remcos | 7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29

General

Target

7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
Size

900KB
MD5

c9d033467bd4405db131e2db7dd8abbf
SHA1

31a47ebb0a372ce4dea8f9ad0d7e547816ff7103
SHA256

7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29
SHA512

08b643c8ed42b6f59d9879eff287f9cf1f11696794c084dcc337f4d893cc759868457d8ef2fc095b73aa43deec5527d12dffbbdce528a71f758e8c0af335ffc2
SSDEEP

24576:QHIlObe6kDOI8hCMghsuN3OqyDzORPW3fa:FciJ2N4spU+i

Score

10^/10

remcos lee discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

lee

C2

lack.work.gd:3124

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
ios
mouse_option
false
mutex
gig-RM2DNS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
sos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2784	powershell.exe
1108	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2544 set thread context of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
1108	powershell.exe
2784	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2648	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2784	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	31
PID 2544 wrote to memory of 2784	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	31
PID 2544 wrote to memory of 2784	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	31
PID 2544 wrote to memory of 2784	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	31
PID 2544 wrote to memory of 1108	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	33
PID 2544 wrote to memory of 1108	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	33
PID 2544 wrote to memory of 1108	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	33
PID 2544 wrote to memory of 1108	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	33
PID 2544 wrote to memory of 2748	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	35
PID 2544 wrote to memory of 2748	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	35
PID 2544 wrote to memory of 2748	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	35
PID 2544 wrote to memory of 2748	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	35
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2544 wrote to memory of 2648	2544	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37

C:\Users\Admin\AppData\Local\Temp\7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
"C:\Users\Admin\AppData\Local\Temp\7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\njEnUdtKgG.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F77.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
  "C:\Users\Admin\AppData\Local\Temp\7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ios\logs.dat

Filesize
144B

MD5
0f1b3756b5c6a40bd11074d517192960

SHA1
cbf3de284347264a632929cc617ba25d9b545aa3

SHA256
a1b7bb26927966f4ce7335a09867c227c2f7e575114e08e69b393e19eb9edf77

SHA512
7109e77471292efb8d8ceaa29ddab767a98a5e10125ed0cf2ac74d725d984003261eb8fe2ddad7f827629f3b9d51c7f019810861cf237db121a33890baa5bce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F77.tmp

Filesize
1KB

MD5
49171387c3812148cdf37a6fa6c7c049

SHA1
2cfb343805db3bc973803a415e0ce3bc5c13dc22

SHA256
95cac34d45618e7ed6f3a2b658669730027ee39f6801b9588ae40db0ce457271

SHA512
ed796918a17c1836357165af2d77a97bea572667c136bd30747bdf4e3c3d5fa4c20dc643f32775e1f714e85359a7eb8eadf6c048abadd12499c30544f86e168c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N0IEBMM3PWU1ABRE36W6.temp

Filesize
7KB

MD5
90ae76cb6a82f7dd8acee5bc00e91b03

SHA1
1e831f2f2baed6c0f83345fbb0cd07651ee3e841

SHA256
21251a56e817dfdccac22eb08e15243aabd0864352ab0e2b207e179907ea6233

SHA512
bde55d926201afc72b4711d80353ee8908f018e9f657d1a916c4d3a5ce2bc2ce3b1f777829669e3dbb72200082159b615fd882895ce58b1f6c25d0e95dd495d7

Download Submit
memory/2544-0-0x000000007422E000-0x000000007422F000-memory.dmp

Filesize
4KB

Download
memory/2544-1-0x0000000000AD0000-0x0000000000BB6000-memory.dmp

Filesize
920KB

Download
memory/2544-2-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2544-3-0x0000000000990000-0x00000000009A2000-memory.dmp

Filesize
72KB

Download
memory/2544-4-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2544-5-0x0000000005F40000-0x0000000006000000-memory.dmp

Filesize
768KB

Download
memory/2544-41-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2648-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-18-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-36-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-35-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-55-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads