remcos | 39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe
Size

137KB
MD5

986bc47d1b0a81e13f3563269f543790
SHA1

7d651dc71a4fa25db318daa755e0af5ff1918435
SHA256

39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545
SHA512

5eba05177aade9052ac34516027b74b4b2f5c31ae3314dec450d79e49eef0f19061825a1c54b43dda7d26c92530bcb5edcde2b5e6f2df8b2fde48850bc38359d
SSDEEP

1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKj:xPd4n/M+WLcilrpgGH/GwY87mVmIXT

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
OfficeUpgrade.exe
copy_folder
OfficeUpgrade
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
Upgrader.dat
keylog_flag
false
keylog_folder
Upgrader
keylog_path
%AppData%
mouse_option
false
mutex
req_khauflaoyr
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
OfficeUpgrade
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

wn2ra4ohzdr.exewn2ra4ohzdr.exe

pid process

2784 wn2ra4ohzdr.exe
2716 wn2ra4ohzdr.exe
Loads dropped DLL 1 IoCs

Processes:

39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe

pid process

2440 39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe

pid	process
2784	wn2ra4ohzdr.exe
2716	wn2ra4ohzdr.exe

pid	process
2440	39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe"	39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wn2ra4ohzdr.exe

description pid process target process

PID 2784 set thread context of 2716 2784 wn2ra4ohzdr.exe wn2ra4ohzdr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wn2ra4ohzdr.exe

pid process

2716 wn2ra4ohzdr.exe

description	pid	process	target process
PID 2784 set thread context of 2716	2784	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe

pid	process
2716	wn2ra4ohzdr.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exewn2ra4ohzdr.exe

description	pid	process	target process
PID 2440 wrote to memory of 2784	2440	39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe	wn2ra4ohzdr.exe
PID 2440 wrote to memory of 2784	2440	39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe	wn2ra4ohzdr.exe
PID 2440 wrote to memory of 2784	2440	39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe	wn2ra4ohzdr.exe
PID 2440 wrote to memory of 2784	2440	39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe	wn2ra4ohzdr.exe
PID 2784 wrote to memory of 2716	2784	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2784 wrote to memory of 2716	2784	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2784 wrote to memory of 2716	2784	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2784 wrote to memory of 2716	2784	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2784 wrote to memory of 2716	2784	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2784 wrote to memory of 2716	2784	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2784 wrote to memory of 2716	2784	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2784 wrote to memory of 2716	2784	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2784 wrote to memory of 2716	2784	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe
PID 2784 wrote to memory of 2716	2784	wn2ra4ohzdr.exe	wn2ra4ohzdr.exe

C:\Users\Admin\AppData\Local\Temp\39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe
"C:\Users\Admin\AppData\Local\Temp\39df3cbc48867b449d4828185b06f2e4d647562724da9205a46f5fd5763e6545.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
"C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
"C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
Filesize
137KB

MD5
71a4c8ee343324f77978da8e68a94e17

SHA1
31326c1872a8f15b3e7b679db6970275d7d392bc

SHA256
252cd135680c0083c7b10ba0155897c54db52fc1ffc89a127c99b6f68dad7db6

SHA512
5d80f4c8af3df3853efe527de4d2a412bec90dda45fe1b0da85d75b18b11bcf3e784defd71776b76414d11ed44e636bc28abcccdd3c6190c2d19bd3c7b4b57dd

Download Submit
memory/2440-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x0000000001090000-0x00000000010B8000-memory.dmp

Filesize
160KB

Download
memory/2440-2-0x0000000074E40000-0x000000007552E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-3-0x0000000000980000-0x00000000009A0000-memory.dmp

Filesize
128KB

Download
memory/2440-32-0x0000000074E40000-0x000000007552E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-15-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-28-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2716-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2784-14-0x0000000074E40000-0x000000007552E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-13-0x0000000000C90000-0x0000000000CB8000-memory.dmp

Filesize
160KB

Download
memory/2784-12-0x0000000074E40000-0x000000007552E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-33-0x0000000074E40000-0x000000007552E000-memory.dmp

Filesize
6.9MB

Download