remcos | e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe
Size

959KB
MD5

b074e2458b987efec69536a58316d5a6
SHA1

ffebefa18462d47fc8b82abc9069c9fdd6079da9
SHA256

e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32
SHA512

1f76d7ae0558962781b913b765ff6b92b5f03aa511c6be2f206ff17c361052d4b34a37d46e49447a0860586474c3bc656ed34d9d094b605d06a6ebfbcc0a2422
SSDEEP

24576:YQm35eXO2xQ7nEP9FsGu0ftQbg665Xp3GuD+XjK:jej2ynElFsGu0fsgD5XpTqXj

Score

10^/10

remcos document discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Document

45.138.48.25:3333

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
WinUpdate.exe
copy_folder
WinUpdate
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
WinUpdat.dat
keylog_flag
false
keylog_folder
WinUpdat
mouse_option
false
mutex
Rmc-E10MWO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2568	powershell.exe
2044	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
3040	WinUpdate.exe
2400	WinUpdate.exe
2124	WinUpdate.exe

Loads dropped DLL 3 IoCs

pid	Process
2876	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe
3040	WinUpdate.exe
3040	WinUpdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\""	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\""	WinUpdate.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 3040 set thread context of 2124	3040	WinUpdate.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe
2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe
2568	powershell.exe
3040	WinUpdate.exe
3040	WinUpdate.exe
2044	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	3040	WinUpdate.exe
Token: SeDebugPrivilege	2044	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2124	WinUpdate.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2568	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	31
PID 2664 wrote to memory of 2568	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	31
PID 2664 wrote to memory of 2568	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	31
PID 2664 wrote to memory of 2568	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	31
PID 2664 wrote to memory of 2728	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	32
PID 2664 wrote to memory of 2728	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	32
PID 2664 wrote to memory of 2728	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	32
PID 2664 wrote to memory of 2728	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	32
PID 2664 wrote to memory of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 2664 wrote to memory of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 2664 wrote to memory of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 2664 wrote to memory of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 2664 wrote to memory of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 2664 wrote to memory of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 2664 wrote to memory of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 2664 wrote to memory of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 2664 wrote to memory of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 2664 wrote to memory of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 2664 wrote to memory of 2876	2664	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	34
PID 2876 wrote to memory of 3040	2876	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	35
PID 2876 wrote to memory of 3040	2876	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	35
PID 2876 wrote to memory of 3040	2876	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	35
PID 2876 wrote to memory of 3040	2876	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	35
PID 2876 wrote to memory of 3040	2876	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	35
PID 2876 wrote to memory of 3040	2876	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	35
PID 2876 wrote to memory of 3040	2876	e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe	35
PID 3040 wrote to memory of 2044	3040	WinUpdate.exe	36
PID 3040 wrote to memory of 2044	3040	WinUpdate.exe	36
PID 3040 wrote to memory of 2044	3040	WinUpdate.exe	36
PID 3040 wrote to memory of 2044	3040	WinUpdate.exe	36
PID 3040 wrote to memory of 2400	3040	WinUpdate.exe	38
PID 3040 wrote to memory of 2400	3040	WinUpdate.exe	38
PID 3040 wrote to memory of 2400	3040	WinUpdate.exe	38
PID 3040 wrote to memory of 2400	3040	WinUpdate.exe	38
PID 3040 wrote to memory of 2400	3040	WinUpdate.exe	38
PID 3040 wrote to memory of 2400	3040	WinUpdate.exe	38
PID 3040 wrote to memory of 2400	3040	WinUpdate.exe	38
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39
PID 3040 wrote to memory of 2124	3040	WinUpdate.exe	39

C:\Users\Admin\AppData\Local\Temp\e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe
"C:\Users\Admin\AppData\Local\Temp\e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe
  "C:\Users\Admin\AppData\Local\Temp\e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe"
  2⤵
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe
  "C:\Users\Admin\AppData\Local\Temp\e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
      4⤵
      Executes dropped EXE
      PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e17cc9a66fcb3b6826063fec85e7fe18

SHA1
143061781411c6cd4dde884a8c7935d60505e237

SHA256
7394c150fd0ee568ce1faeb3795dd2e2d0d795cc21181cbd49e3584f65c8d112

SHA512
19aa6db4eabfa598a6b0fc32469fbd1b18be238c0996a8fafef0e22c2997191b6db8b94d16690793ed747d41efd751efe152180e03de138a81f545da86116fc9

Download Submit
\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe

Filesize
959KB

MD5
b074e2458b987efec69536a58316d5a6

SHA1
ffebefa18462d47fc8b82abc9069c9fdd6079da9

SHA256
e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32

SHA512
1f76d7ae0558962781b913b765ff6b92b5f03aa511c6be2f206ff17c361052d4b34a37d46e49447a0860586474c3bc656ed34d9d094b605d06a6ebfbcc0a2422

Download Submit
memory/2124-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2124-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2124-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2124-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2124-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2124-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2124-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2124-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2124-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2124-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2124-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2124-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2124-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-27-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-2-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2664-3-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/2664-1-0x0000000000260000-0x0000000000356000-memory.dmp

Filesize
984KB

Download
memory/2664-6-0x0000000005800000-0x00000000058C4000-memory.dmp

Filesize
784KB

Download
memory/2664-5-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-4-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2876-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-7-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-8-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-10-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2876-15-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3040-28-0x0000000000020000-0x0000000000116000-memory.dmp

Filesize
984KB

Download