remcos | 767a12aba903c3382c309843125edd0132a350f36720ce66209ea20f2158711e

Analysis

max time kernel
7s
max time network
157s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation-04 - 609967.scr
Size

95KB
MD5

50cf2b84679ea401530b7e30d16f166b
SHA1

1720348ae4b55ce19a252e2161c6eb0684ebea10
SHA256

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd
SHA512

273a2fe9402a237314dce9937a1ec0c36cdcef8a0e2820dcaf40382061fa7fc85ef9df7bfba0b237b40eb10d4ecc236eb650f528400860dd309666c1a1d519b1
SSDEEP

1536:mOhzJDZr9BzDNATEk9UbTV0+gRLVNI6e:lhzbrjDNATEkebh0BRk6e

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.173.62.181:17120

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-F9ZGZ8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quotation-04 - 609967.scr = "C:\\Users\\Admin\\Documents\\Quotation-04 - 609967.scr.pif"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation-04 - 609967.scr

description pid process target process

PID 1684 set thread context of 2736 1684 Quotation-04 - 609967.scr Quotation-04 - 609967.scr

description	pid	process	target process
PID 1684 set thread context of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Quotation-04 - 609967.scr

pid	process
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr
1684	Quotation-04 - 609967.scr

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Quotation-04 - 609967.scr

description pid process

Token: SeDebugPrivilege 1684 Quotation-04 - 609967.scr

description	pid	process
Token: SeDebugPrivilege	1684	Quotation-04 - 609967.scr

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

Quotation-04 - 609967.scrcmd.exe

description	pid	process	target process
PID 1684 wrote to memory of 3068	1684	Quotation-04 - 609967.scr	cmd.exe
PID 1684 wrote to memory of 3068	1684	Quotation-04 - 609967.scr	cmd.exe
PID 1684 wrote to memory of 3068	1684	Quotation-04 - 609967.scr	cmd.exe
PID 1684 wrote to memory of 3068	1684	Quotation-04 - 609967.scr	cmd.exe
PID 3068 wrote to memory of 1272	3068	cmd.exe	reg.exe
PID 3068 wrote to memory of 1272	3068	cmd.exe	reg.exe
PID 3068 wrote to memory of 1272	3068	cmd.exe	reg.exe
PID 3068 wrote to memory of 1272	3068	cmd.exe	reg.exe
PID 1684 wrote to memory of 2732	1684	Quotation-04 - 609967.scr	cmd.exe
PID 1684 wrote to memory of 2732	1684	Quotation-04 - 609967.scr	cmd.exe
PID 1684 wrote to memory of 2732	1684	Quotation-04 - 609967.scr	cmd.exe
PID 1684 wrote to memory of 2732	1684	Quotation-04 - 609967.scr	cmd.exe
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 1684 wrote to memory of 2736	1684	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr

C:\Users\Admin\AppData\Local\Temp\Quotation-04 - 609967.scr
"C:\Users\Admin\AppData\Local\Temp\Quotation-04 - 609967.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Quotation-04 - 609967.scr" /t REG_SZ /F /D "C:\Users\Admin\Documents\Quotation-04 - 609967.scr.pif"
2⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Quotation-04 - 609967.scr" /t REG_SZ /F /D "C:\Users\Admin\Documents\Quotation-04 - 609967.scr.pif"
3⤵
- Adds Run key to start application
PID:1272

C:\Windows\SysWOW64\cmd.exe
cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\Quotation-04 - 609967.scr" "C:\Users\Admin\Documents\Quotation-04 - 609967.scr.pif"
2⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\Quotation-04 - 609967.scr
"C:\Users\Admin\AppData\Local\Temp\Quotation-04 - 609967.scr"
2⤵
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
0f4e1ae8323685eb3dae24b6c7d78d83

SHA1
3693c618a02c126e6ad1f90b27812ce5fb5229fa

SHA256
e373a723a5aa600fa0a00e1d2ca30720a7feda03dad9377e4d52fd5acf4919c8

SHA512
a68cb9d3a0d749896236b370f7d6630be85e333a6cfed6c25676d5d53b5e6c0ca6453ef1f873fe863ab5e227daf10be7119985e35e4a5b69081740399457efbc

Download Submit
memory/1684-33-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-1-0x0000000000DB0000-0x0000000000DCE000-memory.dmp

Filesize
120KB

Download
memory/1684-2-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-3-0x0000000005320000-0x00000000053A2000-memory.dmp

Filesize
520KB

Download
memory/1684-0-0x00000000746BE000-0x00000000746BF000-memory.dmp

Filesize
4KB

Download
memory/2736-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-6-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2736-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download