Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-01-2021 06:59

General

  • Target

    ORDER 33.exe

  • Size

    456KB

  • MD5

    093f7881caf5cb7a06058de4f4678590

  • SHA1

    67d9b27fc723315444144cb30cd63e5062e8e496

  • SHA256

    4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742

  • SHA512

    a0d99614a0ca3bcfb0d3677d1bf2a60876c1c3d1ca257d0e610ac3d8fdfc78f2fd514f0c503d4d4868b6f6fd04866e7a2293ccd6df743d3a43928017c9555823

Score
10/10

Malware Config

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe"
    1⤵
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:692
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml"
        3⤵
        • Creates scheduled task(s)
        PID:3972
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\cos\cos.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3656
        • C:\Users\Admin\AppData\Roaming\cos\cos.exe
          C:\Users\Admin\AppData\Roaming\cos\cos.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1380
          • C:\Users\Admin\AppData\Roaming\cos\cos.exe
            "C:\Users\Admin\AppData\Roaming\cos\cos.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1732
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe
              6⤵
                PID:2944
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x3d8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1132
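
The tree above reads as a single chain: ORDER 33.exe registers a scheduled task from an XML file in Temp, runs install.vbs through WScript, which relaunches a copy of the sample from %APPDATA%\cos\cos.exe (same hashes as the submitted file, see Downloads); that copy respawns itself and then starts a bare SysWOW64\svchost.exe, the parent having hit the WriteProcessMemory signature. As an added example (not part of this sandbox report), the Python below replays that tree as Sysmon-style ProcessCreate events and flags each step. The event records, field names and rule names are constructed for illustration; the submitted sample's parent PID is unknown and set to 0, and a services.exe/svchost.exe pair is added as a benign control.

```python
"""Replay the process tree from this report as Sysmon-style ProcessCreate
events and flag the behaviours the sandbox signatures describe.

Added example, not part of the sandbox report. Event records are constructed
from the tree above; field names follow Sysmon Event ID 1 (pid, ppid, image,
cmdline). The sample's parent PID is unknown and set to 0 (assumption); the
services.exe/svchost.exe pair is a constructed benign control.
"""
import re

USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)
SCHTASKS_XML = re.compile(r"/create\b.*/xml\s+\"?([^\"]+?\.xml)\"?", re.I)
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.I)
SCRIPT_FILE = re.compile(r"\"?([^\"\s]+\.(?:vbs|vbe|js|jse|wsf))\"?", re.I)
SVCHOST_GROUP = re.compile(r"(?:^|\s)-k\s+\S+", re.I)

# Constructed from the process tree in the report (PIDs and command lines as listed).
EVENTS = [
    {"pid": 1316, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe"'},
    {"pid": 692, "ppid": 1316, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml"'},
    {"pid": 3972, "ppid": 692, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml"'},
    {"pid": 812, "ppid": 1316, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'},
    {"pid": 3656, "ppid": 812, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\cos\cos.exe"'},
    {"pid": 1380, "ppid": 3656, "image": r"C:\Users\Admin\AppData\Roaming\cos\cos.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\cos\cos.exe"},
    {"pid": 1732, "ppid": 1380, "image": r"C:\Users\Admin\AppData\Roaming\cos\cos.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\cos\cos.exe"'},
    {"pid": 2944, "ppid": 1732, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe"},
    # Benign control (constructed): a genuine service host started by services.exe with -k.
    {"pid": 700, "ppid": 500, "image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\services.exe"},
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of findings: {pid, rule, technique, detail}."""
    events = list(events)
    by_pid = {e["pid"]: e for e in events}
    findings = []

    for e in events:
        parent = by_pid.get(e["ppid"])
        img, cmd = e["image"], e["cmdline"]

        # T1053: schtasks importing a task definition (/XML) from a user-writable path.
        if basename(img) == "schtasks.exe":
            m = SCHTASKS_XML.search(cmd)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append({"pid": e["pid"], "rule": "schtasks_xml_from_user_dir",
                                 "technique": "T1053", "detail": m.group(1)})

        # wscript/cscript running a script dropped under a user-writable path.
        if SCRIPT_HOST.search(img):
            m = SCRIPT_FILE.search(cmd)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append({"pid": e["pid"], "rule": "script_host_user_dir",
                                 "technique": None, "detail": m.group(1)})

        # An executable in a user-writable path launching a fresh copy of itself
        # (the cos.exe -> cos.exe step in the tree).
        if parent and USER_WRITABLE.search(img) and parent["image"].lower() == img.lower():
            findings.append({"pid": e["pid"], "rule": "appdata_exe_respawns_self",
                             "technique": None, "detail": img})

        # svchost.exe not started by services.exe and lacking the "-k <group>" argument
        # the genuine service host is normally launched with: a bare svchost.exe under a
        # user process is the usual injection/hollowing target.
        if basename(img) == "svchost.exe" and parent is not None:
            if basename(parent["image"]) != "services.exe" and not SVCHOST_GROUP.search(cmd):
                findings.append({"pid": e["pid"], "rule": "bare_svchost_from_user_process",
                                 "technique": None, "detail": "parent=" + parent["image"]})
    return findings


def verdict(events):
    """Escalate when the self-respawn + bare-svchost pair is present, as in this report."""
    rules = {f["rule"] for f in detect(events)}
    if {"appdata_exe_respawns_self", "bare_svchost_from_user_process"} <= rules:
        return "injection-chain"
    return "suspicious" if rules else "clean"


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print(verdict(EVENTS))
```

Each rule keys on the parent/child relationship rather than on the file names from this run (flies, cos, install.vbs), which a rebuilt sample changes trivially; the Run-key signature (T1060) is not covered here because it needs registry events, not process-creation events.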

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Execution: Scheduled Task, T1053 (1 signature)
    • Persistence: Registry Run Keys / Startup Folder, T1060 (1 signature); Scheduled Task, T1053 (1 signature)
    • Privilege Escalation: Scheduled Task, T1053 (1 signature)
    • Defense Evasion: Modify Registry, T1112 (1 signature)

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml
      MD5

      b362d71396554606927de2efedfc5241

      SHA1

      d3c90e9a7b8ab2ec0b7b9035e075484edd8d03ea

      SHA256

      331bd5a3066a33606e45a9ba66d7f0dc616542192dd6142ef87ff10f1549fcd7

      SHA512

      998b67e295973833cc48e0f74cd39e98aefbc2f2b9395be3085590703be2e79a265d0dec7019546a5349f58cfc6282bd579a6a780267eb5e678fec05c5dc8f05

    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      MD5

      53b5b01ab6df628a783870090504f195

      SHA1

      4c175a9e57fba856c3926c6017aadb86316eb62a

      SHA256

      7f45e4f97baaccd07b2134f61c5e702af72f8a0b39cea6b5b4955daa289ed701

      SHA512

      fcc1948c81aa59ec6f391d47be7fa9160abb835dd584d14b057fbc057ea3ebf2918d660a859ab4b481260e5abee2aaf7fa5ee749097bff6a6f386e4389e1b3ba

    • C:\Users\Admin\AppData\Roaming\cos\cos.exe
      MD5

      093f7881caf5cb7a06058de4f4678590

      SHA1

      67d9b27fc723315444144cb30cd63e5062e8e496

      SHA256

      4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742

      SHA512

      a0d99614a0ca3bcfb0d3677d1bf2a60876c1c3d1ca257d0e610ac3d8fdfc78f2fd514f0c503d4d4868b6f6fd04866e7a2293ccd6df743d3a43928017c9555823

    • memory/692-2-0x0000000000000000-mapping.dmp
    • memory/812-4-0x0000000000000000-mapping.dmp
    • memory/1380-8-0x0000000000000000-mapping.dmp
    • memory/1732-11-0x0000000000000000-mapping.dmp
    • memory/3656-7-0x0000000000000000-mapping.dmp
    • memory/3972-3-0x0000000000000000-mapping.dmp