remcos | d0481cc270efd488b2366bf1273284e5bbcff6d789dbfca69f44326c50891b15

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation Sheet.rtf
Size

513KB
MD5

6ebd151b1a37761336dd8e064ed8d365
SHA1

a86119e2cbc335eb1075330b7f20b60dd1263e98
SHA256

d0481cc270efd488b2366bf1273284e5bbcff6d789dbfca69f44326c50891b15
SHA512

d99ace34043d39a820f717fd6fe2e32dc0a878a56d67e53ceffa38c69a46f9d85a49d31dcc330d68d8ce9a70797c54c8b719ef029df5be44aaa455b9236988f6
SSDEEP

6144:zwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAL:LemhR

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

www.kposlifestyle.design:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
edefdefffff
mouse_option
false
mutex
Rmc-OH1QS4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2516	EQNEDT32.EXE
7	2516	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1688	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2812	explorerplug.exe
1284	explorerplug.exe

Loads dropped DLL 1 IoCs

pid	Process
2516	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2812 set thread context of 1284	2812	explorerplug.exe	37

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorerplug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorerplug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2516	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2996	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1688	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2996	WINWORD.EXE
2996	WINWORD.EXE
1284	explorerplug.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2812	2516	EQNEDT32.EXE	32
PID 2516 wrote to memory of 2812	2516	EQNEDT32.EXE	32
PID 2516 wrote to memory of 2812	2516	EQNEDT32.EXE	32
PID 2516 wrote to memory of 2812	2516	EQNEDT32.EXE	32
PID 2996 wrote to memory of 2952	2996	WINWORD.EXE	35
PID 2996 wrote to memory of 2952	2996	WINWORD.EXE	35
PID 2996 wrote to memory of 2952	2996	WINWORD.EXE	35
PID 2996 wrote to memory of 2952	2996	WINWORD.EXE	35
PID 2812 wrote to memory of 1688	2812	explorerplug.exe	36
PID 2812 wrote to memory of 1688	2812	explorerplug.exe	36
PID 2812 wrote to memory of 1688	2812	explorerplug.exe	36
PID 2812 wrote to memory of 1688	2812	explorerplug.exe	36
PID 2812 wrote to memory of 1284	2812	explorerplug.exe	37
PID 2812 wrote to memory of 1284	2812	explorerplug.exe	37
PID 2812 wrote to memory of 1284	2812	explorerplug.exe	37
PID 2812 wrote to memory of 1284	2812	explorerplug.exe	37
PID 2812 wrote to memory of 1284	2812	explorerplug.exe	37
PID 2812 wrote to memory of 1284	2812	explorerplug.exe	37
PID 2812 wrote to memory of 1284	2812	explorerplug.exe	37
PID 2812 wrote to memory of 1284	2812	explorerplug.exe	37
PID 2812 wrote to memory of 1284	2812	explorerplug.exe	37
PID 2812 wrote to memory of 1284	2812	explorerplug.exe	37
PID 2812 wrote to memory of 1284	2812	explorerplug.exe	37
PID 1284 wrote to memory of 1364	1284	explorerplug.exe	40
PID 1284 wrote to memory of 1364	1284	explorerplug.exe	40
PID 1284 wrote to memory of 1364	1284	explorerplug.exe	40
PID 1284 wrote to memory of 1364	1284	explorerplug.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quotation Sheet.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2952

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Roaming\explorerplug.exe
  "C:\Users\Admin\AppData\Roaming\explorerplug.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\explorerplug.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Users\Admin\AppData\Roaming\explorerplug.exe
    "C:\Users\Admin\AppData\Roaming\explorerplug.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bmjentvtqxdovtlqdisno.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bmjentvtqxdovtlqdisno.vbs

Filesize
508B

MD5
58f8694dbc00b091854a8075ea6763ab

SHA1
e86e8bd082a4e46bbac2a9a6cbce5cc0e38b212a

SHA256
eb1d3ed9790c8237d7c622e2552b3c5c05b6e35ee612826f5984aba9d758bf08

SHA512
edda4bfb19d2852bf46685f651e091333b953e971823f591cc9d66e945d7a6287e6558ad4b85ff2cffadf49f6ec9ecae1a0f862c77b4f91e60407ba56f1a3110

Download Submit
\Users\Admin\AppData\Roaming\explorerplug.exe

Filesize
1.0MB

MD5
51bb5f38593e255c16ab2712757cda43

SHA1
458fbe81fed707852864c3bcc4997b27d6a65832

SHA256
1c80bf8e780ae58203e7f816c8fe04f66df434a3fbd981ba7c6e52e588622c03

SHA512
80d2f4464d5f036000318ef6ba43b23c8e5576c67989b0097adbf13545b790df1340937d1f7f67d0d8630b2f80c8b85e3286032554868424d2bb5612fda6dcf9

Download Submit
memory/1284-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1284-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-46-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-74-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-36-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-38-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-40-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-56-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-55-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-52-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-51-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-49-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-42-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-59-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-60-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-61-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-63-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-44-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1284-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2812-27-0x0000000000E40000-0x0000000000F48000-memory.dmp

Filesize
1.0MB

Download
memory/2812-35-0x00000000052E0000-0x00000000053A2000-memory.dmp

Filesize
776KB

Download
memory/2812-28-0x0000000000460000-0x0000000000486000-memory.dmp

Filesize
152KB

Download
memory/2996-2-0x00000000717ED000-0x00000000717F8000-memory.dmp

Filesize
44KB

Download
memory/2996-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2996-33-0x00000000717ED000-0x00000000717F8000-memory.dmp

Filesize
44KB

Download
memory/2996-0-0x000000002F7F1000-0x000000002F7F2000-memory.dmp

Filesize
4KB

Download