remcos | 4fff31fe2dc28e3080189ef8bdf5001f1a441be3c67392864966512d7dc79217

General

Target

Neues Lieferantenformular,pdf.scr
Size

832KB
MD5

3f4f150ed7ab62f3f08315fa85a1e1f0
SHA1

24890995fabbfb50230729d5cceb4d5a92199a42
SHA256

f0896ba259cc40a67474db857cbca2cd43099f5b49be45c3e3a3a34a06765b7f
SHA512

67df52b24d57dc399c2c819d27749e8b54b7494563d075c7305716d57eae1625321ea8083c1964d76721a1ec436e5a0d53403c2c737d895c9068c0632ea78248

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

Officialsw.chickenkiller.com:2310

official.ydns.eu:2310

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Neues Lieferantenformular,pdf.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rwdfnm = "C:\\Users\\Admin\\AppData\\Local\\mnfdwR.url"	Neues Lieferantenformular,pdf.scr

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Neues Lieferantenformular,pdf.scr

description	pid	process	target process
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe
PID 1652 wrote to memory of 1840	1652	Neues Lieferantenformular,pdf.scr	DpiScaling.exe

C:\Users\Admin\AppData\Local\Temp\Neues Lieferantenformular,pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Neues Lieferantenformular,pdf.scr" /S
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
2⤵
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-59-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1652-60-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1652-62-0x00000000004E0000-0x00000000004FA000-memory.dmp

Filesize
104KB

Download
memory/1840-65-0x0000000000000000-mapping.dmp

Download
memory/1840-67-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1840-69-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1840-70-0x0000000010590000-0x000000001060B000-memory.dmp

Filesize
492KB

Download
memory/1840-71-0x0000000000500000-0x0000000000578000-memory.dmp

Filesize
480KB

Download
memory/1840-72-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing