remcos | 7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29

General

Target

7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
Size

900KB
MD5

c9d033467bd4405db131e2db7dd8abbf
SHA1

31a47ebb0a372ce4dea8f9ad0d7e547816ff7103
SHA256

7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29
SHA512

08b643c8ed42b6f59d9879eff287f9cf1f11696794c084dcc337f4d893cc759868457d8ef2fc095b73aa43deec5527d12dffbbdce528a71f758e8c0af335ffc2
SSDEEP

24576:QHIlObe6kDOI8hCMghsuN3OqyDzORPW3fa:FciJ2N4spU+i

Score

10^/10

remcos lee discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

lee

C2

lack.work.gd:3124

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
ios
mouse_option
false
mutex
gig-RM2DNS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
sos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3020	powershell.exe
1900	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
1900	powershell.exe
3020	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2664	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3020	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	31
PID 2508 wrote to memory of 3020	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	31
PID 2508 wrote to memory of 3020	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	31
PID 2508 wrote to memory of 3020	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	31
PID 2508 wrote to memory of 1900	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	33
PID 2508 wrote to memory of 1900	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	33
PID 2508 wrote to memory of 1900	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	33
PID 2508 wrote to memory of 1900	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	33
PID 2508 wrote to memory of 2924	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	34
PID 2508 wrote to memory of 2924	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	34
PID 2508 wrote to memory of 2924	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	34
PID 2508 wrote to memory of 2924	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	34
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37
PID 2508 wrote to memory of 2664	2508	7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe	37

C:\Users\Admin\AppData\Local\Temp\7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
"C:\Users\Admin\AppData\Local\Temp\7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\njEnUdtKgG.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\njEnUdtKgG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7AE.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe
  "C:\Users\Admin\AppData\Local\Temp\7943aab15dc5804448102c5c1fc5341b65708bff970773e25f0f27d807e90d29.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ios\logs.dat

Filesize
144B

MD5
d100674b8170cbbfe04f0c928a64fbfe

SHA1
8fcb862f3a690d8834b50dba6fb8bcfb1a547251

SHA256
47f71a50de246b2faf5077eccf9e6adc3bd569cf3870c1c2f66ecc946f389ac8

SHA512
b4f74786cac740351c0a296ed56edd457c9e32b7d832eb65d29d6e4ab4e1491a0c54e3eb4d106ef05c804276b52e973fbd1171807d60db00ff358900ffab5a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7AE.tmp

Filesize
1KB

MD5
db2f8f9e3605f5313996c32cab49f7ea

SHA1
5dccfbb63741a734196951d7dc83fe805a76179b

SHA256
66ecf55943e4792120d38caa58610d64ba89aa56c3b531a708fd2ec960763d18

SHA512
d95f485671e77320a0c9872c778278d1877e4f3a51d4bb3d92bcf1b840363fa587d55ccaf09ff5ee2e86a5a7a6099ecd1c536c501f258874d02367ce60650950

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8821db9c2648990546567718dbc5cc6d

SHA1
2136a1ee07c1cea055ec0ff3c5eb286a48cd8efd

SHA256
0935f388ed61bb15dfc669b4b2204ed5ed9918c43ac7f02608bea49f3216be47

SHA512
7e9973bebf4901f0a0d464b2f263691bdbf9ebab0b592d126ce13fba8706e5749b0d2fad5395f5a2cf6e8c5a3b64fc07caf7741184dffd2a8893aaaf4a7cde39

Download Submit
memory/2508-0-0x0000000073D0E000-0x0000000073D0F000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x0000000000D40000-0x0000000000E26000-memory.dmp

Filesize
920KB

Download
memory/2508-2-0x0000000073D00000-0x00000000743EE000-memory.dmp

Filesize
6.9MB

Download
memory/2508-3-0x0000000000950000-0x0000000000962000-memory.dmp

Filesize
72KB

Download
memory/2508-4-0x0000000073D0E000-0x0000000073D0F000-memory.dmp

Filesize
4KB

Download
memory/2508-5-0x0000000073D00000-0x00000000743EE000-memory.dmp

Filesize
6.9MB

Download
memory/2508-6-0x0000000005E30000-0x0000000005EF0000-memory.dmp

Filesize
768KB

Download
memory/2508-42-0x0000000073D00000-0x00000000743EE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-36-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-27-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-38-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-46-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-55-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-56-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads