Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2024 03:17
Static task: static1
Behavioral task: behavioral1
- Sample: cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe
- Resource: win10v2004-20241007-en
The results below are from behavioral1 (platform windows7_x64, resource win7-20240708-en).
General
- Target: cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe
- Size: 896KB
- MD5: b464444a180c10a26843bc549cd87601
- SHA1: 545b633847b6148c0016f58fc2d9a949778b0433
- SHA256: cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048
- SHA512: b2f849290ce0948f3f43336818c9448b6538ef14dbeae122943d91a159acb8cf81976bb84f9c7f313c64943cdc7b02f9d3b804866c5befdc0cf260e01595a1f0
- SSDEEP: 24576:mn9Cgx+s7vOBnRtyy3/DaIiZD7kFOoLGV0EFemOoZ0IZ:UwgvezycbtI4OH0EFePo2IZ
Malware Config
Extracted: remcos
- RemoteHost: eadzagba1.duckdns.org:4877
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: true
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-8XMYGH
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
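The config fields above map directly onto host and network indicators: the C2 host and port, the mutex (which in this run is also the name of the Run value), and the install, keylog and screenshot locations built from copy_folder/copy_file, keylog_folder/keylog_file and screenshot_path/screenshot_folder. The following Python script is an added example, not the sandbox's code and not part of Remcos; it parses the flattened key/value dump into a dictionary and derives those IoCs. SAMPLE_CONFIG is constructed from the fields shown above. The install root C:\ProgramData is taken from this run's Run key value, and the "|"-separated multi-host handling and the dynamic-DNS suffix list are assumptions added to make the parser useful beyond this one config.

```python
"""Turn a Remcos config dump into actionable IoCs.

Added example for this report; not the sandbox's code and not part of Remcos.
SAMPLE_CONFIG is constructed from the "Malware Config" section of the report.
"""

SAMPLE_CONFIG = """\
RemoteHost eadzagba1.duckdns.org:4877
connect_delay 0
connect_interval 1
copy_file remcos.exe
copy_folder Remcos
install_flag true
keylog_file logs.dat
keylog_folder remcos
keylog_flag false
mutex Rmc-8XMYGH
screenshot_folder Screenshots
screenshot_path %AppData%
"""

# Dynamic-DNS providers often seen as RAT C2 hosts (assumed list; extend as needed).
DYNDNS_SUFFIXES = ("duckdns.org", "ddns.net", "no-ip.org", "hopto.org")

# Install root observed in this run's Run key; assumed as the default for path derivation.
INSTALL_ROOT = r"C:\ProgramData"


def parse_config(text: str) -> dict:
    """Parse 'key value' lines (the sandbox's flattened layout) into a dict."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def parse_hosts(remote_host: str) -> list:
    """Split RemoteHost into (host, port) tuples.

    The report shows a single host:port. Accepting several entries separated
    by '|' with an optional trailing password field is an assumption so the
    function also copes with multi-host configs.
    """
    hosts = []
    for entry in remote_host.split("|"):
        parts = entry.strip().split(":")
        if len(parts) < 2 or not parts[1].isdigit():
            continue
        hosts.append((parts[0], int(parts[1])))
    return hosts


def is_dyndns(host: str) -> bool:
    """True if the host sits under one of the assumed dynamic-DNS suffixes."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in DYNDNS_SUFFIXES)


def derive_iocs(cfg: dict) -> dict:
    """Build network and host IoCs from the parsed config fields."""
    hosts = parse_hosts(cfg.get("RemoteHost", ""))
    iocs = {
        "c2": hosts,
        "c2_dyndns": [h for h, _ in hosts if is_dyndns(h)],
        "mutex": cfg.get("mutex"),
        # In this run the Run value name is the mutex name.
        "run_value_name": cfg.get("mutex"),
        "install_path": None,
        "keylog_path": None,
        "screenshot_path": None,
    }
    if cfg.get("install_flag", "false").lower() == "true":
        iocs["install_path"] = "\\".join([INSTALL_ROOT, cfg["copy_folder"], cfg["copy_file"]])
    if "keylog_file" in cfg:
        # keylog_folder is relative in the dump; report it relative rather than guess a base.
        iocs["keylog_path"] = cfg.get("keylog_folder", "") + "\\" + cfg["keylog_file"]
    if "screenshot_path" in cfg and "screenshot_folder" in cfg:
        iocs["screenshot_path"] = cfg["screenshot_path"] + "\\" + cfg["screenshot_folder"]
    return iocs


if __name__ == "__main__":
    for name, value in derive_iocs(parse_config(SAMPLE_CONFIG)).items():
        print(f"{name}: {value}")
```

The derived C2 entry is what goes to DNS and proxy logs (query for eadzagba1.duckdns.org, connections to port 4877); the mutex, install path and Run value name go to host hunting.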
Signatures
- Remcos family

- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes: powershell.exe PID 2180, 3028, 2584, 2596

- Executes dropped EXE (2 IoCs)
  Processes: remcos.exe PID 3016, 2436

- Loads dropped DLL (2 IoCs)
  Processes: cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe PID 1488 (two loads)

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-8XMYGH = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" (written by cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe and again by remcos.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-8XMYGH = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" (written by cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe and again by remcos.exe)
  The value name is the mutex from the extracted config, and the data is the copy_folder/copy_file pair under C:\ProgramData. The HKLM write lands under Wow6432Node because the sample is a 32-bit process (it launches the SysWOW64 PowerShell and schtasks), so a hunt for this value must cover both the native and the WOW6432 Run keys.

- Suspicious use of SetThreadContext (2 IoCs)
  PID 2196 (cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe) set thread context of PID 1488 (same image, procid_target 36)
  PID 3016 (remcos.exe) set thread context of PID 2436 (same image, procid_target 44)
  In both cases the parent starts a second copy of its own image, writes into it (see WriteProcessMemory below) and then sets its thread context. That is the process-hollowing pattern, and it is the child, not the parent, that goes on to drop and launch remcos.exe.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: remcos.exe (2), schtasks.exe (2), cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe (2), powershell.exe (4)
  The system binaries the sample launches (schtasks.exe, powershell.exe) trigger the same signature, so this key access is a weak indicator on its own.

- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe PID 236, 2492

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe PID 2196 (7), powershell.exe PID 2584, 2596, remcos.exe PID 3016 (7), powershell.exe PID 2180, 3028

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, requested by PID 2196 (cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe), 2584 and 2596 (powershell.exe), 3016 (remcos.exe), 2180 and 3028 (powershell.exe)

- Suspicious use of WriteProcessMemory (54 IoCs)
  Writer -> target (procid_target); the sandbox logs one entry per write:
  2196 cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe -> 2584 powershell.exe (30), 4 entries
  2196 cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe -> 2596 powershell.exe (32), 4 entries
  2196 cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe -> 236 schtasks.exe (34), 4 entries
  2196 cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe -> 1488 cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe (36), long run of entries
  1488 cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe -> 3016 remcos.exe (37), 4 entries
  3016 remcos.exe -> 2180 powershell.exe (38), 4 entries
  3016 remcos.exe -> 3028 powershell.exe (40), 4 entries
  3016 remcos.exe -> 2492 schtasks.exe (42), 4 entries
  3016 remcos.exe -> 2436 remcos.exe (44), long run of entries
  The short four-entry groups accompany ordinary child creation (the same pattern appears for every PowerShell and schtasks child); the long runs into 1488 and 2436 are consistent with a payload being written into the hollowed copies before SetThreadContext.
Processes
- C:\Users\Admin\AppData\Local\Temp\cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe (PID 2196)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2584)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2596)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rJxVpYQDxuAdz.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 236)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rJxVpYQDxuAdz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE31E.tmp"
    Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe (PID 1488)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe"
    Signatures: Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\ProgramData\Remcos\remcos.exe (PID 3016)
      Command line: "C:\ProgramData\Remcos\remcos.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2180)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
        Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3028)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rJxVpYQDxuAdz.exe"
        Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\schtasks.exe (PID 2492)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rJxVpYQDxuAdz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F73.tmp"
        Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - C:\ProgramData\Remcos\remcos.exe (PID 2436)
        Command line: "C:\ProgramData\Remcos\remcos.exe"
        Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery

Reading the tree: PID 2196 is the original loader. It adds two Defender path exclusions, registers a scheduled task from an XML file in %TEMP%, then starts a second copy of itself (1488) that it writes into and whose thread context it sets. The hollowed child 1488 is the process that loads the dropped DLL, writes the Run key and launches C:\ProgramData\Remcos\remcos.exe (3016), which repeats the identical exclusion and schtasks sequence before hollowing its own child (2436). Image paths are under SysWOW64 although the command lines name System32: the 32-bit parent is subject to WOW64 file system redirection. The excluded path C:\Users\Admin\AppData\Roaming\rJxVpYQDxuAdz.exe, which also supplies the task name, does not appear among the dropped files recorded for this run.
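The four behaviours the tree makes visible (a Defender exclusion added from PowerShell, a scheduled task created from an XML in %TEMP%, a Run value pointing into a user-writable directory, and a parent setting the thread context of a child spawned from its own image) are each simple to express as a rule over process, injection and registry telemetry. The Python below is an added example and not the sandbox's code: EVENTS is constructed from the command lines, SetThreadContext and Run key IoCs on this page plus two benign control records, and the record layout is an assumption rather than the sandbox's export format. The ATT&CK sub-technique IDs are this example's mapping (T1562.001, T1053.005, T1547.001, T1055.012); only the scheduled-task and Run-key techniques appear in the report's own ATT&CK matrix.

```python
"""Detection rules over process/injection/registry telemetry of the kind
listed in this report. Added example, not the sandbox's code; EVENTS is
constructed from the page's IoCs and the field names are an assumption."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
RUN_VALUE = r"\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-8XMYGH"

EVENTS = [
    {"type": "process", "pid": 2196, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 2584, "ppid": 2196, "image": PS,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"type": "process", "pid": 236, "ppid": 2196, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}" /Create /TN "Updates\\rJxVpYQDxuAdz" /XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE31E.tmp"'},
    {"type": "process", "pid": 1488, "ppid": 2196, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "inject", "op": "set_thread_context", "pid": 2196, "target": 1488},
    {"type": "registry", "pid": 1488, "key": RUN_VALUE, "data": '"C:\\ProgramData\\Remcos\\remcos.exe"'},
    # Constructed benign control records that must not fire.
    {"type": "process", "pid": 4100, "ppid": 1000, "image": PS, "cmdline": f'"{PS}" Get-MpPreference'},
    {"type": "process", "pid": 4200, "ppid": 1000, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}" /Create /TN "Backup" /XML "C:\\ProgramData\\Backup\\task.xml"'},
]

EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)
# Captures the /XML argument up to the closing quote or next space (paths with spaces need quotes).
SCHTASKS_XML_RE = re.compile(r'/Create\b.*?/XML\s+"?([^"\s]+)', re.I)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
RUN_KEY_MARK = "\\currentversion\\run\\"
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\")


def rule_defender_exclusion(ev, _ctx):
    """PowerShell adding a Defender exclusion (Impair Defenses)."""
    if ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe") \
            and EXCLUSION_RE.search(ev["cmdline"]):
        return ("T1562.001", f"PID {ev['pid']} adds a Defender exclusion: {ev['cmdline']}")
    return None


def rule_schtasks_from_temp(ev, _ctx):
    """schtasks /Create importing its task definition from a temp directory."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("schtasks.exe"):
        return None
    m = SCHTASKS_XML_RE.search(ev["cmdline"])
    if m and any(t in m.group(1).lower() for t in TEMP_DIRS):
        return ("T1053.005", f"PID {ev['pid']} creates a task from a temp XML: {m.group(1)}")
    return None


def rule_run_key_user_writable(ev, _ctx):
    """Run value whose target lives in a user-writable location."""
    if ev["type"] != "registry" or RUN_KEY_MARK not in ev["key"].lower():
        return None
    target = ev["data"].strip('"').lower()
    if any(d in target for d in USER_WRITABLE):
        name = ev["key"].rsplit("\\", 1)[-1]
        return ("T1547.001", f"PID {ev['pid']} sets Run value {name} -> {ev['data']}")
    return None


def rule_self_hollowing(ev, ctx):
    """Parent spawns a child from its own image, then sets the child's thread
    context: the SetThreadContext pattern from this report."""
    if ev["type"] != "inject" or ev["op"] != "set_thread_context":
        return None
    src, dst = ctx["image"].get(ev["pid"]), ctx["image"].get(ev["target"])
    if src and src == dst and ctx["ppid"].get(ev["target"]) == ev["pid"]:
        return ("T1055.012", f"PID {ev['pid']} hollows its own child PID {ev['target']} ({src})")
    return None


RULES = [rule_defender_exclusion, rule_schtasks_from_temp, rule_run_key_user_writable, rule_self_hollowing]


def detect(events):
    """Run every rule over every event; context maps pid -> image/ppid for correlation."""
    ctx = {
        "image": {e["pid"]: e["image"] for e in events if e["type"] == "process"},
        "ppid": {e["pid"]: e["ppid"] for e in events if e["type"] == "process"},
    }
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev, ctx)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for technique, message in detect(EVENTS):
        print(technique, message)
```

Against the constructed events the rules fire exactly four times, once per behaviour, and stay silent on the Get-MpPreference and ProgramData-task controls; the hollowing rule needs the pid-to-image map because the inject record alone does not say that source and target share an image.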
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- (no path recorded; hashes identical to the submitted sample)
  Filesize: 896KB
  MD5: b464444a180c10a26843bc549cd87601
  SHA1: 545b633847b6148c0016f58fc2d9a949778b0433
  SHA256: cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048
  SHA512: b2f849290ce0948f3f43336818c9448b6538ef14dbeae122943d91a159acb8cf81976bb84f9c7f313c64943cdc7b02f9d3b804866c5befdc0cf260e01595a1f0
- (no path recorded)
  Filesize: 1KB
  MD5: cf23546e8546927b763dd80f0622af50
  SHA1: 92e030b9e51d5be838145da24b11f2a0435afab6
  SHA256: f2ffc55432628655873fa49966f6240af7749e9224bfd2970796124fcdfd21b2
  SHA512: 1eada1eb6e38a25e4e777d6aa335823e7454e72624b11097fd027d4b70cf20429f55283b5d2970ad48a0727641445824f7fd4f0b87e7d6f248e9320a1db8065b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4KPR0PQCIPMJWQEDQX67.temp
  Filesize: 7KB
  MD5: 9d717acc1495414010388ce6c6deabcd
  SHA1: f78158678cf1f14316ffee94fd41657904c98898
  SHA256: 2987315aeec26f8328dd6fcee8682f878bfb2402e1218e1b17ad8eb9f3b03af5
  SHA512: 3bd53708227a459b3bdccfa996017ca326b79a8229726ae92d487f944172237b08e0363d9e634a932d7e2143273f62d9d80bd043b9c1f0a3a17d9fc95b1d29d3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: a90ef71ca8beb35d73534dd3cbe2f176
  SHA1: 1c48b74eca31ea0d936c4bd061da9a247397d87f
  SHA256: c531236ea0d791c1d1c41d593d3543670877d543cb45fce077353d7864bf7337
  SHA512: 772c317b6acfc9f83f3652190796e01005b353faa9dcd788f64553d747e5b01a36596f7e9b80b39aad17094232fe90f904b448f9846eaaeffca2b294213df238
- (no path recorded)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of empty input, so this entry is a zero-byte file and carries no usable hash indicator.