remcos | c3ce62a44812edeca97182d5f26639b222ebe684021e7a7b922a499bd32d7f95

General

Target

Trust Duo Medicate Invoice_93838376389389363738938737633.exe
Size

704KB
MD5

7119c9e0e31551124c125d714e35bd1d
SHA1

628a5b9fd78e6d1d64eb7132aa84c017b0a6ca42
SHA256

c3ce62a44812edeca97182d5f26639b222ebe684021e7a7b922a499bd32d7f95
SHA512

300c2520745bc8b7ce839df746e9fba002b5c2e36c7d2837647975db8389e9b4ea944ee5f7163c80d273e51d2f9e8e84559f09f018d16d457470a73801e4f085

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

216.38.7.225:6524

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Trust Duo Medicate Invoice_93838376389389363738938737633.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jufjlp = "C:\\Users\\Public\\pljfuJ.url"	Trust Duo Medicate Invoice_93838376389389363738938737633.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Trust Duo Medicate Invoice_93838376389389363738938737633.exe

description	pid	process	target process
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe
PID 1000 wrote to memory of 1196	1000	Trust Duo Medicate Invoice_93838376389389363738938737633.exe	secinit.exe

C:\Users\Admin\AppData\Local\Temp\Trust Duo Medicate Invoice_93838376389389363738938737633.exe
"C:\Users\Admin\AppData\Local\Temp\Trust Duo Medicate Invoice_93838376389389363738938737633.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\secinit.exe
C:\Windows\System32\secinit.exe
2⤵
PID:1196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-114-0x00000000005D0000-0x000000000071A000-memory.dmp

Filesize
1.3MB

Download
memory/1196-115-0x0000000000000000-mapping.dmp

Download
memory/1196-116-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/1196-118-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/1196-119-0x0000000010590000-0x000000001060C000-memory.dmp

Filesize
496KB

Download
memory/1196-120-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/1196-121-0x00000000047A0000-0x0000000004819000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing