remcos | 0f3cac160b09665561487322c11c5ee1ad0eb221b32edfecf1fe01d5b5f278f7

General

Target

Dringende Bestellung Zitat CTX88467638,pdf.exe
Size

769KB
MD5

66525016cb1f9420e5e5c178082346cf
SHA1

afe3c32389f0009959d9de94feb11e2bf1f1abd7
SHA256

0f3cac160b09665561487322c11c5ee1ad0eb221b32edfecf1fe01d5b5f278f7
SHA512

26eefff0cdc04747ccfb432c0154ec271b2b9ad6ead105fe0f9cd07ba08df05f13d15771eafaeec9912acf02b289ecde134d56c5c398198c9c256b6580058d7c

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

ongod4life.ddns.net:4344

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Dringende Bestellung Zitat CTX88467638,pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ntozkw = "C:\\Users\\Public\\Libraries\\wkzotN.url"	Dringende Bestellung Zitat CTX88467638,pdf.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Dringende Bestellung Zitat CTX88467638,pdf.exe

description	pid	process	target process
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe
PID 4768 wrote to memory of 4424	4768	Dringende Bestellung Zitat CTX88467638,pdf.exe	secinit.exe

C:\Users\Admin\AppData\Local\Temp\Dringende Bestellung Zitat CTX88467638,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Dringende Bestellung Zitat CTX88467638,pdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\secinit.exe
C:\Windows\System32\secinit.exe
2⤵
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4424-119-0x0000000000000000-mapping.dmp

Download
memory/4424-121-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4424-120-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/4424-123-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/4424-125-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4424-124-0x0000000010540000-0x0000000010564000-memory.dmp

Filesize
144KB

Download
memory/4768-114-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/4768-117-0x0000000000600000-0x000000000061A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing