remcos | 7debbe024dbb6e548f266c653d22b6dfb1738615a4a7653eea9964d34d111eeb

Analysis

max time kernel
151s
max time network
135s
platform
windows7_x64
resource
win7v200430
submitted
13/07/2020, 06:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
Size

269KB
MD5

de11b124fd6ddebb30c9424ffb07fa0b
SHA1

1209452da9bb0ac7e2728c5e22d9306e56f54b14
SHA256

7debbe024dbb6e548f266c653d22b6dfb1738615a4a7653eea9964d34d111eeb
SHA512

6de0e740d9f8e8aec8660ad552dfe85776ef6fc60d45b58c9ce08ca6cad440e84b1430157b2552b67682fb34829e0cf8a9ace6d54c307b7a1114e78a9f28351a

Score

10^/10

persistence rat remcos

Malware Config

Extracted

Family

remcos

recuperaciondecartera.website:6790

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1612	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1524	PXServiceNet.exe
1840	PXServiceNet.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1840	PXServiceNet.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1524 set thread context of 1840	1524	PXServiceNet.exe	32

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\MServices = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PXServiceNet.exe\""	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PXServiceNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\MServices = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PXServiceNet.exe\""	PXServiceNet.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
Token: SeDebugPrivilege	1524	PXServiceNet.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe
1524	PXServiceNet.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1412	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	24
PID 1092 wrote to memory of 1412	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	24
PID 1092 wrote to memory of 1412	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	24
PID 1092 wrote to memory of 1412	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	24
PID 1092 wrote to memory of 1420	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	25
PID 1092 wrote to memory of 1420	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	25
PID 1092 wrote to memory of 1420	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	25
PID 1092 wrote to memory of 1420	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	25
PID 1092 wrote to memory of 744	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	26
PID 1092 wrote to memory of 744	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	26
PID 1092 wrote to memory of 744	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	26
PID 1092 wrote to memory of 744	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	26
PID 1092 wrote to memory of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1092 wrote to memory of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1092 wrote to memory of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1092 wrote to memory of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1092 wrote to memory of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1092 wrote to memory of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1092 wrote to memory of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1092 wrote to memory of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1092 wrote to memory of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1092 wrote to memory of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1092 wrote to memory of 1436	1092	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	27
PID 1436 wrote to memory of 916	1436	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	28
PID 1436 wrote to memory of 916	1436	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	28
PID 1436 wrote to memory of 916	1436	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	28
PID 1436 wrote to memory of 916	1436	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	28
PID 916 wrote to memory of 1612	916	WScript.exe	29
PID 916 wrote to memory of 1612	916	WScript.exe	29
PID 916 wrote to memory of 1612	916	WScript.exe	29
PID 916 wrote to memory of 1612	916	WScript.exe	29
PID 1612 wrote to memory of 1524	1612	cmd.exe	31
PID 1612 wrote to memory of 1524	1612	cmd.exe	31
PID 1612 wrote to memory of 1524	1612	cmd.exe	31
PID 1612 wrote to memory of 1524	1612	cmd.exe	31
PID 1524 wrote to memory of 1840	1524	PXServiceNet.exe	32
PID 1524 wrote to memory of 1840	1524	PXServiceNet.exe	32
PID 1524 wrote to memory of 1840	1524	PXServiceNet.exe	32
PID 1524 wrote to memory of 1840	1524	PXServiceNet.exe	32
PID 1524 wrote to memory of 1840	1524	PXServiceNet.exe	32
PID 1524 wrote to memory of 1840	1524	PXServiceNet.exe	32
PID 1524 wrote to memory of 1840	1524	PXServiceNet.exe	32
PID 1524 wrote to memory of 1840	1524	PXServiceNet.exe	32
PID 1524 wrote to memory of 1840	1524	PXServiceNet.exe	32
PID 1524 wrote to memory of 1840	1524	PXServiceNet.exe	32
PID 1524 wrote to memory of 1840	1524	PXServiceNet.exe	32

C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
  "C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe"
  2⤵
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
  "C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe"
  2⤵
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
  "C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe"
  2⤵
  PID:744
- C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
  "C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe"
  2⤵
  - Adds Run entry to start application
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
        
        C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Adds Run entry to start application
        
        PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-6-0x0000000002600000-0x0000000002604000-memory.dmp

Filesize
16KB

Download
memory/1436-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1436-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1840-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download