remcos | 3ba181bbdfdd57e0fbc79d5eec317db90663f5f9bd5ac306ec246b1a6f0b4640

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zxplugmancryptedmn.exe
Size

1.0MB
MD5

139a100bdbef4afcd45377d48b1beb85
SHA1

060748f2572808df5c93131a5656fff82ab870c1
SHA256

3ba181bbdfdd57e0fbc79d5eec317db90663f5f9bd5ac306ec246b1a6f0b4640
SHA512

716c0cb31a58a261c72b54225ebd2e6f310363d9f884ccd9eac394b70fa6f1b9cfbdced87c0bf004facb9e3c7d43b58ab7e6f2e19b0142611e6c935044b55afb
SSDEEP

24576:y7JN+UVsa/olWwNeKP6eXuDabB39s9RAuOPt4OsOW:u3+UfPwNXC32W9MPc

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

www.kposlifestyle.design:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
edefdefffff
mouse_option
false
mutex
Rmc-OH1QS4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2932	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 2948	1788	zxplugmancryptedmn.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxplugmancryptedmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxplugmancryptedmn.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2932	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2948	zxplugmancryptedmn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2948	zxplugmancryptedmn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2932	1788	zxplugmancryptedmn.exe	28
PID 1788 wrote to memory of 2932	1788	zxplugmancryptedmn.exe	28
PID 1788 wrote to memory of 2932	1788	zxplugmancryptedmn.exe	28
PID 1788 wrote to memory of 2932	1788	zxplugmancryptedmn.exe	28
PID 1788 wrote to memory of 2948	1788	zxplugmancryptedmn.exe	30
PID 1788 wrote to memory of 2948	1788	zxplugmancryptedmn.exe	30
PID 1788 wrote to memory of 2948	1788	zxplugmancryptedmn.exe	30
PID 1788 wrote to memory of 2948	1788	zxplugmancryptedmn.exe	30
PID 1788 wrote to memory of 2948	1788	zxplugmancryptedmn.exe	30
PID 1788 wrote to memory of 2948	1788	zxplugmancryptedmn.exe	30
PID 1788 wrote to memory of 2948	1788	zxplugmancryptedmn.exe	30
PID 1788 wrote to memory of 2948	1788	zxplugmancryptedmn.exe	30
PID 1788 wrote to memory of 2948	1788	zxplugmancryptedmn.exe	30
PID 1788 wrote to memory of 2948	1788	zxplugmancryptedmn.exe	30
PID 1788 wrote to memory of 2948	1788	zxplugmancryptedmn.exe	30

C:\Users\Admin\AppData\Local\Temp\zxplugmancryptedmn.exe
"C:\Users\Admin\AppData\Local\Temp\zxplugmancryptedmn.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\zxplugmancryptedmn.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\zxplugmancryptedmn.exe
  "C:\Users\Admin\AppData\Local\Temp\zxplugmancryptedmn.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edefdefffff\logs.dat

Filesize
230B

MD5
b80f153dbe1c85521df056c2307a58c0

SHA1
4de144e1bf47698c1997dc6c8cf542375723aa1f

SHA256
4a9d954be965aa78e12bd005f8c20923e9666967f9fe7cffe3588afd4502a33f

SHA512
0bf0c2777bbaebeff7579b70435fb6da9f70da5de821a1788abe6a6a2092a304d9e36d53634fad5d245c118c899b9a14b186b1b70f5e43930d209e405d9930aa

Download Submit
C:\ProgramData\edefdefffff\logs.dat

Filesize
144B

MD5
0542659aa450e9fc68df455167130c53

SHA1
6bf5c01c35f78ffe2006df52ad43afbd170d50ff

SHA256
2d7d63ededd9b9fc518e25efa355bf01f419a5045ede5ade471613cb74770306

SHA512
cb7fe23387e748bfaca89b03dedac44e5d4e1e9e7fdfdf8941b1169a1bf72c36295a8afccb0d7562b8fc94f2cb4f34d90aba20a0b12f82052e0c5eed0e871212

Download Submit
memory/1788-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1788-1-0x00000000010F0000-0x00000000011FC000-memory.dmp

Filesize
1.0MB

Download
memory/1788-2-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/1788-3-0x0000000000500000-0x0000000000526000-memory.dmp

Filesize
152KB

Download
memory/1788-4-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1788-5-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/1788-6-0x000000000A240000-0x000000000A304000-memory.dmp

Filesize
784KB

Download
memory/1788-21-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2948-9-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-15-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-22-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-23-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-18-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-17-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2948-12-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-11-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-10-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-24-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-8-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-7-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-27-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-28-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-29-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-30-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-32-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-33-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-34-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-35-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-37-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-38-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-39-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-40-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-41-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-42-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-44-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-45-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-46-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-47-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-49-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-50-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-51-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-52-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-53-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-55-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-56-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-57-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-58-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-60-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-61-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-62-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-63-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-84-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2948-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download