remcos | 6027eb649c27aa6c1ee848061c7733403a250a40989c4fdee84e7ffee3811cf7

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InspectorNvidiaPro-64.exe
Size

1.6MB
MD5

912c89ac3e4ab699bd11cd2fc5da0bb2
SHA1

cd1499b70f084dca31343adb170fe3f618bd5933
SHA256

01f24017584c20793bdb7a066a1054b4474310ccda8ddd19a9521aa7cb0708ba
SHA512

b7fcf3222e862afae298ab32ba82be3fa90b01fc04f66c3a4e6b2b9e1f6556e15be9b8f331b0f466dcd1be127d14d2fa0ad711bcea46e0485454a53642c74ccd
SSDEEP

24576:j7FUDowAyrTVE3U5FEimXsOKK56BCObsE6UtoZmUd2N6xSIJQRn+KAXu:jBuZrEUzmXb0CUj1Ud2sMnNJ

Score

10^/10

remcos 5003 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

5003

92.255.85.63:5003

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7Z8WNB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 5 IoCs

pid	Process
2096	InspectorNvidiaPro-64.tmp
2204	InspectorNvidiaPro-64.tmp
2796	nvidiaInspector.exe
1892	IDRService.exe
3024	IDRService.exe

Loads dropped DLL 12 IoCs

pid	Process
876	InspectorNvidiaPro-64.exe
2096	InspectorNvidiaPro-64.tmp
2640	InspectorNvidiaPro-64.exe
2204	InspectorNvidiaPro-64.tmp
2204	InspectorNvidiaPro-64.tmp
2204	InspectorNvidiaPro-64.tmp
1892	IDRService.exe
1892	IDRService.exe
1892	IDRService.exe
3024	IDRService.exe
3024	IDRService.exe
1940	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3024 set thread context of 1940	3024	IDRService.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDRService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDRService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2204	InspectorNvidiaPro-64.tmp
2204	InspectorNvidiaPro-64.tmp
1892	IDRService.exe
3024	IDRService.exe
3024	IDRService.exe
1940	cmd.exe
1940	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3024	IDRService.exe
1940	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2204	InspectorNvidiaPro-64.tmp

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2096	876	InspectorNvidiaPro-64.exe	31
PID 876 wrote to memory of 2096	876	InspectorNvidiaPro-64.exe	31
PID 876 wrote to memory of 2096	876	InspectorNvidiaPro-64.exe	31
PID 876 wrote to memory of 2096	876	InspectorNvidiaPro-64.exe	31
PID 876 wrote to memory of 2096	876	InspectorNvidiaPro-64.exe	31
PID 876 wrote to memory of 2096	876	InspectorNvidiaPro-64.exe	31
PID 876 wrote to memory of 2096	876	InspectorNvidiaPro-64.exe	31
PID 2096 wrote to memory of 2640	2096	InspectorNvidiaPro-64.tmp	32
PID 2096 wrote to memory of 2640	2096	InspectorNvidiaPro-64.tmp	32
PID 2096 wrote to memory of 2640	2096	InspectorNvidiaPro-64.tmp	32
PID 2096 wrote to memory of 2640	2096	InspectorNvidiaPro-64.tmp	32
PID 2640 wrote to memory of 2204	2640	InspectorNvidiaPro-64.exe	33
PID 2640 wrote to memory of 2204	2640	InspectorNvidiaPro-64.exe	33
PID 2640 wrote to memory of 2204	2640	InspectorNvidiaPro-64.exe	33
PID 2640 wrote to memory of 2204	2640	InspectorNvidiaPro-64.exe	33
PID 2640 wrote to memory of 2204	2640	InspectorNvidiaPro-64.exe	33
PID 2640 wrote to memory of 2204	2640	InspectorNvidiaPro-64.exe	33
PID 2640 wrote to memory of 2204	2640	InspectorNvidiaPro-64.exe	33
PID 2204 wrote to memory of 2796	2204	InspectorNvidiaPro-64.tmp	34
PID 2204 wrote to memory of 2796	2204	InspectorNvidiaPro-64.tmp	34
PID 2204 wrote to memory of 2796	2204	InspectorNvidiaPro-64.tmp	34
PID 2204 wrote to memory of 2796	2204	InspectorNvidiaPro-64.tmp	34
PID 2204 wrote to memory of 1892	2204	InspectorNvidiaPro-64.tmp	36
PID 2204 wrote to memory of 1892	2204	InspectorNvidiaPro-64.tmp	36
PID 2204 wrote to memory of 1892	2204	InspectorNvidiaPro-64.tmp	36
PID 2204 wrote to memory of 1892	2204	InspectorNvidiaPro-64.tmp	36
PID 1892 wrote to memory of 3024	1892	IDRService.exe	37
PID 1892 wrote to memory of 3024	1892	IDRService.exe	37
PID 1892 wrote to memory of 3024	1892	IDRService.exe	37
PID 1892 wrote to memory of 3024	1892	IDRService.exe	37
PID 3024 wrote to memory of 1940	3024	IDRService.exe	38
PID 3024 wrote to memory of 1940	3024	IDRService.exe	38
PID 3024 wrote to memory of 1940	3024	IDRService.exe	38
PID 3024 wrote to memory of 1940	3024	IDRService.exe	38
PID 3024 wrote to memory of 1940	3024	IDRService.exe	38
PID 1940 wrote to memory of 2316	1940	cmd.exe	41
PID 1940 wrote to memory of 2316	1940	cmd.exe	41
PID 1940 wrote to memory of 2316	1940	cmd.exe	41
PID 1940 wrote to memory of 2316	1940	cmd.exe	41
PID 1940 wrote to memory of 2316	1940	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe
"C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\is-9GBUT.tmp\InspectorNvidiaPro-64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9GBUT.tmp\InspectorNvidiaPro-64.tmp" /SL5="$400EE,791552,0,C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe
    "C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\is-G13NT.tmp\InspectorNvidiaPro-64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-G13NT.tmp\InspectorNvidiaPro-64.tmp" /SL5="$30144,791552,0,C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Users\Admin\AppData\Roaming\nvidiaInspector.exe
        
        "C:\Users\Admin\AppData\Roaming\nvidiaInspector.exe"
        5⤵
        Executes dropped EXE
        
        PID:2796
    - - C:\Users\Admin\AppData\Roaming\IDRService.exe
        
        "C:\Users\Admin\AppData\Roaming\IDRService.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Users\Admin\AppData\Roaming\KO_Power\IDRService.exe
        
        C:\Users\Admin\AppData\Roaming\KO_Power\IDRService.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\284598a9

Filesize
1.2MB

MD5
cf368de09b683d29bc16c44b98800961

SHA1
7534791443306544cebbdca56713a2bf26ceea11

SHA256
782813295f576d26829dba2eb3735af36be70f8a574a72e1daa737f595a14e46

SHA512
1868da9b069fd23c91a7089228a3b5bbf58b8e02f578f9026b33d61c5687b7762dcc2e4cc060e9951ebade983cbebed214b7f129950691d259c4b4faff20fe3a

Download Submit
C:\Users\Admin\AppData\Roaming\cde

Filesize
947KB

MD5
77a94cd64437ca28cdbb889864900dfe

SHA1
430575f9c462aceed520494ec5fb2087d999d420

SHA256
82823bd91c34e24b0b225075f0f69f9d2313e58df01862bccd3fcfbf5ae36733

SHA512
627b67ba09d7e25a7207b69630d3a1b2c5c2c3f93e47644ef61e057f8a0f68c62051a6cb75c05c8acd728b8122fd27e8529265635def1ac70a9290af65c8476f

Download Submit
C:\Users\Admin\AppData\Roaming\llnjxu

Filesize
16KB

MD5
b613ff11758faed863380d6a1e3abac0

SHA1
959fc450422dca5babbe1ef395f68e93724a4616

SHA256
120e44ed51661e0e86dc8c92cb78a6869192e4331376d7d62fe8287eb340215e

SHA512
cd1bdec448913f173f8204eaedbe862bbe7380480c3c629d88bfb1ef254ca9cbc191b8ee8a41c0648565a7429436bad698d06b9ed06a221ce0a85c9a2215f5c9

Download Submit
\Users\Admin\AppData\Local\Temp\is-69MSI.tmp\_isetup\_isdecmp.dll

Filesize
34KB

MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
\Users\Admin\AppData\Local\Temp\is-9GBUT.tmp\InspectorNvidiaPro-64.tmp

Filesize
3.0MB

MD5
2ef50af4f6fbe0a32630f748382dfa1c

SHA1
88dd765da4dc6a867e3a81eb1bbc53cc1729ae98

SHA256
353f635294d95ba4a4fdfa10222aea50a085007003a9156ee7f50c0295b56b77

SHA512
d6f25178299b5a7f354dbb46a8cff0233ece08479e5b4fe05a31613597757813962fb1700509ec2d6264158c2b94ecb51a876a0d8009f01992f6c40db0e08890

Download Submit
\Users\Admin\AppData\Roaming\IDRService.exe

Filesize
1.6MB

MD5
ec539c4a9c60b3690fbd891e19333362

SHA1
7cd141b72d9c6701c27f939b790624ebe04668fd

SHA256
1d60149ce640f4e07bceeb8940950441025277f1eba4f501f8afe558030b34fe

SHA512
b6a3496e7b6f7aed5dcc7e0bb3fe903d2c231ff5470bbedd37e8bea83b1951dc835f32ac6508dea8b561bfd6354e7741227a42eb49fc0575ce64e12b494c00c1

Download Submit
\Users\Admin\AppData\Roaming\datastate.dll

Filesize
59KB

MD5
92b8cc6f16f9455446cbf1d748a2a30f

SHA1
d0a2700230bd4f095d02ed0f533b3687b3e36767

SHA256
1a0bf6db185254e352e6bf47b9d86986cb9191339390e3b5f638b962d433d22c

SHA512
023a642123b3e056092b6550f14f2f6feaa9c5c6c3e2343732e4bee791946795df12bcdbcffb67e99eb5c1746e564be356b426aefb014190e6e0d3c72c671784

Download Submit
\Users\Admin\AppData\Roaming\nvidiaInspector.exe

Filesize
484KB

MD5
83c9984b29ee1f908b45a963cfb8adea

SHA1
bd20801c13ae2e9b7d6ee1b8835615d921f057eb

SHA256
4128026b5a096ee35198fa18db1f6c6d27a81096aac48bc86803e5ad8a2dea7a

SHA512
d3f388eac1eaf0ea4f723cf9a5f8defbe8d43d0082216d591fdff81e2bbc4fdf1ff16acbc5c45120d15edacca3058ff2ab9aa3be43f5e4daeb7764cfba9d93e7

Download Submit
\Users\Admin\AppData\Roaming\sqlite3.dll

Filesize
904KB

MD5
9d255e04106ba7dcbd0bcb549e9a5a4e

SHA1
a9becb85b181c37ee5a940e149754c1912a901f1

SHA256
02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5

SHA512
54c54787a4ca8643271169be403069bc5f1e319a55d6a0ebd84fb0d96f6e9bddc52b0908541d29db04a042b531abd6c05073e27b0b2753196e0055b8b8200b09

Download Submit
memory/876-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/876-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/876-29-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1892-99-0x0000000061E00000-0x0000000061ECA000-memory.dmp

Filesize
808KB

Download
memory/1892-86-0x0000000074710000-0x0000000074884000-memory.dmp

Filesize
1.5MB

Download
memory/1892-97-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/1892-87-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1940-115-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1940-162-0x00000000747B0000-0x0000000074924000-memory.dmp

Filesize
1.5MB

Download
memory/2096-12-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2096-18-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2204-77-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2204-52-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2316-164-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/2316-165-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2316-168-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2640-51-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2640-79-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2640-16-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3024-106-0x00000000747B0000-0x0000000074924000-memory.dmp

Filesize
1.5MB

Download
memory/3024-107-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/3024-109-0x0000000061E00000-0x0000000061ECA000-memory.dmp

Filesize
808KB

Download
memory/3024-108-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/3024-110-0x00000000747B0000-0x0000000074924000-memory.dmp

Filesize
1.5MB

Download