remcos | 5c4b26f4a1093361e2d2935343e6143541c151986fe8249cc3ef30968f118544

Analysis

max time kernel
269s
max time network
261s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order Inquiry Sample/Order Inquiry Sample.‮fdp.exe
Size

1.4MB
MD5

4918286bab253571011dca91a94c7a9d
SHA1

df4f5740aa5c17a6bab7f7df761f4485847bb1b9
SHA256

1d2318e3dc389cff6b70d6fb54e36d3af39c4953e10593f4cbb446f58788966d
SHA512

92cc906208c8895669cfa826813c2613aaf2eeb823d3c2482e8a3eb35a2e7ece94ef65006ebeb0338fc1dbadf638c083defecc0f202308fc62549feb1b0a54b1
SSDEEP

24576:TwJXLIjOU0HsOzj4j85M1hUQDAxzJX4wwI:kJXcjcsOzj4jGM1aK4FX

Score

10^/10

remcos wire 17/12 discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

wire 17/12

teebro1800.dynamic-dns.net:2195

teewire.ydns.eu:2195

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CXQHPD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2108	teeeee.exe
2180	teee.exe
940	teee.exe

Loads dropped DLL 4 IoCs

pid	Process
2812	cmd.exe
2812	cmd.exe
2108	teeeee.exe
2180	teee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\teeee = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\teee\\teeeee.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 1432	2108	teeeee.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order Inquiry Sample.‮fdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teeeee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2812	cmd.exe
1044	PING.EXE
2596	PING.EXE
1480	cmd.exe
2824	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2824	PING.EXE
1044	PING.EXE
2596	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1856	Order Inquiry Sample.‮fdp.exe
1856	Order Inquiry Sample.‮fdp.exe
1856	Order Inquiry Sample.‮fdp.exe
1856	Order Inquiry Sample.‮fdp.exe
2108	teeeee.exe
2108	teeeee.exe
2108	teeeee.exe
2108	teeeee.exe
2180	teee.exe
940	teee.exe
940	teee.exe
940	teee.exe
2108	teeeee.exe
2108	teeeee.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	Order Inquiry Sample.‮fdp.exe
Token: SeDebugPrivilege	2108	teeeee.exe
Token: SeDebugPrivilege	2180	teee.exe
Token: SeDebugPrivilege	940	teee.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1480	1856	Order Inquiry Sample.‮fdp.exe	30
PID 1856 wrote to memory of 1480	1856	Order Inquiry Sample.‮fdp.exe	30
PID 1856 wrote to memory of 1480	1856	Order Inquiry Sample.‮fdp.exe	30
PID 1856 wrote to memory of 1480	1856	Order Inquiry Sample.‮fdp.exe	30
PID 1480 wrote to memory of 2824	1480	cmd.exe	32
PID 1480 wrote to memory of 2824	1480	cmd.exe	32
PID 1480 wrote to memory of 2824	1480	cmd.exe	32
PID 1480 wrote to memory of 2824	1480	cmd.exe	32
PID 1856 wrote to memory of 2812	1856	Order Inquiry Sample.‮fdp.exe	33
PID 1856 wrote to memory of 2812	1856	Order Inquiry Sample.‮fdp.exe	33
PID 1856 wrote to memory of 2812	1856	Order Inquiry Sample.‮fdp.exe	33
PID 1856 wrote to memory of 2812	1856	Order Inquiry Sample.‮fdp.exe	33
PID 2812 wrote to memory of 1044	2812	cmd.exe	35
PID 2812 wrote to memory of 1044	2812	cmd.exe	35
PID 2812 wrote to memory of 1044	2812	cmd.exe	35
PID 2812 wrote to memory of 1044	2812	cmd.exe	35
PID 1480 wrote to memory of 2140	1480	cmd.exe	36
PID 1480 wrote to memory of 2140	1480	cmd.exe	36
PID 1480 wrote to memory of 2140	1480	cmd.exe	36
PID 1480 wrote to memory of 2140	1480	cmd.exe	36
PID 2812 wrote to memory of 2596	2812	cmd.exe	37
PID 2812 wrote to memory of 2596	2812	cmd.exe	37
PID 2812 wrote to memory of 2596	2812	cmd.exe	37
PID 2812 wrote to memory of 2596	2812	cmd.exe	37
PID 2812 wrote to memory of 2108	2812	cmd.exe	38
PID 2812 wrote to memory of 2108	2812	cmd.exe	38
PID 2812 wrote to memory of 2108	2812	cmd.exe	38
PID 2812 wrote to memory of 2108	2812	cmd.exe	38
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 1432	2108	teeeee.exe	39
PID 2108 wrote to memory of 2180	2108	teeeee.exe	40
PID 2108 wrote to memory of 2180	2108	teeeee.exe	40
PID 2108 wrote to memory of 2180	2108	teeeee.exe	40
PID 2108 wrote to memory of 2180	2108	teeeee.exe	40
PID 2180 wrote to memory of 940	2180	teee.exe	41
PID 2180 wrote to memory of 940	2180	teee.exe	41
PID 2180 wrote to memory of 940	2180	teee.exe	41
PID 2180 wrote to memory of 940	2180	teee.exe	41

C:\Users\Admin\AppData\Local\Temp\Order Inquiry Sample\Order Inquiry Sample.‮fdp.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry Sample\Order Inquiry Sample.‮fdp.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "teeee" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 39
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2824
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "teeee" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 40 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Order Inquiry Sample\Order Inquiry Sample.‮fdp.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe" && ping 127.0.0.1 -n 40 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 40
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1044
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 40
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2596
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\teee.exe
      "C:\Users\Admin\AppData\Local\Temp\teee.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\teee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\teee.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\teee.txt

Filesize
103B

MD5
3407c6db8c7e4497379f397b0df24d29

SHA1
f32e80e98e02db02ccbfee9698bf015b03acf2a1

SHA256
21e3803a82219ba0ebe78efa57e4cf7ce8a2a2e4282a95736af25b90e10ccd97

SHA512
65762104f39ec4a4ec715316b7d8936cc7a3764dd54754a27c756869f90c38a95b3bcb1f09fb8b1356f21ed6a40d7b6529280f77a20fd506f21bb6e9683439f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\teee.txt

Filesize
105B

MD5
c27d2d12489845ffb25f6502b2d51626

SHA1
f02175982a5bb0db20917e7e9e4c040789a364ba

SHA256
37cea88f63a44a50928c2933ef5855e8612a976ac506d2167d3ee91f6d9cf05a

SHA512
3f3e9571f621c26d12b026495b4c6f31acd5a7f991c8e20dc0116715e42b01a96768c5b14252cb8fd57ec2243e980308f31e41f7aade1c6ccaedacba1b5506b9

Download Submit
\Users\Admin\AppData\Local\Temp\teee.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe

Filesize
1.4MB

MD5
4918286bab253571011dca91a94c7a9d

SHA1
df4f5740aa5c17a6bab7f7df761f4485847bb1b9

SHA256
1d2318e3dc389cff6b70d6fb54e36d3af39c4953e10593f4cbb446f58788966d

SHA512
92cc906208c8895669cfa826813c2613aaf2eeb823d3c2482e8a3eb35a2e7ece94ef65006ebeb0338fc1dbadf638c083defecc0f202308fc62549feb1b0a54b1

Download Submit
memory/1432-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1432-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1432-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1856-5-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1856-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/1856-1-0x0000000000B70000-0x0000000000CD4000-memory.dmp

Filesize
1.4MB

Download
memory/1856-2-0x00000000003C0000-0x0000000000402000-memory.dmp

Filesize
264KB

Download
memory/1856-3-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1856-4-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/1856-6-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2108-19-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/2108-18-0x0000000000710000-0x000000000072A000-memory.dmp

Filesize
104KB

Download
memory/2108-17-0x00000000010F0000-0x0000000001254000-memory.dmp

Filesize
1.4MB

Download
memory/2180-49-0x0000000000D30000-0x0000000000D4A000-memory.dmp

Filesize
104KB

Download