remcos | 6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
Size

1006KB
MD5

ae9e6ffdc6b75b93d96748b6e2801096
SHA1

c3ba04cbc0d773ca5b036c44e6b7b97b4c5e936f
SHA256

6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978
SHA512

fbdedb0d46d9417abb21495bc928db10275b5a5edfcbcf94a570721ee534f74b915dec23ebf0125fcaf154c24fed89982680ab8be18260cf6c1c79f8a3dd148a
SSDEEP

24576:yJZQK8ebdmaOLAuHz7SaLf+/9S+YrMpjrh1y:yJZQ9aOs47SaL2/c+jh1y

Score

10^/10

remcos remotehost execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

204.10.160.230:7983

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-O7QOC3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2656 powershell.exe
2732 powershell.exe

pid	process
2656	powershell.exe
2732	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe

description	pid	process	target process
PID 2216 set thread context of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2788 schtasks.exe

pid	process
2788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exepowershell.exepowershell.exe

pid	process
2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
2732	powershell.exe
2656	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2216 6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
Token: SeDebugPrivilege 2732 powershell.exe
Token: SeDebugPrivilege 2656 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe

description	pid	process	target process
PID 2216 wrote to memory of 2656	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	powershell.exe
PID 2216 wrote to memory of 2656	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	powershell.exe
PID 2216 wrote to memory of 2656	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	powershell.exe
PID 2216 wrote to memory of 2656	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	powershell.exe
PID 2216 wrote to memory of 2732	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	powershell.exe
PID 2216 wrote to memory of 2732	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	powershell.exe
PID 2216 wrote to memory of 2732	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	powershell.exe
PID 2216 wrote to memory of 2732	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	powershell.exe
PID 2216 wrote to memory of 2788	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	schtasks.exe
PID 2216 wrote to memory of 2788	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	schtasks.exe
PID 2216 wrote to memory of 2788	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	schtasks.exe
PID 2216 wrote to memory of 2788	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	schtasks.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
PID 2216 wrote to memory of 1944	2216	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe	6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe

C:\Users\Admin\AppData\Local\Temp\6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
"C:\Users\Admin\AppData\Local\Temp\6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PQHcRKfCm.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PQHcRKfCm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70AD.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Users\Admin\AppData\Local\Temp\6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe
"C:\Users\Admin\AppData\Local\Temp\6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978.exe"
2⤵
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp70AD.tmp
Filesize
1KB

MD5
9dd9c4e655ff6c7ad7310fcf3731b60b

SHA1
6ce2f0d1db396ea9a681a82e4b62cc5e5f80d557

SHA256
d5545c1c89c2942d59cfd95d3c93316aee3a89e98cf37a246c58a71ce3b128e0

SHA512
8632cc8a85fd4ff869ee1e818e3e00918d7cad173cf96fdbd8e96ff85aef3958dc2f26c7258e8f5cf37d11707482010a5bb566b1042cf647d7e3ff19acb8aef8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5eed63ae067395cc6da79750166e80bc

SHA1
ea62a6a57547fc9167465e5781b62354c0860ae9

SHA256
a838db32784178e09ee61dba884623d206f79c2ddd9dec2e4a163a833a499ab1

SHA512
3c773567e49b6605b9ac93cb3ac3694a4dde1435b6750fcd383b54bccd32ffa1e256eb9f3623eb0b34620690735ecfda4d7dcb68a80b7c94bc6346a0cdf20fae

Download Submit
memory/1944-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-52-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-38-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-37-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1944-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-42-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1944-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2216-41-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-3-0x00000000009E0000-0x00000000009FA000-memory.dmp

Filesize
104KB

Download
memory/2216-1-0x0000000001230000-0x000000000132E000-memory.dmp

Filesize
1016KB

Download
memory/2216-5-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/2216-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2216-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-9-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2216-6-0x0000000005400000-0x00000000054BE000-memory.dmp

Filesize
760KB

Download
memory/2216-4-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download