remcos | 53ee1cf2f76ca5ca7eb3cbad6fa38a5dc04126fa7e3efa7e7449af4b1e659b8c

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Receipt-#202431029B3.exe
Size

1.2MB
MD5

152c7485cbeb3bc280d028e065891d6e
SHA1

0ddffbb675b4569217ea960b288da13a67801983
SHA256

1420ee82c4ec66f06a832f01c43b0aca270fa9990f82f23fb36b899cabe11590
SHA512

1dc27627c964b8d39251833e4a97b3c51b334fd9cdc132094082a1ac4cae4a6d97258e04e9b87de929c18340d4af53768fa99469085db777bafb59559b1208b3
SSDEEP

24576:dMZMXvpjs+e2azR9jSca2PEt2kWT3GJqhDYRoPd+pT2A:AMfpjs+b2PEfYY+PspT2A

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

172.245.244.69:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
JavaRuntime.exe
copy_folder
Java
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I0P1F7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
JavaRuntime
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1440	powershell.exe
764	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2312	JavaRuntime.exe
600	JavaRuntime.exe

Loads dropped DLL 1 IoCs

pid	Process
1604	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaRuntime = "\"C:\\ProgramData\\Java\\JavaRuntime.exe\""	Receipt-#202431029B3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaRuntime = "\"C:\\ProgramData\\Java\\JavaRuntime.exe\""	JavaRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaRuntime = "\"C:\\ProgramData\\Java\\JavaRuntime.exe\""	JavaRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaRuntime = "\"C:\\ProgramData\\Java\\JavaRuntime.exe\""	Receipt-#202431029B3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 2360	2488	Receipt-#202431029B3.exe	35
PID 2312 set thread context of 600	2312	JavaRuntime.exe	44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavaRuntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavaRuntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Receipt-#202431029B3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Receipt-#202431029B3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2768	schtasks.exe
852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1440	powershell.exe
764	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
600	JavaRuntime.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1440	2488	Receipt-#202431029B3.exe	31
PID 2488 wrote to memory of 1440	2488	Receipt-#202431029B3.exe	31
PID 2488 wrote to memory of 1440	2488	Receipt-#202431029B3.exe	31
PID 2488 wrote to memory of 1440	2488	Receipt-#202431029B3.exe	31
PID 2488 wrote to memory of 2768	2488	Receipt-#202431029B3.exe	33
PID 2488 wrote to memory of 2768	2488	Receipt-#202431029B3.exe	33
PID 2488 wrote to memory of 2768	2488	Receipt-#202431029B3.exe	33
PID 2488 wrote to memory of 2768	2488	Receipt-#202431029B3.exe	33
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2488 wrote to memory of 2360	2488	Receipt-#202431029B3.exe	35
PID 2360 wrote to memory of 2552	2360	Receipt-#202431029B3.exe	36
PID 2360 wrote to memory of 2552	2360	Receipt-#202431029B3.exe	36
PID 2360 wrote to memory of 2552	2360	Receipt-#202431029B3.exe	36
PID 2360 wrote to memory of 2552	2360	Receipt-#202431029B3.exe	36
PID 2552 wrote to memory of 1604	2552	WScript.exe	37
PID 2552 wrote to memory of 1604	2552	WScript.exe	37
PID 2552 wrote to memory of 1604	2552	WScript.exe	37
PID 2552 wrote to memory of 1604	2552	WScript.exe	37
PID 1604 wrote to memory of 2312	1604	cmd.exe	39
PID 1604 wrote to memory of 2312	1604	cmd.exe	39
PID 1604 wrote to memory of 2312	1604	cmd.exe	39
PID 1604 wrote to memory of 2312	1604	cmd.exe	39
PID 2312 wrote to memory of 764	2312	JavaRuntime.exe	40
PID 2312 wrote to memory of 764	2312	JavaRuntime.exe	40
PID 2312 wrote to memory of 764	2312	JavaRuntime.exe	40
PID 2312 wrote to memory of 764	2312	JavaRuntime.exe	40
PID 2312 wrote to memory of 852	2312	JavaRuntime.exe	42
PID 2312 wrote to memory of 852	2312	JavaRuntime.exe	42
PID 2312 wrote to memory of 852	2312	JavaRuntime.exe	42
PID 2312 wrote to memory of 852	2312	JavaRuntime.exe	42
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44
PID 2312 wrote to memory of 600	2312	JavaRuntime.exe	44

C:\Users\Admin\AppData\Local\Temp\Receipt-#202431029B3.exe
"C:\Users\Admin\AppData\Local\Temp\Receipt-#202431029B3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EtEJXD.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EtEJXD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D50.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\Receipt-#202431029B3.exe
  "C:\Users\Admin\AppData\Local\Temp\Receipt-#202431029B3.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Java\JavaRuntime.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\ProgramData\Java\JavaRuntime.exe
        
        C:\ProgramData\Java\JavaRuntime.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EtEJXD.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EtEJXD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F7E.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:852
      - C:\ProgramData\Java\JavaRuntime.exe
        
        "C:\ProgramData\Java\JavaRuntime.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Java\JavaRuntime.exe

Filesize
1.2MB

MD5
152c7485cbeb3bc280d028e065891d6e

SHA1
0ddffbb675b4569217ea960b288da13a67801983

SHA256
1420ee82c4ec66f06a832f01c43b0aca270fa9990f82f23fb36b899cabe11590

SHA512
1dc27627c964b8d39251833e4a97b3c51b334fd9cdc132094082a1ac4cae4a6d97258e04e9b87de929c18340d4af53768fa99469085db777bafb59559b1208b3

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
de91fdbfabaac3cf3fc31128b54b8089

SHA1
b1e34e0925518efbfcf0d96cbda206addaa6273f

SHA256
c52d415b688dbc923df45070bea56c3df754785e8cb694df9850f4726414e758

SHA512
d277e782106810407d27da9882ea5d52ddd61c1b0099d956329fd71d0b8f7adcbf696b5de7e69bdc430ca2d4282d87cbe96439f32059d9f213db67e2133314cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
392B

MD5
7935d3c5851b7744eaf93d733908c25c

SHA1
d4eea4f1943a84663fa887cea509f2527dc04e49

SHA256
bced2446ec2ee988dd2060e4a02be9b7413485da23be0be4e34934827518cb42

SHA512
25556efb93a58d6ba43345c1e5f39ba642a90fc1c051c3094e0e70b79d4a9d31221f1f1d9c6b03c59e852cf6a7a27ee2ce8124d885e14dd5ccca89062f0943cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1D50.tmp

Filesize
1KB

MD5
b842d3f18159091ce830fbc303461c66

SHA1
0d27b705191b655e88e875dc94b834f1950bd3a4

SHA256
19f217b1abcecf44e8baa670a97069c02d51d3559ab4ca00a9bec12c24c337f2

SHA512
e7258b3ade935389a4f6dbbb1f1bef91866e9ad2bfdee38b180b43e3077abcd6c869cc05a0dac0a074128732e31483e75aa9c8995dd4c15d5c663be1062640db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fc49d25e902a5b7b8f99408b811db37d

SHA1
b01e86a5458b50a2e3bad49daaa444ae27f9f9c1

SHA256
4be52ec72ccac1f7404829530aecd3ec75bd81596e3cae9cd2d3548188e37b51

SHA512
42ab9bac73e6f377c46a41c61c3bd9dc8248daa29d396590c2483a1a6dacca4705082103018a977f0fde00db741716a81c3729dae705a9b13fbaf4a247cb43ba

Download Submit
memory/600-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/600-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/600-95-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/600-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/600-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/600-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/600-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/600-92-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/600-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/600-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/600-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/600-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/600-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2312-42-0x0000000000A40000-0x0000000000B70000-memory.dmp

Filesize
1.2MB

Download
memory/2360-18-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2360-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2360-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2360-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2360-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2360-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2360-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2360-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2360-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2360-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2360-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2488-0-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2488-35-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-6-0x000000000A910000-0x000000000A9D0000-memory.dmp

Filesize
768KB

Download
memory/2488-5-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-4-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2488-3-0x0000000002100000-0x0000000002126000-memory.dmp

Filesize
152KB

Download
memory/2488-2-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-1-0x00000000009D0000-0x0000000000B00000-memory.dmp

Filesize
1.2MB

Download