remcos | 20fefa38a50cd99ab81181ab99bee40c3639dbdd465ce2e277eebf1bd6308433

Resubmissions

07-01-2025 16:33

250107-t21fbs1kel 10

07-01-2025 16:25

250107-txdqrsynbz 10

Analysis

max time kernel
231s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remcos v5.3.0 Light.exe
Size

38.5MB
MD5

be1aa2a7600e0845d73cd004cd385135
SHA1

b49bfa8ada17ce0f4497a2f2e589824e700360ba
SHA256

20fefa38a50cd99ab81181ab99bee40c3639dbdd465ce2e277eebf1bd6308433
SHA512

adea6c19d96435f853cfa4685f836d20970d944d8155b0ec9d30b7ba3499bb46d9b3125a5a3baf5c244247de3ccd79de0835a3bbc0416b36083e78a1fc865e10
SSDEEP

786432:i3hQRdPjIyoLKX7ho1zqC0tIvNFom4jeA+bG:vvPj0CNUzqCYSaLjeZa

Score

10^/10

remcos discovery rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 1 IoCs

pid	Process
3156	remcos_a.exe

Loads dropped DLL 2 IoCs

pid	Process
1096	Remcos v5.3.0 Light.exe
1096	Remcos v5.3.0 Light.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1096	Remcos v5.3.0 Light.exe
1096	Remcos v5.3.0 Light.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3892	3156	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos v5.3.0 Light.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Remcos v5.3.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Remcos v5.3.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Remcos v5.3.0 Light.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Remcos v5.3.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	Remcos v5.3.0 Light.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1096	Remcos v5.3.0 Light.exe
1096	Remcos v5.3.0 Light.exe
1096	Remcos v5.3.0 Light.exe
1096	Remcos v5.3.0 Light.exe
1096	Remcos v5.3.0 Light.exe
1096	Remcos v5.3.0 Light.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1096	Remcos v5.3.0 Light.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	taskmgr.exe
Token: SeSystemProfilePrivilege	1300	taskmgr.exe
Token: SeCreateGlobalPrivilege	1300	taskmgr.exe
Token: 33	1300	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1300	taskmgr.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1096	Remcos v5.3.0 Light.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
1096	Remcos v5.3.0 Light.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe
1300	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1096	Remcos v5.3.0 Light.exe
1096	Remcos v5.3.0 Light.exe

C:\Users\Admin\AppData\Local\Temp\Remcos v5.3.0 Light.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v5.3.0 Light.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3428

C:\Users\Admin\Downloads\remcos_a.exe
"C:\Users\Admin\Downloads\remcos_a.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 536
  2⤵
  - Program crash
  PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3156 -ip 3156
1⤵
PID:4948

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini

Filesize
63B

MD5
4570d3a7dfd7f24d6185ec87d2bc5626

SHA1
8ba80e608f1ca729a42df668be505816a38faf3a

SHA256
2d181dc1597e200d60085f99baa3cc8273ba8b6ec1c1d48d9e0279f9a18ec972

SHA512
5bda5b6e59f029c308b84877fdeb17deaf8bbb8f95bbd88daa29727d1dcdc51451f76a39eba3714c6dab7ee3703b649552094353b3bb55508d09400c98db9aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos_Settings.ini

Filesize
29B

MD5
5ef6edd2053ba7dae1c9b137deddff92

SHA1
3f8a68838109ca0fa42e451aded13c1dcb5496e3

SHA256
4ef0b5f5085ee7b911b8f64a66c40c45cc3049b74e1e8154acc8338337ab717f

SHA512
f1a3a705e9d49ad6f1f4408a2cd2f7b1803c15ea0c2d7d1326e52e27689add38a5a718f87015697cfd4af043a64718f369e9a1e9276940c0304efcee3098572e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLS\libeay32.dll

Filesize
1.3MB

MD5
fa5def992198121d4bb5ff3bde39fdc9

SHA1
f684152c245cc708fbaf4d1c0472d783b26c5b18

SHA256
5264a4a478383f501961f2bd9beb1f77a43a487b76090561bba2cbfe951e5305

SHA512
4589382a71cd3a577b83bab4a0209e72e02f603e7da6ef3175b6a74bd958e70a891091dbdff4be0725baca2d665470594b03f074983b3ed3242e5cd04783fdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLS\ssleay32.dll

Filesize
330KB

MD5
2117e31688aef8ecf267978265bfcdcd

SHA1
e8c3cfd65ed7947f23b1bb0b66185e1e73913cfc

SHA256
0a4031ab00664cc5e202c8731798800f0475ef76800122cebd71d249655d725f

SHA512
dd03899429c2d542558e30c84a076d7e5dbde5128495954093a7031854c1df68f8ff8eca4c791144937288b084dd261fbe090c4ff9a3e0768e26f0616b474eca

Download Submit
C:\Users\Admin\Downloads\remcos_a.exe

Filesize
428KB

MD5
c5f09b7719c8b0fff49750c4207b06b2

SHA1
a4e05827087c2db01d12677bde55079d549271a3

SHA256
254062f88f40324329b91a934ecd2b38355225a18f90e0d6f6588f8e181163b8

SHA512
d69a070d0ef9e937be6c5aba18ae21ba37f6a2c502a1b8d48ae9d088d338f3134b52ec1b920ceec9d2450b59bd90ac37b90b966ac3cabdc4304d83cb2b4742c0

Download Submit
memory/1096-7-0x0000000006DB0000-0x0000000006DB1000-memory.dmp

Filesize
4KB

Download
memory/1096-4-0x00000000067D0000-0x00000000067D1000-memory.dmp

Filesize
4KB

Download
memory/1096-0-0x0000000000401000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/1096-5-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/1096-9-0x0000000000400000-0x00000000065DB000-memory.dmp

Filesize
97.9MB

Download
memory/1096-12-0x0000000000400000-0x00000000065DB000-memory.dmp

Filesize
97.9MB

Download
memory/1096-13-0x0000000000400000-0x00000000065DB000-memory.dmp

Filesize
97.9MB

Download
memory/1096-14-0x0000000000400000-0x00000000065DB000-memory.dmp

Filesize
97.9MB

Download
memory/1096-6-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/1096-1-0x0000000006790000-0x0000000006791000-memory.dmp

Filesize
4KB

Download
memory/1096-2-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/1096-8-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/1096-3-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/1300-159-0x0000026CD2710000-0x0000026CD2711000-memory.dmp

Filesize
4KB

Download
memory/1300-161-0x0000026CD2710000-0x0000026CD2711000-memory.dmp

Filesize
4KB

Download
memory/1300-160-0x0000026CD2710000-0x0000026CD2711000-memory.dmp

Filesize
4KB

Download
memory/1300-171-0x0000026CD2710000-0x0000026CD2711000-memory.dmp

Filesize
4KB

Download
memory/1300-170-0x0000026CD2710000-0x0000026CD2711000-memory.dmp

Filesize
4KB

Download
memory/1300-169-0x0000026CD2710000-0x0000026CD2711000-memory.dmp

Filesize
4KB

Download
memory/1300-168-0x0000026CD2710000-0x0000026CD2711000-memory.dmp

Filesize
4KB

Download
memory/1300-167-0x0000026CD2710000-0x0000026CD2711000-memory.dmp

Filesize
4KB

Download
memory/1300-166-0x0000026CD2710000-0x0000026CD2711000-memory.dmp

Filesize
4KB

Download
memory/1300-165-0x0000026CD2710000-0x0000026CD2711000-memory.dmp

Filesize
4KB

Download