remcos | 4903333c4aca1501316d62fadbee470fba700b11a23fbcdbc1435ff1b73f7aaf

General

Target

Order no 2.exe
Size

335KB
MD5

2a2c8b50c3774bca1ceabe117b2c969f
SHA1

4bc31c902a4edc434d53afac8dac5ccf0cea447d
SHA256

4903333c4aca1501316d62fadbee470fba700b11a23fbcdbc1435ff1b73f7aaf
SHA512

02a1d3f74d01a8f629a232a4108a6fda3cfa41b642641c8717d3e2381558b67149f427f7974652b103e1d94d8f98ad442bd4b62e628881b4c9d3d78ccd86869b

Score

10^/10

remcos rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

328 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Order no 2.exe

pid process

820 Order no 2.exe

pid	process
328	schtasks.exe

pid	process
820	Order no 2.exe

Suspicious use of WriteProcessMemory 76 IoCs

Processes:

Order no 2.exeOrder no 2.execmd.exeOrder no 2.exeOrder no 2.exeOrder no 2.exe

description	pid	process	target process
PID 1744 wrote to memory of 1204	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1204	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1204	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1204	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1424	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1424	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1424	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1424	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1684	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1684	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1684	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1684	1744	Order no 2.exe	cmd.exe
PID 1744 wrote to memory of 1376	1744	Order no 2.exe	Order no 2.exe
PID 1744 wrote to memory of 1376	1744	Order no 2.exe	Order no 2.exe
PID 1744 wrote to memory of 1376	1744	Order no 2.exe	Order no 2.exe
PID 1744 wrote to memory of 1376	1744	Order no 2.exe	Order no 2.exe
PID 1376 wrote to memory of 1552	1376	Order no 2.exe	cmd.exe
PID 1376 wrote to memory of 1552	1376	Order no 2.exe	cmd.exe
PID 1376 wrote to memory of 1552	1376	Order no 2.exe	cmd.exe
PID 1376 wrote to memory of 1552	1376	Order no 2.exe	cmd.exe
PID 1376 wrote to memory of 644	1376	Order no 2.exe	cmd.exe
PID 1376 wrote to memory of 644	1376	Order no 2.exe	cmd.exe
PID 1376 wrote to memory of 644	1376	Order no 2.exe	cmd.exe
PID 1376 wrote to memory of 644	1376	Order no 2.exe	cmd.exe
PID 1684 wrote to memory of 328	1684	cmd.exe	schtasks.exe
PID 1684 wrote to memory of 328	1684	cmd.exe	schtasks.exe
PID 1684 wrote to memory of 328	1684	cmd.exe	schtasks.exe
PID 1684 wrote to memory of 328	1684	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 1096	1376	Order no 2.exe	Order no 2.exe
PID 1376 wrote to memory of 1096	1376	Order no 2.exe	Order no 2.exe
PID 1376 wrote to memory of 1096	1376	Order no 2.exe	Order no 2.exe
PID 1376 wrote to memory of 1096	1376	Order no 2.exe	Order no 2.exe
PID 1096 wrote to memory of 432	1096	Order no 2.exe	cmd.exe
PID 1096 wrote to memory of 432	1096	Order no 2.exe	cmd.exe
PID 1096 wrote to memory of 432	1096	Order no 2.exe	cmd.exe
PID 1096 wrote to memory of 432	1096	Order no 2.exe	cmd.exe
PID 1096 wrote to memory of 592	1096	Order no 2.exe	cmd.exe
PID 1096 wrote to memory of 592	1096	Order no 2.exe	cmd.exe
PID 1096 wrote to memory of 592	1096	Order no 2.exe	cmd.exe
PID 1096 wrote to memory of 592	1096	Order no 2.exe	cmd.exe
PID 1096 wrote to memory of 552	1096	Order no 2.exe	Order no 2.exe
PID 1096 wrote to memory of 552	1096	Order no 2.exe	Order no 2.exe
PID 1096 wrote to memory of 552	1096	Order no 2.exe	Order no 2.exe
PID 1096 wrote to memory of 552	1096	Order no 2.exe	Order no 2.exe
PID 552 wrote to memory of 472	552	Order no 2.exe	cmd.exe
PID 552 wrote to memory of 472	552	Order no 2.exe	cmd.exe
PID 552 wrote to memory of 472	552	Order no 2.exe	cmd.exe
PID 552 wrote to memory of 472	552	Order no 2.exe	cmd.exe
PID 552 wrote to memory of 760	552	Order no 2.exe	cmd.exe
PID 552 wrote to memory of 760	552	Order no 2.exe	cmd.exe
PID 552 wrote to memory of 760	552	Order no 2.exe	cmd.exe
PID 552 wrote to memory of 760	552	Order no 2.exe	cmd.exe
PID 552 wrote to memory of 1012	552	Order no 2.exe	Order no 2.exe
PID 552 wrote to memory of 1012	552	Order no 2.exe	Order no 2.exe
PID 552 wrote to memory of 1012	552	Order no 2.exe	Order no 2.exe
PID 552 wrote to memory of 1012	552	Order no 2.exe	Order no 2.exe
PID 1012 wrote to memory of 1276	1012	Order no 2.exe	cmd.exe
PID 1012 wrote to memory of 1276	1012	Order no 2.exe	cmd.exe
PID 1012 wrote to memory of 1276	1012	Order no 2.exe	cmd.exe
PID 1012 wrote to memory of 1276	1012	Order no 2.exe	cmd.exe
PID 1012 wrote to memory of 968	1012	Order no 2.exe	cmd.exe
PID 1012 wrote to memory of 968	1012	Order no 2.exe	cmd.exe
PID 1012 wrote to memory of 968	1012	Order no 2.exe	cmd.exe
PID 1012 wrote to memory of 968	1012	Order no 2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Order no 2.exe
"C:\Users\Admin\AppData\Local\Temp\Order no 2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN appdata /XML "C:\Users\Admin\AppData\Local\Temp\a0adabb92e8b44c08965708e82c7e16e.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN appdata /XML "C:\Users\Admin\AppData\Local\Temp\a0adabb92e8b44c08965708e82c7e16e.xml"
3⤵
- Creates scheduled task(s)
PID:328

C:\Users\Admin\AppData\Local\Temp\Order no 2.exe
"C:\Users\Admin\AppData\Local\Temp\Order no 2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\Order no 2.exe
"C:\Users\Admin\AppData\Local\Temp\Order no 2.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\Order no 2.exe
"C:\Users\Admin\AppData\Local\Temp\Order no 2.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
5⤵
PID:472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
5⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\Order no 2.exe
"C:\Users\Admin\AppData\Local\Temp\Order no 2.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
6⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
6⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\Order no 2.exe
"C:\Users\Admin\AppData\Local\Temp\Order no 2.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
7⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
7⤵
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a0adabb92e8b44c08965708e82c7e16e.xml
MD5
999e741701956fa7ff22c7bb00654985

SHA1
a977a28dc57ca1c249b0c9e256c1679e35ef0fe1

SHA256
07af9974e2b573a5e6e1e8036029d55fca14db7b34df0dbf60fa17cc54fc4e1f

SHA512
ff898ca3298719a8e5541f910a98c4c0f11bf0c458b441b0879bf701dabfb77909aa675e9f599689cbf0ae5da7f09a726c5e8be24f4d3d95a827a619b0294c1f

Download Submit
memory/328-8-0x0000000000000000-mapping.dmp

Download
memory/432-11-0x0000000000000000-mapping.dmp

Download
memory/472-14-0x0000000000000000-mapping.dmp

Download
memory/552-13-0x0000000000000000-mapping.dmp

Download
memory/592-12-0x0000000000000000-mapping.dmp

Download
memory/644-7-0x0000000000000000-mapping.dmp

Download
memory/672-20-0x0000000000000000-mapping.dmp

Download
memory/760-15-0x0000000000000000-mapping.dmp

Download
memory/820-19-0x0000000000000000-mapping.dmp

Download
memory/968-18-0x0000000000000000-mapping.dmp

Download
memory/1012-16-0x0000000000000000-mapping.dmp

Download
memory/1096-10-0x0000000000000000-mapping.dmp

Download
memory/1204-2-0x0000000000000000-mapping.dmp

Download
memory/1276-17-0x0000000000000000-mapping.dmp

Download
memory/1376-5-0x0000000000000000-mapping.dmp

Download
memory/1424-3-0x0000000000000000-mapping.dmp

Download
memory/1552-6-0x0000000000000000-mapping.dmp

Download
memory/1684-4-0x0000000000000000-mapping.dmp

Download
memory/1816-21-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads