remcos | 357a5929cd1b2559b2a50320b4ef80b4f0b004d2aaa40b139888b848fe1cc0f8

Analysis

max time kernel
150s
max time network
36s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DarkCrypter2.1a.exe
Size

4.4MB
MD5

9d4c4dccaf0b326d53d28486caba0695
SHA1

dab4f18ce630e70ddeb13cc15e6ce49a612c9659
SHA256

357a5929cd1b2559b2a50320b4ef80b4f0b004d2aaa40b139888b848fe1cc0f8
SHA512

f639c4e3f58b08ea33a0576da409a6a3c7d30d525ff7a9e23da4fe55890f860baa08b434eccc2332628ab8989ecaf0e995767df433b10340d1f053032371f458
SSDEEP

98304:CQBZnWAWcWbFbIpvObbzkn/wYOjhGcwkn39d9Iq1sqZ26m/zItUxsbb:xWJcYbcObbzk/wYA8md1sqZ26mstUxs

Score

10^/10

remcos rmnoncrypt discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RmNONcrypt

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
19
connect_interval
12
copy_file
redistkb_102241.exe
copy_folder
.monosvc
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
dmpmini.dat
keylog_flag
false
keylog_folder
.monosvc
keylog_path
%AppData%
mouse_option
false
mutex
h9KMA-TKWTGJ
screenshot_crypt
true
screenshot_flag
false
screenshot_folder
fstlock
screenshot_path
%AppData%
screenshot_time
10
startup_value
Battery status
take_screenshot_option
true
take_screenshot_time
6
take_screenshot_title
Account;Payment;PayPal;License;Activation;Client;Banking

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 3 IoCs

pid	Process
2528	redistkb_102241.exe
2836	DarkCrypter.exe
2856	redistkb_102241.exe

Loads dropped DLL 2 IoCs

pid	Process
2712	cmd.exe
2712	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Battery status = "\"C:\\Users\\Admin\\AppData\\Roaming\\.monosvc\\redistkb_102241.exe\""	redistkb_102241.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Battery status = "\"C:\\Users\\Admin\\AppData\\Roaming\\.monosvc\\redistkb_102241.exe\""	redistkb_102241.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2856 set thread context of 2684	2856	redistkb_102241.exe	35
PID 2684 set thread context of 2236	2684	iexplore.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	redistkb_102241.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	redistkb_102241.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkCrypter.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
108	DarkCrypter2.1a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2684	iexplore.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2856	redistkb_102241.exe
2684	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	108	DarkCrypter2.1a.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2528	108	DarkCrypter2.1a.exe	29
PID 108 wrote to memory of 2528	108	DarkCrypter2.1a.exe	29
PID 108 wrote to memory of 2528	108	DarkCrypter2.1a.exe	29
PID 108 wrote to memory of 2528	108	DarkCrypter2.1a.exe	29
PID 108 wrote to memory of 2836	108	DarkCrypter2.1a.exe	30
PID 108 wrote to memory of 2836	108	DarkCrypter2.1a.exe	30
PID 108 wrote to memory of 2836	108	DarkCrypter2.1a.exe	30
PID 108 wrote to memory of 2836	108	DarkCrypter2.1a.exe	30
PID 2528 wrote to memory of 2560	2528	redistkb_102241.exe	31
PID 2528 wrote to memory of 2560	2528	redistkb_102241.exe	31
PID 2528 wrote to memory of 2560	2528	redistkb_102241.exe	31
PID 2528 wrote to memory of 2560	2528	redistkb_102241.exe	31
PID 2560 wrote to memory of 2712	2560	WScript.exe	32
PID 2560 wrote to memory of 2712	2560	WScript.exe	32
PID 2560 wrote to memory of 2712	2560	WScript.exe	32
PID 2560 wrote to memory of 2712	2560	WScript.exe	32
PID 2712 wrote to memory of 2856	2712	cmd.exe	34
PID 2712 wrote to memory of 2856	2712	cmd.exe	34
PID 2712 wrote to memory of 2856	2712	cmd.exe	34
PID 2712 wrote to memory of 2856	2712	cmd.exe	34
PID 2856 wrote to memory of 2684	2856	redistkb_102241.exe	35
PID 2856 wrote to memory of 2684	2856	redistkb_102241.exe	35
PID 2856 wrote to memory of 2684	2856	redistkb_102241.exe	35
PID 2856 wrote to memory of 2684	2856	redistkb_102241.exe	35
PID 2856 wrote to memory of 2684	2856	redistkb_102241.exe	35
PID 2684 wrote to memory of 2236	2684	iexplore.exe	36
PID 2684 wrote to memory of 2236	2684	iexplore.exe	36
PID 2684 wrote to memory of 2236	2684	iexplore.exe	36
PID 2684 wrote to memory of 2236	2684	iexplore.exe	36
PID 2684 wrote to memory of 2236	2684	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\DarkCrypter2.1a.exe
"C:\Users\Admin\AppData\Local\Temp\DarkCrypter2.1a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\redistkb_102241.exe
  "C:\Users\Admin\AppData\Local\redistkb_102241.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\.monosvc\redistkb_102241.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Users\Admin\AppData\Roaming\.monosvc\redistkb_102241.exe
        
        C:\Users\Admin\AppData\Roaming\.monosvc\redistkb_102241.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        
        PID:2236
- C:\Users\Admin\AppData\Local\Temp\DarkCrypter.exe
  "C:\Users\Admin\AppData\Local\Temp\DarkCrypter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DarkCrypter.exe

Filesize
590KB

MD5
3e3c7cbd439042a60a5a0eb150d2e7aa

SHA1
7b1303e7eef008c97ac1f407de34af08d95291eb

SHA256
5f9a1bc81cf3bfffe81067630dd5fe4c25d516353e54132e420eff35f0156514

SHA512
1a65a02aecfcfdf9a49516644c76b3a94904f70944537dc436ebfdb95f030f8f7a387505d66cb9c415b5dcccf681d20b5dc8e3692d6fc95b1a0f8e0945804d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
572B

MD5
d2359c5691ac3ffcfc78ab585b32deca

SHA1
09709fe850bb4db30459173d634682ad3ed78a81

SHA256
930795647c90cf9044215ad8f76189bd485d2b56b329e728a4ad9a9047f419e1

SHA512
ae427f1f73afd54316a2d7d5f4cf8c10a8d0fd8bde683d939d56352be6727428f5d9598c663bb7b5af832a2be002e9ab802216fc4c3923e19192bec9c2f6c521

Download Submit
C:\Users\Admin\AppData\Local\redistkb_102241.exe

Filesize
519KB

MD5
166baf7c1b376aba82e83c643a6450e1

SHA1
9baac4d43b1c2d92eadd212f817b7f38976984b7

SHA256
470b1ff5a7d8b9bc71793b1f3da5dfa5fef5bf0c96f7b62982c6999b5bdbee8e

SHA512
a9c6aef0e70a5c1873302eedfa510eefc56366750f9fcb2c2e260099afcc7aad1133a41af7d94f116b966b980ec86b4004dbbadc6e315ea0616037c986f5ffc4

Download Submit
memory/108-1-0x0000000000C50000-0x00000000010C4000-memory.dmp

Filesize
4.5MB

Download
memory/108-2-0x000000001B800000-0x000000001BF20000-memory.dmp

Filesize
7.1MB

Download
memory/108-3-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/108-4-0x000000001A870000-0x000000001AC3A000-memory.dmp

Filesize
3.8MB

Download
memory/108-0-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

Filesize
4KB

Download
memory/108-31-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2236-51-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2528-29-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-56-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-66-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-40-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-45-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-43-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-42-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-38-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2684-52-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-53-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-54-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-55-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-87-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-58-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-59-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-60-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-62-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-63-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-64-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-86-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-67-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-68-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-70-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-71-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-72-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-74-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-73-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-75-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-76-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-78-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-79-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-80-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-82-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-83-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2684-84-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2836-22-0x00000000003B0000-0x000000000044A000-memory.dmp

Filesize
616KB

Download
memory/2856-39-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download