remcos | 4903333c4aca1501316d62fadbee470fba700b11a23fbcdbc1435ff1b73f7aaf

General

Target

Order no 2.exe
Size

335KB
MD5

2a2c8b50c3774bca1ceabe117b2c969f
SHA1

4bc31c902a4edc434d53afac8dac5ccf0cea447d
SHA256

4903333c4aca1501316d62fadbee470fba700b11a23fbcdbc1435ff1b73f7aaf
SHA512

02a1d3f74d01a8f629a232a4108a6fda3cfa41b642641c8717d3e2381558b67149f427f7974652b103e1d94d8f98ad442bd4b62e628881b4c9d3d78ccd86869b

Score

10^/10

remcos persistence rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

filessystem32.exe

pid process

896 filessystem32.exe

pid	process
896	filessystem32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Order no 2.exefilessystem32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Order no 2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\system64bit = "\"C:\\Windows\\SysWOW64\\systemfiles\\filessystem32.exe\""	Order no 2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	Order no 2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system64bit = "\"C:\\Windows\\SysWOW64\\systemfiles\\filessystem32.exe\""	Order no 2.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	filessystem32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\system64bit = "\"C:\\Windows\\SysWOW64\\systemfiles\\filessystem32.exe\""	filessystem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	filessystem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system64bit = "\"C:\\Windows\\SysWOW64\\systemfiles\\filessystem32.exe\""	filessystem32.exe

Drops file in System32 directory 3 IoCs

Processes:

Order no 2.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\systemfiles\filessystem32.exe	Order no 2.exe
File opened for modification	C:\Windows\SysWOW64\systemfiles	Order no 2.exe
File created	C:\Windows\SysWOW64\systemfiles\filessystem32.exe	Order no 2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3188 schtasks.exe
Modifies registry class 1 IoCs

Processes:

Order no 2.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings Order no 2.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

filessystem32.exe

pid process

896 filessystem32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

filessystem32.exe

pid process

896 filessystem32.exe

pid	process
3188	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Order no 2.exe

pid	process
896	filessystem32.exe

pid	process
896	filessystem32.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Order no 2.exeOrder no 2.execmd.exeWScript.execmd.exefilessystem32.exe

description	pid	process	target process
PID 4688 wrote to memory of 4140	4688	Order no 2.exe	cmd.exe
PID 4688 wrote to memory of 4140	4688	Order no 2.exe	cmd.exe
PID 4688 wrote to memory of 4140	4688	Order no 2.exe	cmd.exe
PID 4688 wrote to memory of 4164	4688	Order no 2.exe	cmd.exe
PID 4688 wrote to memory of 4164	4688	Order no 2.exe	cmd.exe
PID 4688 wrote to memory of 4164	4688	Order no 2.exe	cmd.exe
PID 4688 wrote to memory of 4108	4688	Order no 2.exe	cmd.exe
PID 4688 wrote to memory of 4108	4688	Order no 2.exe	cmd.exe
PID 4688 wrote to memory of 4108	4688	Order no 2.exe	cmd.exe
PID 4688 wrote to memory of 3156	4688	Order no 2.exe	Order no 2.exe
PID 4688 wrote to memory of 3156	4688	Order no 2.exe	Order no 2.exe
PID 4688 wrote to memory of 3156	4688	Order no 2.exe	Order no 2.exe
PID 3156 wrote to memory of 3804	3156	Order no 2.exe	cmd.exe
PID 3156 wrote to memory of 3804	3156	Order no 2.exe	cmd.exe
PID 3156 wrote to memory of 3804	3156	Order no 2.exe	cmd.exe
PID 4108 wrote to memory of 3188	4108	cmd.exe	schtasks.exe
PID 4108 wrote to memory of 3188	4108	cmd.exe	schtasks.exe
PID 4108 wrote to memory of 3188	4108	cmd.exe	schtasks.exe
PID 3156 wrote to memory of 3424	3156	Order no 2.exe	cmd.exe
PID 3156 wrote to memory of 3424	3156	Order no 2.exe	cmd.exe
PID 3156 wrote to memory of 3424	3156	Order no 2.exe	cmd.exe
PID 3156 wrote to memory of 3088	3156	Order no 2.exe	WScript.exe
PID 3156 wrote to memory of 3088	3156	Order no 2.exe	WScript.exe
PID 3156 wrote to memory of 3088	3156	Order no 2.exe	WScript.exe
PID 3088 wrote to memory of 848	3088	WScript.exe	cmd.exe
PID 3088 wrote to memory of 848	3088	WScript.exe	cmd.exe
PID 3088 wrote to memory of 848	3088	WScript.exe	cmd.exe
PID 848 wrote to memory of 896	848	cmd.exe	filessystem32.exe
PID 848 wrote to memory of 896	848	cmd.exe	filessystem32.exe
PID 848 wrote to memory of 896	848	cmd.exe	filessystem32.exe
PID 896 wrote to memory of 1156	896	filessystem32.exe	cmd.exe
PID 896 wrote to memory of 1156	896	filessystem32.exe	cmd.exe
PID 896 wrote to memory of 1156	896	filessystem32.exe	cmd.exe
PID 896 wrote to memory of 1248	896	filessystem32.exe	cmd.exe
PID 896 wrote to memory of 1248	896	filessystem32.exe	cmd.exe
PID 896 wrote to memory of 1248	896	filessystem32.exe	cmd.exe
PID 896 wrote to memory of 1548	896	filessystem32.exe	svchost.exe
PID 896 wrote to memory of 1548	896	filessystem32.exe	svchost.exe
PID 896 wrote to memory of 1548	896	filessystem32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Order no 2.exe
"C:\Users\Admin\AppData\Local\Temp\Order no 2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN appdata /XML "C:\Users\Admin\AppData\Local\Temp\a0adabb92e8b44c08965708e82c7e16e.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN appdata /XML "C:\Users\Admin\AppData\Local\Temp\a0adabb92e8b44c08965708e82c7e16e.xml"
3⤵
- Creates scheduled task(s)
PID:3188

C:\Users\Admin\AppData\Local\Temp\Order no 2.exe
"C:\Users\Admin\AppData\Local\Temp\Order no 2.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3424

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\systemfiles\filessystem32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\systemfiles\filessystem32.exe
C:\Windows\SysWOW64\systemfiles\filessystem32.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
6⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
6⤵
PID:1248

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
6⤵
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a0adabb92e8b44c08965708e82c7e16e.xml
MD5
a7b55b9ce76f3b7074bf6a187a6fa51d

SHA1
085dc1dd5a9814c1497a402f3be98251a1e6b5ab

SHA256
9f441d855bdb45b41e55fe1fbe2d24f9d7e0b538b28e6acd1c1f536ee0a0f788

SHA512
2a86463d20f502e8c9502a9ad2ff7e719c1e2a44cb8bfb61b899c09f4405c7bfb7b6b7acd81207cab1124cfd435a66e5a390ee81c023682a17d58fa994feeca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
3e538061aa4bbf338a8cd7a5f9582185

SHA1
539613d08fc9019a4f051cf6a00cc062ba694c4c

SHA256
a88ded9a6dd694ef4bdf41e877dd2f053545ca3ea00ba23f846a7897da013ff0

SHA512
577c71dfc24063a6f2a6f6b1d0d420c9622271d33025b2698ce39d0e4c7a01f06099f18ec262cf9198f4cd3f91ecb8ccd1777ebead5c97cb7f6387e0cd9a5b40

Download Submit
C:\Windows\SysWOW64\systemfiles\filessystem32.exe
MD5
2a2c8b50c3774bca1ceabe117b2c969f

SHA1
4bc31c902a4edc434d53afac8dac5ccf0cea447d

SHA256
4903333c4aca1501316d62fadbee470fba700b11a23fbcdbc1435ff1b73f7aaf

SHA512
02a1d3f74d01a8f629a232a4108a6fda3cfa41b642641c8717d3e2381558b67149f427f7974652b103e1d94d8f98ad442bd4b62e628881b4c9d3d78ccd86869b

Download Submit
C:\Windows\SysWOW64\systemfiles\filessystem32.exe
MD5
2a2c8b50c3774bca1ceabe117b2c969f

SHA1
4bc31c902a4edc434d53afac8dac5ccf0cea447d

SHA256
4903333c4aca1501316d62fadbee470fba700b11a23fbcdbc1435ff1b73f7aaf

SHA512
02a1d3f74d01a8f629a232a4108a6fda3cfa41b642641c8717d3e2381558b67149f427f7974652b103e1d94d8f98ad442bd4b62e628881b4c9d3d78ccd86869b

Download Submit
memory/848-12-0x0000000000000000-mapping.dmp

Download
memory/896-13-0x0000000000000000-mapping.dmp

Download
memory/1156-16-0x0000000000000000-mapping.dmp

Download
memory/1248-17-0x0000000000000000-mapping.dmp

Download
memory/3088-10-0x0000000000000000-mapping.dmp

Download
memory/3156-5-0x0000000000000000-mapping.dmp

Download
memory/3188-7-0x0000000000000000-mapping.dmp

Download
memory/3424-8-0x0000000000000000-mapping.dmp

Download
memory/3804-6-0x0000000000000000-mapping.dmp

Download
memory/4108-4-0x0000000000000000-mapping.dmp

Download
memory/4140-2-0x0000000000000000-mapping.dmp

Download
memory/4164-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads