remcos | 5c4b26f4a1093361e2d2935343e6143541c151986fe8249cc3ef30968f118544

Analysis

max time kernel
267s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order Inquiry Sample/Order Inquiry Sample.‮fdp.exe
Size

1.4MB
MD5

4918286bab253571011dca91a94c7a9d
SHA1

df4f5740aa5c17a6bab7f7df761f4485847bb1b9
SHA256

1d2318e3dc389cff6b70d6fb54e36d3af39c4953e10593f4cbb446f58788966d
SHA512

92cc906208c8895669cfa826813c2613aaf2eeb823d3c2482e8a3eb35a2e7ece94ef65006ebeb0338fc1dbadf638c083defecc0f202308fc62549feb1b0a54b1
SSDEEP

24576:TwJXLIjOU0HsOzj4j85M1hUQDAxzJX4wwI:kJXcjcsOzj4jGM1aK4FX

Score

10^/10

remcos wire 17/12 discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

wire 17/12

teebro1800.dynamic-dns.net:2195

teewire.ydns.eu:2195

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-CXQHPD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	teeeee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	teee.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
4376	teeeee.exe
1748	teee.exe
1932	teee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teeee = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\teee\\teeeee.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4376 set thread context of 4212	4376	teeeee.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teeeee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order Inquiry Sample.‮fdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1464	PING.EXE
2092	cmd.exe
1928	PING.EXE
4100	PING.EXE
100	cmd.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1464	PING.EXE
1928	PING.EXE
4100	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
1520	Order Inquiry Sample.‮fdp.exe
4376	teeeee.exe
4376	teeeee.exe
4376	teeeee.exe
4376	teeeee.exe
1748	teee.exe
1932	teee.exe
1932	teee.exe
1932	teee.exe
4376	teeeee.exe
4376	teeeee.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	Order Inquiry Sample.‮fdp.exe
Token: SeDebugPrivilege	4376	teeeee.exe
Token: SeDebugPrivilege	1748	teee.exe
Token: SeDebugPrivilege	1932	teee.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 100	1520	Order Inquiry Sample.‮fdp.exe	83
PID 1520 wrote to memory of 100	1520	Order Inquiry Sample.‮fdp.exe	83
PID 1520 wrote to memory of 100	1520	Order Inquiry Sample.‮fdp.exe	83
PID 100 wrote to memory of 1464	100	cmd.exe	85
PID 100 wrote to memory of 1464	100	cmd.exe	85
PID 100 wrote to memory of 1464	100	cmd.exe	85
PID 1520 wrote to memory of 2092	1520	Order Inquiry Sample.‮fdp.exe	101
PID 1520 wrote to memory of 2092	1520	Order Inquiry Sample.‮fdp.exe	101
PID 1520 wrote to memory of 2092	1520	Order Inquiry Sample.‮fdp.exe	101
PID 2092 wrote to memory of 1928	2092	cmd.exe	103
PID 2092 wrote to memory of 1928	2092	cmd.exe	103
PID 2092 wrote to memory of 1928	2092	cmd.exe	103
PID 100 wrote to memory of 4072	100	cmd.exe	104
PID 100 wrote to memory of 4072	100	cmd.exe	104
PID 100 wrote to memory of 4072	100	cmd.exe	104
PID 2092 wrote to memory of 4100	2092	cmd.exe	108
PID 2092 wrote to memory of 4100	2092	cmd.exe	108
PID 2092 wrote to memory of 4100	2092	cmd.exe	108
PID 2092 wrote to memory of 4376	2092	cmd.exe	109
PID 2092 wrote to memory of 4376	2092	cmd.exe	109
PID 2092 wrote to memory of 4376	2092	cmd.exe	109
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 4212	4376	teeeee.exe	110
PID 4376 wrote to memory of 1748	4376	teeeee.exe	112
PID 4376 wrote to memory of 1748	4376	teeeee.exe	112
PID 4376 wrote to memory of 1748	4376	teeeee.exe	112
PID 1748 wrote to memory of 1932	1748	teee.exe	113
PID 1748 wrote to memory of 1932	1748	teee.exe	113
PID 1748 wrote to memory of 1932	1748	teee.exe	113

C:\Users\Admin\AppData\Local\Temp\Order Inquiry Sample\Order Inquiry Sample.‮fdp.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry Sample\Order Inquiry Sample.‮fdp.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "teeee" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 38
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1464
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "teeee" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 40 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Order Inquiry Sample\Order Inquiry Sample.‮fdp.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe" && ping 127.0.0.1 -n 40 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 40
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1928
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 40
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4100
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\teee.exe
      "C:\Users\Admin\AppData\Local\Temp\teee.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\teee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\teee.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\teee.exe.log

Filesize
1KB

MD5
7dca233df92b3884663fa5a40db8d49c

SHA1
208b8f27b708c4e06ac37f974471cc7b29c29b60

SHA256
90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

SHA512
d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\teee.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\teee.txt

Filesize
103B

MD5
62c3495a16adb867915d37b7f0c4e87e

SHA1
9fd0f9b8bd327686a2500ddfd883ed779d688fa8

SHA256
ae04c36f98ad50376a16df6435ff701a3b5b372bbf54425f35ff7dcdebee3901

SHA512
ea5d317f04368fdd9b012b95102979f47a57b42777f366de29c7efde75e85feaeeb99beabf24b44e6c4a84e6663fda94e45b2742512badc6e39e3c1933cd3c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\teee.txt

Filesize
106B

MD5
b17f994a19fbf4cba98a329a658586b0

SHA1
f13d7cf2612f97a3fc74265c2e06deeba4b14d06

SHA256
970a3adfa2aa4e276efb9580bb05eeb78e9eaaaf4a3ba7b5c4e2871865698527

SHA512
60cc0447cb06f8bedacb42d17cc776579a1fcb7942e10f7abf08bb559fa5a677ac7807b20e8cc91d93f9a6ef8efe521798e0f86148698e0544f8ccf8cddfd905

Download Submit
C:\Users\Admin\AppData\Local\Temp\teee.txt

Filesize
106B

MD5
989faa465d743c2809c3221797b2854d

SHA1
538a10595cd4572243c646ebfe1eb3a60913eddb

SHA256
2ea791874bb715f21fd9b1accdf2bbf705b26f5cbb58df8eede67eac062c069e

SHA512
4bd763b8c03728e8e74cc98d00f0d7d643c8ba931b90515911670c108da38ebbf7f32037e0db7924c2b26fe88bd0a3b9a0e73db00edf7f62c66fac39961f2f87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teee\teeeee.exe

Filesize
1.4MB

MD5
4918286bab253571011dca91a94c7a9d

SHA1
df4f5740aa5c17a6bab7f7df761f4485847bb1b9

SHA256
1d2318e3dc389cff6b70d6fb54e36d3af39c4953e10593f4cbb446f58788966d

SHA512
92cc906208c8895669cfa826813c2613aaf2eeb823d3c2482e8a3eb35a2e7ece94ef65006ebeb0338fc1dbadf638c083defecc0f202308fc62549feb1b0a54b1

Download Submit
memory/1520-9-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1520-7-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/1520-8-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/1520-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/1520-10-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1520-12-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1520-6-0x00000000051F0000-0x0000000005232000-memory.dmp

Filesize
264KB

Download
memory/1520-1-0x0000000000140000-0x00000000002A4000-memory.dmp

Filesize
1.4MB

Download
memory/1520-2-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/1520-3-0x0000000005300000-0x0000000005392000-memory.dmp

Filesize
584KB

Download
memory/1520-4-0x00000000053A0000-0x000000000543C000-memory.dmp

Filesize
624KB

Download
memory/1520-5-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1748-41-0x00000000008A0000-0x00000000008BA000-memory.dmp

Filesize
104KB

Download
memory/4212-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4212-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4212-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4212-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4212-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4212-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4212-55-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4212-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4212-52-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4212-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4376-23-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download
memory/4376-18-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4376-19-0x0000000000D80000-0x0000000000EE4000-memory.dmp

Filesize
1.4MB

Download
memory/4376-20-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4376-21-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4376-22-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4376-24-0x0000000007760000-0x0000000007766000-memory.dmp

Filesize
24KB

Download