remcos | 51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Size

962KB
MD5

4a9440baa61be8363a372b0bbc5933ad
SHA1

9aa5380dc87829c6fa22e9029cadcab9f6221ef9
SHA256

51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c
SHA512

648bd4434ce14e15c3faba25945525fffec6dad028e8fe26982d70096ccd448ca6e114e10739b1e990ea65970db97897713b8054450f1cd98c9aacb596436b0c
SSDEEP

24576:fdFeteG2H+FLBvmhCWWmLiUZklZGIo/KCrB:FA9w+bvmhCWWpUZkbDo5rB

Score

10^/10

remcos graias discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Graias

185.234.72.215:4444

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
graias.exe
copy_folder
Graias
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
graias
mouse_option
false
mutex
Rmc-O844B9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2072	powershell.exe
1756	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
3068	graias.exe
2440	graias.exe
1620	graias.exe
1712	graias.exe
2524	graias.exe
1852	graias.exe

Loads dropped DLL 7 IoCs

pid	Process
2140	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
2140	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-O844B9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Graias\\graias.exe\""	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2652	2488	WerFault.exe	30
1948	3068	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	graias.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2072	powershell.exe
3068	graias.exe
3068	graias.exe
3068	graias.exe
3068	graias.exe
3068	graias.exe
3068	graias.exe
3068	graias.exe
3068	graias.exe
3068	graias.exe
3068	graias.exe
1756	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	3068	graias.exe
Token: SeDebugPrivilege	1756	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2072	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	31
PID 2488 wrote to memory of 2072	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	31
PID 2488 wrote to memory of 2072	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	31
PID 2488 wrote to memory of 2072	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	31
PID 2488 wrote to memory of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32
PID 2488 wrote to memory of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32
PID 2488 wrote to memory of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32
PID 2488 wrote to memory of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32
PID 2488 wrote to memory of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32
PID 2488 wrote to memory of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32
PID 2488 wrote to memory of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32
PID 2488 wrote to memory of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32
PID 2488 wrote to memory of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32
PID 2488 wrote to memory of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32
PID 2488 wrote to memory of 2140	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	32
PID 2488 wrote to memory of 2652	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	34
PID 2488 wrote to memory of 2652	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	34
PID 2488 wrote to memory of 2652	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	34
PID 2488 wrote to memory of 2652	2488	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	34
PID 2140 wrote to memory of 3068	2140	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	35
PID 2140 wrote to memory of 3068	2140	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	35
PID 2140 wrote to memory of 3068	2140	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	35
PID 2140 wrote to memory of 3068	2140	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	35
PID 3068 wrote to memory of 1756	3068	graias.exe	36
PID 3068 wrote to memory of 1756	3068	graias.exe	36
PID 3068 wrote to memory of 1756	3068	graias.exe	36
PID 3068 wrote to memory of 1756	3068	graias.exe	36
PID 3068 wrote to memory of 2440	3068	graias.exe	38
PID 3068 wrote to memory of 2440	3068	graias.exe	38
PID 3068 wrote to memory of 2440	3068	graias.exe	38
PID 3068 wrote to memory of 2440	3068	graias.exe	38
PID 3068 wrote to memory of 1712	3068	graias.exe	39
PID 3068 wrote to memory of 1712	3068	graias.exe	39
PID 3068 wrote to memory of 1712	3068	graias.exe	39
PID 3068 wrote to memory of 1712	3068	graias.exe	39
PID 3068 wrote to memory of 1620	3068	graias.exe	40
PID 3068 wrote to memory of 1620	3068	graias.exe	40
PID 3068 wrote to memory of 1620	3068	graias.exe	40
PID 3068 wrote to memory of 1620	3068	graias.exe	40
PID 3068 wrote to memory of 1852	3068	graias.exe	41
PID 3068 wrote to memory of 1852	3068	graias.exe	41
PID 3068 wrote to memory of 1852	3068	graias.exe	41
PID 3068 wrote to memory of 1852	3068	graias.exe	41
PID 3068 wrote to memory of 2524	3068	graias.exe	42
PID 3068 wrote to memory of 2524	3068	graias.exe	42
PID 3068 wrote to memory of 2524	3068	graias.exe	42
PID 3068 wrote to memory of 2524	3068	graias.exe	42
PID 3068 wrote to memory of 1948	3068	graias.exe	43
PID 3068 wrote to memory of 1948	3068	graias.exe	43
PID 3068 wrote to memory of 1948	3068	graias.exe	43
PID 3068 wrote to memory of 1948	3068	graias.exe	43

C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
"C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
  "C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
    "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1756
  - - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
      "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Executes dropped EXE
      PID:2440
  - - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
      "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Executes dropped EXE
      PID:1712
  - - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
      "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Executes dropped EXE
      PID:1620
  - - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
      "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Executes dropped EXE
      PID:1852
  - - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
      "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Executes dropped EXE
      PID:2524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 892
      4⤵
      Loads dropped DLL
      Program crash
      PID:1948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 900
  2⤵
  - Program crash
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UYPFS3BVA9DLTFQS83QN.temp

Filesize
7KB

MD5
a3b4bd3a6a2b1edea86f65ac3f6dd01c

SHA1
091f7915dab61a1b69e1780f34321accf272242e

SHA256
fa6596049c8d2193f0ce339063435b06574faa21efe9d1ed3f08d967168aa561

SHA512
53dab344d40bb7b7ccf924d4f68b33617962262fc1c41c025cb1f5d01c36dc6e6bcfa8b5ab4f38db50c8ad6d2e6227e2e332e58fb9190e00ac64229ebd9dcc79

Download Submit
\Users\Admin\AppData\Roaming\Graias\graias.exe

Filesize
962KB

MD5
4a9440baa61be8363a372b0bbc5933ad

SHA1
9aa5380dc87829c6fa22e9029cadcab9f6221ef9

SHA256
51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c

SHA512
648bd4434ce14e15c3faba25945525fffec6dad028e8fe26982d70096ccd448ca6e114e10739b1e990ea65970db97897713b8054450f1cd98c9aacb596436b0c

Download Submit
memory/2140-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2140-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2140-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2140-8-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2140-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2140-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2140-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2140-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2140-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2140-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2140-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2488-3-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/2488-6-0x0000000005190000-0x0000000005254000-memory.dmp

Filesize
784KB

Download
memory/2488-0-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/2488-5-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-2-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-4-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/2488-39-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-1-0x00000000013E0000-0x00000000014D8000-memory.dmp

Filesize
992KB

Download
memory/3068-38-0x00000000001D0000-0x00000000002C8000-memory.dmp

Filesize
992KB

Download
memory/3068-40-0x0000000004ED0000-0x0000000004F94000-memory.dmp

Filesize
784KB

Download