remcos | 329886b8af71b45a41f94d0d9a69761b6b6fe80d36b7f7a6201fd97dc33234d5

General

Target

CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
Size

372KB
MD5

a962399ee6a55b52ad2432702a800597
SHA1

2ae09b6b627b86bb4a6e2e7b2d33fdc6f8e1579f
SHA256

329886b8af71b45a41f94d0d9a69761b6b6fe80d36b7f7a6201fd97dc33234d5
SHA512

7914d464cbba0de5392a19d9bd986be7246fca19d15cad5303cf81f1a9dd56cbf94729bd5d1f7f2b2b3e0cb545bb689cc6114b8ee08a8c508c4f8d1eeb86b8a6

Score

10^/10

remcos coreentity rat rezer0

Malware Config

Extracted

Family

remcos

C2

thankyoulord.ddns.net:5050

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1848-4-0x0000000000230000-0x0000000000233000-memory.dmp	coreentity

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1848-5-0x0000000007330000-0x0000000007357000-memory.dmp	rezer0

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

description pid process target process

PID 1848 set thread context of 960 1848 CONFIRMACION DEL PEDIDO CVE6535,PDF.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1448 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

description pid process

Token: SeDebugPrivilege 1848 CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

pid process

1848 CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
1848 CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

description	pid	process	target process
PID 1848 set thread context of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe

pid	process
1448	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

pid	process
1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

description	pid	process	target process
PID 1848 wrote to memory of 1448	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	schtasks.exe
PID 1848 wrote to memory of 1448	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	schtasks.exe
PID 1848 wrote to memory of 1448	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	schtasks.exe
PID 1848 wrote to memory of 1448	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	schtasks.exe
PID 1848 wrote to memory of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 1848 wrote to memory of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 1848 wrote to memory of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 1848 wrote to memory of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 1848 wrote to memory of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 1848 wrote to memory of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 1848 wrote to memory of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 1848 wrote to memory of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 1848 wrote to memory of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 1848 wrote to memory of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe
PID 1848 wrote to memory of 960	1848	CONFIRMACION DEL PEDIDO CVE6535,PDF.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CfGuVGvIV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A5B.tmp"
2⤵
- Creates scheduled task(s)
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4A5B.tmp
MD5
6f034f247ff434fdf03cbe467d528312

SHA1
894bae0158a82ede3c4c8e48349d49f621cf9032

SHA256
68a695d53c232920102c555e384bcbc6efc6eac421011b4ceaf9b30c2ce6fd7d

SHA512
43d86aab0e7e4565dad4abddc9a1645030fa2ab9c6a26359f7ed0d1354212fcae11ca535299eaecad6998b9c7a8a9fd3be0e6cea01cc3e5e78ba9707464b3fe1

Download Submit
memory/960-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-9-0x0000000000413A84-mapping.dmp

Download
memory/960-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1448-6-0x0000000000000000-mapping.dmp

Download
memory/1848-0-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1848-1-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1848-4-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1848-5-0x0000000007330000-0x0000000007357000-memory.dmp

Filesize
156KB

Download
memory/1984-3-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads