remcos | 7debbe024dbb6e548f266c653d22b6dfb1738615a4a7653eea9964d34d111eeb

General

Target

ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
Size

269KB
MD5

de11b124fd6ddebb30c9424ffb07fa0b
SHA1

1209452da9bb0ac7e2728c5e22d9306e56f54b14
SHA256

7debbe024dbb6e548f266c653d22b6dfb1738615a4a7653eea9964d34d111eeb
SHA512

6de0e740d9f8e8aec8660ad552dfe85776ef6fc60d45b58c9ce08ca6cad440e84b1430157b2552b67682fb34829e0cf8a9ace6d54c307b7a1114e78a9f28351a

Score

10^/10

persistence rat remcos

Malware Config

Extracted

Family

remcos

C2

recuperaciondecartera.website:6790

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exePXServiceNet.exe

description	pid	process
Token: SeDebugPrivilege	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
Token: SeDebugPrivilege	2840	PXServiceNet.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exePXServiceNet.exe

description	pid	process	target process
PID 3820 set thread context of 3800	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
PID 2840 set thread context of 3672	2840	PXServiceNet.exe	PXServiceNet.exe

Modifies registry class 1 IoCs

Processes:

ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exePXServiceNet.exe

pid	process
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe
2840	PXServiceNet.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exeADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exeWScript.execmd.exePXServiceNet.exe

description	pid	process	target process
PID 3820 wrote to memory of 3800	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
PID 3820 wrote to memory of 3800	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
PID 3820 wrote to memory of 3800	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
PID 3820 wrote to memory of 3800	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
PID 3820 wrote to memory of 3800	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
PID 3820 wrote to memory of 3800	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
PID 3820 wrote to memory of 3800	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
PID 3820 wrote to memory of 3800	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
PID 3820 wrote to memory of 3800	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
PID 3820 wrote to memory of 3800	3820	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
PID 3800 wrote to memory of 296	3800	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	WScript.exe
PID 3800 wrote to memory of 296	3800	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	WScript.exe
PID 3800 wrote to memory of 296	3800	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe	WScript.exe
PID 296 wrote to memory of 3104	296	WScript.exe	cmd.exe
PID 296 wrote to memory of 3104	296	WScript.exe	cmd.exe
PID 296 wrote to memory of 3104	296	WScript.exe	cmd.exe
PID 3104 wrote to memory of 2840	3104	cmd.exe	PXServiceNet.exe
PID 3104 wrote to memory of 2840	3104	cmd.exe	PXServiceNet.exe
PID 3104 wrote to memory of 2840	3104	cmd.exe	PXServiceNet.exe
PID 2840 wrote to memory of 3672	2840	PXServiceNet.exe	PXServiceNet.exe
PID 2840 wrote to memory of 3672	2840	PXServiceNet.exe	PXServiceNet.exe
PID 2840 wrote to memory of 3672	2840	PXServiceNet.exe	PXServiceNet.exe
PID 2840 wrote to memory of 3672	2840	PXServiceNet.exe	PXServiceNet.exe
PID 2840 wrote to memory of 3672	2840	PXServiceNet.exe	PXServiceNet.exe
PID 2840 wrote to memory of 3672	2840	PXServiceNet.exe	PXServiceNet.exe
PID 2840 wrote to memory of 3672	2840	PXServiceNet.exe	PXServiceNet.exe
PID 2840 wrote to memory of 3672	2840	PXServiceNet.exe	PXServiceNet.exe
PID 2840 wrote to memory of 3672	2840	PXServiceNet.exe	PXServiceNet.exe
PID 2840 wrote to memory of 3672	2840	PXServiceNet.exe	PXServiceNet.exe

Executes dropped EXE 2 IoCs

Processes:

PXServiceNet.exePXServiceNet.exe

pid process

2840 PXServiceNet.exe
3672 PXServiceNet.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PXServiceNet.exe

pid process

3672 PXServiceNet.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PXServiceNet.exe

pid process

3672 PXServiceNet.exe

pid	process
2840	PXServiceNet.exe
3672	PXServiceNet.exe

pid	process
3672	PXServiceNet.exe

pid	process
3672	PXServiceNet.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exePXServiceNet.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\MServices = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PXServiceNet.exe\""	ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PXServiceNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\MServices = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PXServiceNet.exe\""	PXServiceNet.exe

C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_75422514701354879545042432022154657988454047224024231254457878797857055454242204243.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
PID:3800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3104

C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:2840

C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
"C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Adds Run entry to start application
PID:3672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe

Download Submit
memory/296-3-0x0000000000000000-mapping.dmp

Download
memory/2840-6-0x0000000000000000-mapping.dmp

Download
memory/3104-5-0x0000000000000000-mapping.dmp

Download
memory/3672-10-0x0000000000413B74-mapping.dmp

Download
memory/3672-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3800-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3800-1-0x0000000000413B74-mapping.dmp

Download
memory/3800-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads