remcos | ee6d59e7ff1910806b465f8ae5fd6b2dd918cbe56fb1e3144d1484ba7b266eec

Analysis

max time kernel
148s
max time network
143s
platform
windows10_x64
resource
win10v20210410
submitted
21-04-2021 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12.exe
Size

619KB
MD5

98f413548ec275b2b0ead9caf86119eb
SHA1

cd39fdbed9c2011ef1d33dec7f50704664c33e63
SHA256

ee6d59e7ff1910806b465f8ae5fd6b2dd918cbe56fb1e3144d1484ba7b266eec
SHA512

266370e9871a3e8c9c26835de8dec3be658d4bbb8709b3e26bfd986c60d312a065b587935e737e866907946f07cd25a6b7b2e416aabf8693bccc6fb694d6c6ef

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

abujafirms1.duckdns.org:12000

194.5.98.203:1988

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

12.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Weikql = "C:\\Users\\Public\\Libraries\\lqkieW.url"	12.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

12.exe

description	pid	process	target process
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe
PID 4040 wrote to memory of 3540	4040	12.exe	secinit.exe

C:\Users\Admin\AppData\Local\Temp\12.exe
"C:\Users\Admin\AppData\Local\Temp\12.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\secinit.exe
C:\Windows\System32\secinit.exe
2⤵
PID:3540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3540-119-0x0000000000000000-mapping.dmp

Download
memory/3540-121-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/3540-120-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/3540-123-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3540-124-0x0000000010590000-0x000000001060B000-memory.dmp

Filesize
492KB

Download
memory/3540-125-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4040-114-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/4040-116-0x00000000020C0000-0x00000000020DA000-memory.dmp

Filesize
104KB

Download