remcos | e4462cda605a876b2c8f72bcecbabd3e1abb00303a78047892ce463afef53127

General

Target

ADJUNTOEXTRACTO590878174787097120989222355748.exe
Size

127KB
MD5

163544e7689d9be18b302b75c1e6d037
SHA1

98a76b052c08e51ab2420658354eed23a1f11a57
SHA256

e4462cda605a876b2c8f72bcecbabd3e1abb00303a78047892ce463afef53127
SHA512

c9189ae0246baa56d7f55be2e81cd2a795c3802a4b61f017131740d92fced381ffa33b1e8fe424c24bc3d4cf94ddaadb4bd73ce6db911e1c71b1ba9f7aa32b78

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

PxxoServicesTrialNet1.exePxxoServicesTrialNet1.exe

pid process

2084 PxxoServicesTrialNet1.exe
3784 PxxoServicesTrialNet1.exe

pid	process
2084	PxxoServicesTrialNet1.exe
3784	PxxoServicesTrialNet1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PxxoServicesTrialNet1.exeADJUNTOEXTRACTO590878174787097120989222355748.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ADJUNTOEXTRACTO590878174787097120989222355748.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	ADJUNTOEXTRACTO590878174787097120989222355748.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ADJUNTOEXTRACTO590878174787097120989222355748.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 796 set thread context of 1452	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 2084 set thread context of 3784	2084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

ADJUNTOEXTRACTO590878174787097120989222355748.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	ADJUNTOEXTRACTO590878174787097120989222355748.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ADJUNTOEXTRACTO590878174787097120989222355748.exe

pid process

796 ADJUNTOEXTRACTO590878174787097120989222355748.exe
796 ADJUNTOEXTRACTO590878174787097120989222355748.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ADJUNTOEXTRACTO590878174787097120989222355748.exe

description pid process

Token: SeDebugPrivilege 796 ADJUNTOEXTRACTO590878174787097120989222355748.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

3784 PxxoServicesTrialNet1.exe

pid	process
796	ADJUNTOEXTRACTO590878174787097120989222355748.exe
796	ADJUNTOEXTRACTO590878174787097120989222355748.exe

description	pid	process
Token: SeDebugPrivilege	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe

pid	process
3784	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

ADJUNTOEXTRACTO590878174787097120989222355748.exeADJUNTOEXTRACTO590878174787097120989222355748.exeWScript.execmd.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 796 wrote to memory of 2200	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 2200	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 2200	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 1452	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 1452	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 1452	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 1452	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 1452	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 1452	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 1452	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 1452	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 1452	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 796 wrote to memory of 1452	796	ADJUNTOEXTRACTO590878174787097120989222355748.exe	ADJUNTOEXTRACTO590878174787097120989222355748.exe
PID 1452 wrote to memory of 2680	1452	ADJUNTOEXTRACTO590878174787097120989222355748.exe	WScript.exe
PID 1452 wrote to memory of 2680	1452	ADJUNTOEXTRACTO590878174787097120989222355748.exe	WScript.exe
PID 1452 wrote to memory of 2680	1452	ADJUNTOEXTRACTO590878174787097120989222355748.exe	WScript.exe
PID 2680 wrote to memory of 1180	2680	WScript.exe	cmd.exe
PID 2680 wrote to memory of 1180	2680	WScript.exe	cmd.exe
PID 2680 wrote to memory of 1180	2680	WScript.exe	cmd.exe
PID 1180 wrote to memory of 2084	1180	cmd.exe	PxxoServicesTrialNet1.exe
PID 1180 wrote to memory of 2084	1180	cmd.exe	PxxoServicesTrialNet1.exe
PID 1180 wrote to memory of 2084	1180	cmd.exe	PxxoServicesTrialNet1.exe
PID 2084 wrote to memory of 3784	2084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2084 wrote to memory of 3784	2084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2084 wrote to memory of 3784	2084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2084 wrote to memory of 3784	2084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2084 wrote to memory of 3784	2084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2084 wrote to memory of 3784	2084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2084 wrote to memory of 3784	2084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2084 wrote to memory of 3784	2084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2084 wrote to memory of 3784	2084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2084 wrote to memory of 3784	2084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\ADJUNTOEXTRACTO590878174787097120989222355748.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTOEXTRACTO590878174787097120989222355748.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\ADJUNTOEXTRACTO590878174787097120989222355748.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTOEXTRACTO590878174787097120989222355748.exe"
2⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\ADJUNTOEXTRACTO590878174787097120989222355748.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTOEXTRACTO590878174787097120989222355748.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
163544e7689d9be18b302b75c1e6d037

SHA1
98a76b052c08e51ab2420658354eed23a1f11a57

SHA256
e4462cda605a876b2c8f72bcecbabd3e1abb00303a78047892ce463afef53127

SHA512
c9189ae0246baa56d7f55be2e81cd2a795c3802a4b61f017131740d92fced381ffa33b1e8fe424c24bc3d4cf94ddaadb4bd73ce6db911e1c71b1ba9f7aa32b78

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
163544e7689d9be18b302b75c1e6d037

SHA1
98a76b052c08e51ab2420658354eed23a1f11a57

SHA256
e4462cda605a876b2c8f72bcecbabd3e1abb00303a78047892ce463afef53127

SHA512
c9189ae0246baa56d7f55be2e81cd2a795c3802a4b61f017131740d92fced381ffa33b1e8fe424c24bc3d4cf94ddaadb4bd73ce6db911e1c71b1ba9f7aa32b78

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
163544e7689d9be18b302b75c1e6d037

SHA1
98a76b052c08e51ab2420658354eed23a1f11a57

SHA256
e4462cda605a876b2c8f72bcecbabd3e1abb00303a78047892ce463afef53127

SHA512
c9189ae0246baa56d7f55be2e81cd2a795c3802a4b61f017131740d92fced381ffa33b1e8fe424c24bc3d4cf94ddaadb4bd73ce6db911e1c71b1ba9f7aa32b78

Download Submit
C:\Users\Admin\FgdEzluGJmODUBXWMnzAKbnNYtmftnkZcRYqJHjDNKBmVLnc
MD5
9d3bc982e740dbba36ea9a28ed270c56

SHA1
831e5831f5e03cc02ed3952d096a60c42b395422

SHA256
2205f82a4554237514466aed98dd02ceec4a2802af4efa5d0948fa0fd28b4036

SHA512
25f739abd7ce13dd43b31c1f03ea7e88f59b1ad89a75ede16f43040e091db0ca52c2535fcb06a4e3385d773f32d76ca6c011dfd53bc156199a93596c16e43f43

Download Submit
memory/796-118-0x0000000002A00000-0x0000000002A2B000-memory.dmp

Filesize
172KB

Download
memory/796-116-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/796-117-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/796-119-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/796-114-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1180-125-0x0000000000000000-mapping.dmp

Download
memory/1452-121-0x0000000000413FA4-mapping.dmp

Download
memory/1452-124-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1452-120-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2084-135-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2084-126-0x0000000000000000-mapping.dmp

Download
memory/2680-122-0x0000000000000000-mapping.dmp

Download
memory/3784-137-0x0000000000413FA4-mapping.dmp

Download
memory/3784-139-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads