remcos | 6027eb649c27aa6c1ee848061c7733403a250a40989c4fdee84e7ffee3811cf7

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InspectorNvidiaPro-64.exe
Size

1.6MB
MD5

912c89ac3e4ab699bd11cd2fc5da0bb2
SHA1

cd1499b70f084dca31343adb170fe3f618bd5933
SHA256

01f24017584c20793bdb7a066a1054b4474310ccda8ddd19a9521aa7cb0708ba
SHA512

b7fcf3222e862afae298ab32ba82be3fa90b01fc04f66c3a4e6b2b9e1f6556e15be9b8f331b0f466dcd1be127d14d2fa0ad711bcea46e0485454a53642c74ccd
SSDEEP

24576:j7FUDowAyrTVE3U5FEimXsOKK56BCObsE6UtoZmUd2N6xSIJQRn+KAXu:jBuZrEUzmXb0CUj1Ud2sMnNJ

Score

10^/10

remcos 5003 discovery rat

Malware Config

Extracted

Family

remcos

Botnet

5003

92.255.85.63:5003

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7Z8WNB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	InspectorNvidiaPro-64.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	nvidiaInspector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	InspectorNvidiaPro-64.tmp

Executes dropped EXE 5 IoCs

pid	Process
3128	InspectorNvidiaPro-64.tmp
3508	InspectorNvidiaPro-64.tmp
3416	nvidiaInspector.exe
3360	IDRService.exe
4348	IDRService.exe

Loads dropped DLL 8 IoCs

pid	Process
3128	InspectorNvidiaPro-64.tmp
3128	InspectorNvidiaPro-64.tmp
3508	InspectorNvidiaPro-64.tmp
3508	InspectorNvidiaPro-64.tmp
3360	IDRService.exe
3360	IDRService.exe
4348	IDRService.exe
4348	IDRService.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 2024	4348	IDRService.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InspectorNvidiaPro-64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDRService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDRService.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3508	InspectorNvidiaPro-64.tmp
3508	InspectorNvidiaPro-64.tmp
3360	IDRService.exe
4348	IDRService.exe
4348	IDRService.exe
2024	cmd.exe
2024	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4348	IDRService.exe
2024	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3416	nvidiaInspector.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3508	InspectorNvidiaPro-64.tmp

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 3128	4808	InspectorNvidiaPro-64.exe	83
PID 4808 wrote to memory of 3128	4808	InspectorNvidiaPro-64.exe	83
PID 4808 wrote to memory of 3128	4808	InspectorNvidiaPro-64.exe	83
PID 3128 wrote to memory of 1936	3128	InspectorNvidiaPro-64.tmp	84
PID 3128 wrote to memory of 1936	3128	InspectorNvidiaPro-64.tmp	84
PID 3128 wrote to memory of 1936	3128	InspectorNvidiaPro-64.tmp	84
PID 1936 wrote to memory of 3508	1936	InspectorNvidiaPro-64.exe	85
PID 1936 wrote to memory of 3508	1936	InspectorNvidiaPro-64.exe	85
PID 1936 wrote to memory of 3508	1936	InspectorNvidiaPro-64.exe	85
PID 3508 wrote to memory of 3416	3508	InspectorNvidiaPro-64.tmp	86
PID 3508 wrote to memory of 3416	3508	InspectorNvidiaPro-64.tmp	86
PID 3508 wrote to memory of 3360	3508	InspectorNvidiaPro-64.tmp	97
PID 3508 wrote to memory of 3360	3508	InspectorNvidiaPro-64.tmp	97
PID 3508 wrote to memory of 3360	3508	InspectorNvidiaPro-64.tmp	97
PID 3360 wrote to memory of 4348	3360	IDRService.exe	98
PID 3360 wrote to memory of 4348	3360	IDRService.exe	98
PID 3360 wrote to memory of 4348	3360	IDRService.exe	98
PID 4348 wrote to memory of 2024	4348	IDRService.exe	99
PID 4348 wrote to memory of 2024	4348	IDRService.exe	99
PID 4348 wrote to memory of 2024	4348	IDRService.exe	99
PID 4348 wrote to memory of 2024	4348	IDRService.exe	99
PID 2024 wrote to memory of 4680	2024	cmd.exe	105
PID 2024 wrote to memory of 4680	2024	cmd.exe	105
PID 2024 wrote to memory of 4680	2024	cmd.exe	105
PID 2024 wrote to memory of 4680	2024	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe
"C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\is-Q5PN6.tmp\InspectorNvidiaPro-64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q5PN6.tmp\InspectorNvidiaPro-64.tmp" /SL5="$8003E,791552,0,C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe
    "C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\is-CDKRA.tmp\InspectorNvidiaPro-64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CDKRA.tmp\InspectorNvidiaPro-64.tmp" /SL5="$B0046,791552,0,C:\Users\Admin\AppData\Local\Temp\InspectorNvidiaPro-64.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Users\Admin\AppData\Roaming\nvidiaInspector.exe
        
        "C:\Users\Admin\AppData\Roaming\nvidiaInspector.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
    - - C:\Users\Admin\AppData\Roaming\IDRService.exe
        
        "C:\Users\Admin\AppData\Roaming\IDRService.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Users\Admin\AppData\Roaming\KO_Power\IDRService.exe
        
        C:\Users\Admin\AppData\Roaming\KO_Power\IDRService.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b27cfd0e

Filesize
1.2MB

MD5
2c026ea4a0cb1a26139691e5db120e1b

SHA1
d2454edda46b85003a79b444a9c19363a9636d4c

SHA256
26603885ec35988994957e2d90a03f1bc0ccfb3eae960ecbf7b7da2a04d51c96

SHA512
82cb1e7e01a43cdcce14b74a475581333e95495d368524b9c1b1eabd5e5e3c10f2b88b75dd6a03e6c19fad03afab386af1d547d41e3cf4af1863e982efab3216

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4CMQ4.tmp\_isetup\_isdecmp.dll

Filesize
34KB

MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q5PN6.tmp\InspectorNvidiaPro-64.tmp

Filesize
3.0MB

MD5
2ef50af4f6fbe0a32630f748382dfa1c

SHA1
88dd765da4dc6a867e3a81eb1bbc53cc1729ae98

SHA256
353f635294d95ba4a4fdfa10222aea50a085007003a9156ee7f50c0295b56b77

SHA512
d6f25178299b5a7f354dbb46a8cff0233ece08479e5b4fe05a31613597757813962fb1700509ec2d6264158c2b94ecb51a876a0d8009f01992f6c40db0e08890

Download Submit
C:\Users\Admin\AppData\Roaming\IDRService.exe

Filesize
1.6MB

MD5
ec539c4a9c60b3690fbd891e19333362

SHA1
7cd141b72d9c6701c27f939b790624ebe04668fd

SHA256
1d60149ce640f4e07bceeb8940950441025277f1eba4f501f8afe558030b34fe

SHA512
b6a3496e7b6f7aed5dcc7e0bb3fe903d2c231ff5470bbedd37e8bea83b1951dc835f32ac6508dea8b561bfd6354e7741227a42eb49fc0575ce64e12b494c00c1

Download Submit
C:\Users\Admin\AppData\Roaming\cde

Filesize
947KB

MD5
77a94cd64437ca28cdbb889864900dfe

SHA1
430575f9c462aceed520494ec5fb2087d999d420

SHA256
82823bd91c34e24b0b225075f0f69f9d2313e58df01862bccd3fcfbf5ae36733

SHA512
627b67ba09d7e25a7207b69630d3a1b2c5c2c3f93e47644ef61e057f8a0f68c62051a6cb75c05c8acd728b8122fd27e8529265635def1ac70a9290af65c8476f

Download Submit
C:\Users\Admin\AppData\Roaming\datastate.dll

Filesize
59KB

MD5
92b8cc6f16f9455446cbf1d748a2a30f

SHA1
d0a2700230bd4f095d02ed0f533b3687b3e36767

SHA256
1a0bf6db185254e352e6bf47b9d86986cb9191339390e3b5f638b962d433d22c

SHA512
023a642123b3e056092b6550f14f2f6feaa9c5c6c3e2343732e4bee791946795df12bcdbcffb67e99eb5c1746e564be356b426aefb014190e6e0d3c72c671784

Download Submit
C:\Users\Admin\AppData\Roaming\llnjxu

Filesize
16KB

MD5
b613ff11758faed863380d6a1e3abac0

SHA1
959fc450422dca5babbe1ef395f68e93724a4616

SHA256
120e44ed51661e0e86dc8c92cb78a6869192e4331376d7d62fe8287eb340215e

SHA512
cd1bdec448913f173f8204eaedbe862bbe7380480c3c629d88bfb1ef254ca9cbc191b8ee8a41c0648565a7429436bad698d06b9ed06a221ce0a85c9a2215f5c9

Download Submit
C:\Users\Admin\AppData\Roaming\nvidiaInspector.exe

Filesize
484KB

MD5
83c9984b29ee1f908b45a963cfb8adea

SHA1
bd20801c13ae2e9b7d6ee1b8835615d921f057eb

SHA256
4128026b5a096ee35198fa18db1f6c6d27a81096aac48bc86803e5ad8a2dea7a

SHA512
d3f388eac1eaf0ea4f723cf9a5f8defbe8d43d0082216d591fdff81e2bbc4fdf1ff16acbc5c45120d15edacca3058ff2ab9aa3be43f5e4daeb7764cfba9d93e7

Download Submit
C:\Users\Admin\AppData\Roaming\sqlite3.dll

Filesize
904KB

MD5
9d255e04106ba7dcbd0bcb549e9a5a4e

SHA1
a9becb85b181c37ee5a940e149754c1912a901f1

SHA256
02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5

SHA512
54c54787a4ca8643271169be403069bc5f1e319a55d6a0ebd84fb0d96f6e9bddc52b0908541d29db04a042b531abd6c05073e27b0b2753196e0055b8b8200b09

Download Submit
memory/1936-17-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1936-15-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1936-96-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1936-56-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2024-126-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/2024-128-0x00000000754D0000-0x000000007564B000-memory.dmp

Filesize
1.5MB

Download
memory/3128-19-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/3128-6-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/3360-110-0x0000000061E00000-0x0000000061ECA000-memory.dmp

Filesize
808KB

Download
memory/3360-100-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/3360-108-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/3360-99-0x00000000754D0000-0x000000007564B000-memory.dmp

Filesize
1.5MB

Download
memory/3416-53-0x000000001B220000-0x000000001B228000-memory.dmp

Filesize
32KB

Download
memory/3416-52-0x000000001BC80000-0x000000001BD1C000-memory.dmp

Filesize
624KB

Download
memory/3416-51-0x000000001B710000-0x000000001BBDE000-memory.dmp

Filesize
4.8MB

Download
memory/3416-50-0x000000001B1A0000-0x000000001B202000-memory.dmp

Filesize
392KB

Download
memory/3508-25-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/3508-93-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/3508-58-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/4348-117-0x00000000754D0000-0x000000007564B000-memory.dmp

Filesize
1.5MB

Download
memory/4348-118-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/4348-120-0x0000000061E00000-0x0000000061ECA000-memory.dmp

Filesize
808KB

Download
memory/4348-119-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/4348-121-0x00000000754D0000-0x000000007564B000-memory.dmp

Filesize
1.5MB

Download
memory/4680-130-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/4680-131-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4808-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4808-21-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4808-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download