinUpdate.exeWinUpdate.exeWinUpdate.exeWinUpdate.exe

pid	Process
2656	WinUpdate.exe
1904	WinUpdate.exe
2876	WinUpdate.exe
1792	WinUpdate.exe
268	WinUpdate.exe
2784	WinUpdate.exe

Loads dropped DLL 6 IoCs

Processes:

0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exeWinUpdate.exe

pid	Process
2260	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2656	WinUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\""	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe

description	pid	Process	procid_target
PID 2024 set thread context of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exe0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exepowershell.exe0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exeWinUpdate.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exeWinUpdate.exepowershell.exe

pid	Process
2408	powershell.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2656	WinUpdate.exe
2608	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeWinUpdate.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2656	WinUpdate.exe
Token: SeDebugPrivilege	2608	powershell.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exeWinUpdate.exe

description	pid	Process	procid_target
PID 2024 wrote to memory of 2408	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	31
PID 2024 wrote to memory of 2408	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	31
PID 2024 wrote to memory of 2408	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	31
PID 2024 wrote to memory of 2408	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	31
PID 2024 wrote to memory of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33
PID 2024 wrote to memory of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33
PID 2024 wrote to memory of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33
PID 2024 wrote to memory of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33
PID 2024 wrote to memory of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33
PID 2024 wrote to memory of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33
PID 2024 wrote to memory of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33
PID 2024 wrote to memory of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33
PID 2024 wrote to memory of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33
PID 2024 wrote to memory of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33
PID 2024 wrote to memory of 2260	2024	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	33
PID 2260 wrote to memory of 2656	2260	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	34
PID 2260 wrote to memory of 2656	2260	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	34
PID 2260 wrote to memory of 2656	2260	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	34
PID 2260 wrote to memory of 2656	2260	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	34
PID 2260 wrote to memory of 2656	2260	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	34
PID 2260 wrote to memory of 2656	2260	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	34
PID 2260 wrote to memory of 2656	2260	0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe	34
PID 2656 wrote to memory of 2608	2656	WinUpdate.exe	35
PID 2656 wrote to memory of 2608	2656	WinUpdate.exe	35
PID 2656 wrote to memory of 2608	2656	WinUpdate.exe	35
PID 2656 wrote to memory of 2608	2656	WinUpdate.exe	35
PID 2656 wrote to memory of 2876	2656	WinUpdate.exe	37
PID 2656 wrote to memory of 2876	2656	WinUpdate.exe	37
PID 2656 wrote to memory of 2876	2656	WinUpdate.exe	37
PID 2656 wrote to memory of 2876	2656	WinUpdate.exe	37
PID 2656 wrote to memory of 2876	2656	WinUpdate.exe	37
PID 2656 wrote to memory of 2876	2656	WinUpdate.exe	37
PID 2656 wrote to memory of 2876	2656	WinUpdate.exe	37
PID 2656 wrote to memory of 1904	2656	WinUpdate.exe	38
PID 2656 wrote to memory of 1904	2656	WinUpdate.exe	38
PID 2656 wrote to memory of 1904	2656	WinUpdate.exe	38
PID 2656 wrote to memory of 1904	2656	WinUpdate.exe	38
PID 2656 wrote to memory of 1904	2656	WinUpdate.exe	38
PID 2656 wrote to memory of 1904	2656	WinUpdate.exe	38
PID 2656 wrote to memory of 1904	2656	WinUpdate.exe	38
PID 2656 wrote to memory of 1792	2656	WinUpdate.exe	39
PID 2656 wrote to memory of 1792	2656	WinUpdate.exe	39
PID 2656 wrote to memory of 1792	2656	WinUpdate.exe	39
PID 2656 wrote to memory of 1792	2656	WinUpdate.exe	39
PID 2656 wrote to memory of 1792	2656	WinUpdate.exe	39
PID 2656 wrote to memory of 1792	2656	WinUpdate.exe	39
PID 2656 wrote to memory of 1792	2656	WinUpdate.exe	39
PID 2656 wrote to memory of 268	2656	WinUpdate.exe	40
PID 2656 wrote to memory of 268	2656	WinUpdate.exe	40
PID 2656 wrote to memory of 268	2656	WinUpdate.exe	40
PID 2656 wrote to memory of 268	2656	WinUpdate.exe	40
PID 2656 wrote to memory of 268	2656	WinUpdate.exe	40
PID 2656 wrote to memory of 268	2656	WinUpdate.exe	40
PID 2656 wrote to memory of 268	2656	WinUpdate.exe	40
PID 2656 wrote to memory of 2784	2656	WinUpdate.exe	41
PID 2656 wrote to memory of 2784	2656	WinUpdate.exe	41
PID 2656 wrote to memory of 2784	2656	WinUpdate.exe	41
PID 2656 wrote to memory of 2784	2656	WinUpdate.exe	41
PID 2656 wrote to memory of 2784	2656	WinUpdate.exe	41
PID 2656 wrote to memory of 2784	2656	WinUpdate.exe	41
PID 2656 wrote to memory of 2784	2656	WinUpdate.exe	41

C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
"C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe
  "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
      4⤵
      Executes dropped EXE
      PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
      4⤵
      Executes dropped EXE
      PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
      4⤵
      Executes dropped EXE
      PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
      4⤵
      Executes dropped EXE
      PID:268
  - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
      4⤵
      Executes dropped EXE
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0d27b882dd6e1c9388b5c6f828bfe0c

SHA1
ceb56b27b6ccc3525007266e9042b9bc8b99beb8

SHA256
45629ca452a66a9c50740197ad12c3cf33d1b830d9d521df38d3e2e65dde605a

SHA512
0c032e42a11b2ceeee5eea9e67dd15cd582519ce6706804c71a240a513c6f1edb202b224c3035520c66bb0a3a2ef229966214bac31023b9c459fde9f63f2f260

Download Submit
\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

Filesize
1002KB

MD5
1e3d5cf8e89402325bca1e6a1329f7c7

SHA1
bc31f499894600db104ca347f9e9bbcb6a66c539

SHA256
0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e

SHA512
8a6297f965cd6228e6b63fb3c4c2cd88db6488d8459a94e6f20706454c4af4fab793abe850fe16d1b18149bef0d54240fcd4e1c25c6a42fb8ba36494a598cdbc

Download Submit
memory/2024-0-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2024-1-0x0000000001120000-0x0000000001220000-memory.dmp

Filesize
1024KB

Download
memory/2024-2-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-3-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/2024-4-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2024-5-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-6-0x0000000004F20000-0x0000000004FE2000-memory.dmp

Filesize
776KB

Download
memory/2024-29-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-7-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2260-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2260-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2656-35-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2656-36-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download