remcos | 4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742

General

Target

ORDER 33.exe
Size

456KB
MD5

093f7881caf5cb7a06058de4f4678590
SHA1

67d9b27fc723315444144cb30cd63e5062e8e496
SHA256

4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742
SHA512

a0d99614a0ca3bcfb0d3677d1bf2a60876c1c3d1ca257d0e610ac3d8fdfc78f2fd514f0c503d4d4868b6f6fd04866e7a2293ccd6df743d3a43928017c9555823

Score

10^/10

remcos persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

cos.execos.exe

pid process

1380 cos.exe
1732 cos.exe

pid	process
1380	cos.exe
1732	cos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ORDER 33.execos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ORDER 33.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\cos\\cos.exe\""	ORDER 33.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	cos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\cos\\cos.exe\""	cos.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3972 schtasks.exe
Modifies registry class 1 IoCs

Processes:

ORDER 33.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings ORDER 33.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 1132 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1132 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cos.exe

pid process

1732 cos.exe

pid	process
3972	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	ORDER 33.exe

description	pid	process
Token: 33	1132	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1132	AUDIODG.EXE

pid	process
1732	cos.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

ORDER 33.execmd.exeWScript.execmd.execos.execos.exe

description	pid	process	target process
PID 1316 wrote to memory of 692	1316	ORDER 33.exe	cmd.exe
PID 1316 wrote to memory of 692	1316	ORDER 33.exe	cmd.exe
PID 1316 wrote to memory of 692	1316	ORDER 33.exe	cmd.exe
PID 692 wrote to memory of 3972	692	cmd.exe	schtasks.exe
PID 692 wrote to memory of 3972	692	cmd.exe	schtasks.exe
PID 692 wrote to memory of 3972	692	cmd.exe	schtasks.exe
PID 1316 wrote to memory of 812	1316	ORDER 33.exe	WScript.exe
PID 1316 wrote to memory of 812	1316	ORDER 33.exe	WScript.exe
PID 1316 wrote to memory of 812	1316	ORDER 33.exe	WScript.exe
PID 812 wrote to memory of 3656	812	WScript.exe	cmd.exe
PID 812 wrote to memory of 3656	812	WScript.exe	cmd.exe
PID 812 wrote to memory of 3656	812	WScript.exe	cmd.exe
PID 3656 wrote to memory of 1380	3656	cmd.exe	cos.exe
PID 3656 wrote to memory of 1380	3656	cmd.exe	cos.exe
PID 3656 wrote to memory of 1380	3656	cmd.exe	cos.exe
PID 1380 wrote to memory of 1732	1380	cos.exe	cos.exe
PID 1380 wrote to memory of 1732	1380	cos.exe	cos.exe
PID 1380 wrote to memory of 1732	1380	cos.exe	cos.exe
PID 1732 wrote to memory of 2944	1732	cos.exe	svchost.exe
PID 1732 wrote to memory of 2944	1732	cos.exe	svchost.exe
PID 1732 wrote to memory of 2944	1732	cos.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml"
3⤵
- Creates scheduled task(s)
PID:3972

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\cos\cos.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Roaming\cos\cos.exe
C:\Users\Admin\AppData\Roaming\cos\cos.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Roaming\cos\cos.exe
"C:\Users\Admin\AppData\Roaming\cos\cos.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
6⤵
PID:2944

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml
MD5
b362d71396554606927de2efedfc5241

SHA1
d3c90e9a7b8ab2ec0b7b9035e075484edd8d03ea

SHA256
331bd5a3066a33606e45a9ba66d7f0dc616542192dd6142ef87ff10f1549fcd7

SHA512
998b67e295973833cc48e0f74cd39e98aefbc2f2b9395be3085590703be2e79a265d0dec7019546a5349f58cfc6282bd579a6a780267eb5e678fec05c5dc8f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
53b5b01ab6df628a783870090504f195

SHA1
4c175a9e57fba856c3926c6017aadb86316eb62a

SHA256
7f45e4f97baaccd07b2134f61c5e702af72f8a0b39cea6b5b4955daa289ed701

SHA512
fcc1948c81aa59ec6f391d47be7fa9160abb835dd584d14b057fbc057ea3ebf2918d660a859ab4b481260e5abee2aaf7fa5ee749097bff6a6f386e4389e1b3ba

Download Submit
C:\Users\Admin\AppData\Roaming\cos\cos.exe
MD5
093f7881caf5cb7a06058de4f4678590

SHA1
67d9b27fc723315444144cb30cd63e5062e8e496

SHA256
4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742

SHA512
a0d99614a0ca3bcfb0d3677d1bf2a60876c1c3d1ca257d0e610ac3d8fdfc78f2fd514f0c503d4d4868b6f6fd04866e7a2293ccd6df743d3a43928017c9555823

Download Submit
C:\Users\Admin\AppData\Roaming\cos\cos.exe
MD5
093f7881caf5cb7a06058de4f4678590

SHA1
67d9b27fc723315444144cb30cd63e5062e8e496

SHA256
4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742

SHA512
a0d99614a0ca3bcfb0d3677d1bf2a60876c1c3d1ca257d0e610ac3d8fdfc78f2fd514f0c503d4d4868b6f6fd04866e7a2293ccd6df743d3a43928017c9555823

Download Submit
C:\Users\Admin\AppData\Roaming\cos\cos.exe
MD5
093f7881caf5cb7a06058de4f4678590

SHA1
67d9b27fc723315444144cb30cd63e5062e8e496

SHA256
4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742

SHA512
a0d99614a0ca3bcfb0d3677d1bf2a60876c1c3d1ca257d0e610ac3d8fdfc78f2fd514f0c503d4d4868b6f6fd04866e7a2293ccd6df743d3a43928017c9555823

Download Submit
memory/692-2-0x0000000000000000-mapping.dmp

Download
memory/812-4-0x0000000000000000-mapping.dmp

Download
memory/1380-8-0x0000000000000000-mapping.dmp

Download
memory/1732-11-0x0000000000000000-mapping.dmp

Download
memory/3656-7-0x0000000000000000-mapping.dmp

Download
memory/3972-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads