remcos | 767a12aba903c3382c309843125edd0132a350f36720ce66209ea20f2158711e

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation-04 - 609967.scr
Size

95KB
MD5

50cf2b84679ea401530b7e30d16f166b
SHA1

1720348ae4b55ce19a252e2161c6eb0684ebea10
SHA256

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd
SHA512

273a2fe9402a237314dce9937a1ec0c36cdcef8a0e2820dcaf40382061fa7fc85ef9df7bfba0b237b40eb10d4ecc236eb650f528400860dd309666c1a1d519b1
SSDEEP

1536:mOhzJDZr9BzDNATEk9UbTV0+gRLVNI6e:lhzbrjDNATEkebh0BRk6e

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.173.62.181:17120

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-F9ZGZ8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quotation-04 - 609967.scr = "C:\\Users\\Admin\\Documents\\Quotation-04 - 609967.scr.pif"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation-04 - 609967.scr

description pid process target process

PID 4720 set thread context of 4732 4720 Quotation-04 - 609967.scr Quotation-04 - 609967.scr

description	pid	process	target process
PID 4720 set thread context of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Quotation-04 - 609967.scr

pid	process
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr
4720	Quotation-04 - 609967.scr

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Quotation-04 - 609967.scr

description pid process

Token: SeDebugPrivilege 4720 Quotation-04 - 609967.scr
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Quotation-04 - 609967.scr

pid process

4732 Quotation-04 - 609967.scr

description	pid	process
Token: SeDebugPrivilege	4720	Quotation-04 - 609967.scr

pid	process
4732	Quotation-04 - 609967.scr

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Quotation-04 - 609967.scrcmd.exe

description	pid	process	target process
PID 4720 wrote to memory of 2932	4720	Quotation-04 - 609967.scr	cmd.exe
PID 4720 wrote to memory of 2932	4720	Quotation-04 - 609967.scr	cmd.exe
PID 4720 wrote to memory of 2932	4720	Quotation-04 - 609967.scr	cmd.exe
PID 2932 wrote to memory of 388	2932	cmd.exe	reg.exe
PID 2932 wrote to memory of 388	2932	cmd.exe	reg.exe
PID 2932 wrote to memory of 388	2932	cmd.exe	reg.exe
PID 4720 wrote to memory of 3344	4720	Quotation-04 - 609967.scr	cmd.exe
PID 4720 wrote to memory of 3344	4720	Quotation-04 - 609967.scr	cmd.exe
PID 4720 wrote to memory of 3344	4720	Quotation-04 - 609967.scr	cmd.exe
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr
PID 4720 wrote to memory of 4732	4720	Quotation-04 - 609967.scr	Quotation-04 - 609967.scr

C:\Users\Admin\AppData\Local\Temp\Quotation-04 - 609967.scr
"C:\Users\Admin\AppData\Local\Temp\Quotation-04 - 609967.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Quotation-04 - 609967.scr" /t REG_SZ /F /D "C:\Users\Admin\Documents\Quotation-04 - 609967.scr.pif"
2⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Quotation-04 - 609967.scr" /t REG_SZ /F /D "C:\Users\Admin\Documents\Quotation-04 - 609967.scr.pif"
3⤵
- Adds Run key to start application
PID:388

C:\Windows\SysWOW64\cmd.exe
cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\Quotation-04 - 609967.scr" "C:\Users\Admin\Documents\Quotation-04 - 609967.scr.pif"
2⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\Quotation-04 - 609967.scr
"C:\Users\Admin\AppData\Local\Temp\Quotation-04 - 609967.scr"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
7ec744aa1f288bfdddcd4f41af786506

SHA1
e3ffa548337702bcf5443f7a02e7b29cf6ed4d29

SHA256
3a49254276ddb6a1f0b7ff43ed92ef7ba7309aafe0927764866d10983fd1d537

SHA512
e889605d61fa316fcfe6174ee53ed81afb0edb1a812a42f3c9a8e5f0f4c246d1e9dd0c9c2435fba9f4bc181408e08450642b5799aab5160d7aa15d2b1c6eebf2

Download Submit
memory/4720-0-0x00000000751AE000-0x00000000751AF000-memory.dmp

Filesize
4KB

Download
memory/4720-1-0x0000000000D70000-0x0000000000D8E000-memory.dmp

Filesize
120KB

Download
memory/4720-2-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/4720-3-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/4720-4-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/4720-5-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4720-6-0x0000000006D20000-0x0000000006DA2000-memory.dmp

Filesize
520KB

Download
memory/4720-7-0x0000000006F40000-0x0000000006FDC000-memory.dmp

Filesize
624KB

Download
memory/4720-8-0x0000000006FE0000-0x0000000007046000-memory.dmp

Filesize
408KB

Download
memory/4720-20-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4732-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4732-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download