remcos | 4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5_NeikiAnalytics.exe
Size

137KB
MD5

e00031d57b49909b95ded10db62617d0
SHA1

18058c6408248bd17b68344118e03a8ca30b47c3
SHA256

4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5
SHA512

5cc7b09643456ac64e1a87437882d021be18c07b70d21b104c4cea0e0230f874732dd364a6ae7840ebce511aafc2e365e1fc71c02f86f7c7ebf8564db0bc50fc
SSDEEP

1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKR:xPd4n/M+WLcilrpgGH/GwY87mVmIXB

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
OfficeUpgrade.exe
copy_folder
OfficeUpgrade
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
Upgrader.dat
keylog_flag
false
keylog_folder
Upgrader
keylog_path
%AppData%
mouse_option
false
mutex
req_khauflaoyr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
OfficeUpgrade
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

Processes:

wn2ra4ohzdr.exewn2ra4ohzdr.exe

pid process

2344 wn2ra4ohzdr.exe
1820 wn2ra4ohzdr.exe

pid	process
2344	wn2ra4ohzdr.exe
1820	wn2ra4ohzdr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe"	4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wn2ra4ohzdr.exe

description pid process target process

PID 2344 set thread context of 1820 2344 wn2ra4ohzdr.exe wn2ra4ohzdr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wn2ra4ohzdr.exe

pid process

1820 wn2ra4ohzdr.exe

description	pid	process	target process
PID 2344 set thread context of 1820	2344	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe

pid	process
1820	wn2ra4ohzdr.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5_NeikiAnalytics.exewn2ra4ohzdr.exe

description	pid	process	target process
PID 1644 wrote to memory of 2344	1644	4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5_NeikiAnalytics.exe	wn2ra4ohzdr.exe
PID 1644 wrote to memory of 2344	1644	4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5_NeikiAnalytics.exe	wn2ra4ohzdr.exe
PID 1644 wrote to memory of 2344	1644	4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5_NeikiAnalytics.exe	wn2ra4ohzdr.exe
PID 2344 wrote to memory of 1820	2344	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2344 wrote to memory of 1820	2344	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2344 wrote to memory of 1820	2344	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2344 wrote to memory of 1820	2344	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2344 wrote to memory of 1820	2344	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2344 wrote to memory of 1820	2344	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2344 wrote to memory of 1820	2344	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2344 wrote to memory of 1820	2344	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2344 wrote to memory of 1820	2344	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe

C:\Users\Admin\AppData\Local\Temp\4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4467138cf6bec169b6c0cb9abe48e86202b75a5301828766b059c8af06d4a0f5_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
"C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
"C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
Filesize
137KB

MD5
d925eb5d288e60e0e74df7bbd03a5b98

SHA1
b483740bfa64ea92abe9c3a99e362981ca3c4920

SHA256
c6fac2851f8396a7ce39dd34ddb229a435fced514641e525ee874647037f2381

SHA512
c3dd1d566ce11fadc27fcf3e7ec6c63e8fbcc46f1c5ca91146aca68975bbc1e279a6b77d1a94b15270c5c5e6db7f876dd6a1d212cecca90a7f4e3c2bfaea905c

Download Submit
memory/1644-20-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1644-5-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1644-0-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/1644-4-0x00000000058E0000-0x00000000058EA000-memory.dmp

Filesize
40KB

Download
memory/1644-2-0x0000000005C10000-0x00000000061B4000-memory.dmp

Filesize
5.6MB

Download
memory/1644-6-0x00000000059B0000-0x00000000059D0000-memory.dmp

Filesize
128KB

Download
memory/1644-1-0x0000000000D10000-0x0000000000D38000-memory.dmp

Filesize
160KB

Download
memory/1644-3-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/1820-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2344-22-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/2344-21-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/2344-36-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download