remcos | 1384907c30bf5d2185b80dfbc63359a50f087e87a5caa3c27edf8cb3a3a6d2d5

Analysis

max time kernel
149s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
23-04-2021 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Size

181KB
MD5

06b2befd05d60d47183797b1e079b6e8
SHA1

8d1abaeb6d198014767384dc6594b28bea6d6e69
SHA256

1384907c30bf5d2185b80dfbc63359a50f087e87a5caa3c27edf8cb3a3a6d2d5
SHA512

e10fc2a9b28e27b129e1208412ac4596f8e1314da58b2c88dbc82d8ddda8f61e7d58b0c30e0df6ece364fd57747616373a4efdc8889980bcf097fca624046a83

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7b99cc64-277e-4a04-9e93-89c353d0589d\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7b99cc64-277e-4a04-9e93-89c353d0589d\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7b99cc64-277e-4a04-9e93-89c353d0589d\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\0a7d8e17-e6f1-4468-964b-1d035332cfad\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\0a7d8e17-e6f1-4468-964b-1d035332cfad\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\0a7d8e17-e6f1-4468-964b-1d035332cfad\AdvancedRun.exe	Nirsoft

Executes dropped EXE 6 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exeAdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exe

pid process

432 AdvancedRun.exe
3004 AdvancedRun.exe
2872 PxxoServicesTrialNet1.exe
2224 AdvancedRun.exe
400 AdvancedRun.exe
528 PxxoServicesTrialNet1.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exePxxoServicesTrialNet1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe = "0"	PxxoServicesTrialNet1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe = "0"	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 1040 set thread context of 3180	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
PID 2872 set thread context of 528	2872	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exe

pid	process
432	AdvancedRun.exe
432	AdvancedRun.exe
432	AdvancedRun.exe
432	AdvancedRun.exe
3004	AdvancedRun.exe
3004	AdvancedRun.exe
3004	AdvancedRun.exe
3004	AdvancedRun.exe
1116	powershell.exe
1116	powershell.exe
1116	powershell.exe
2224	AdvancedRun.exe
2224	AdvancedRun.exe
2224	AdvancedRun.exe
2224	AdvancedRun.exe
400	AdvancedRun.exe
400	AdvancedRun.exe
400	AdvancedRun.exe
400	AdvancedRun.exe
1272	powershell.exe
1272	powershell.exe
1272	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exeAdvancedRun.exeAdvancedRun.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
Token: SeDebugPrivilege	432	AdvancedRun.exe
Token: SeImpersonatePrivilege	432	AdvancedRun.exe
Token: SeDebugPrivilege	3004	AdvancedRun.exe
Token: SeImpersonatePrivilege	3004	AdvancedRun.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2224	AdvancedRun.exe
Token: SeImpersonatePrivilege	2224	AdvancedRun.exe
Token: SeDebugPrivilege	400	AdvancedRun.exe
Token: SeImpersonatePrivilege	400	AdvancedRun.exe
Token: SeDebugPrivilege	1272	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

528 PxxoServicesTrialNet1.exe

pid	process
528	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exeAdvancedRun.exeFactura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exeWScript.execmd.exePxxoServicesTrialNet1.exeAdvancedRun.exe

description	pid	process	target process
PID 1040 wrote to memory of 432	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	AdvancedRun.exe
PID 1040 wrote to memory of 432	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	AdvancedRun.exe
PID 1040 wrote to memory of 432	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	AdvancedRun.exe
PID 432 wrote to memory of 3004	432	AdvancedRun.exe	AdvancedRun.exe
PID 432 wrote to memory of 3004	432	AdvancedRun.exe	AdvancedRun.exe
PID 432 wrote to memory of 3004	432	AdvancedRun.exe	AdvancedRun.exe
PID 1040 wrote to memory of 1116	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	powershell.exe
PID 1040 wrote to memory of 1116	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	powershell.exe
PID 1040 wrote to memory of 1116	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	powershell.exe
PID 1040 wrote to memory of 3180	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
PID 1040 wrote to memory of 3180	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
PID 1040 wrote to memory of 3180	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
PID 1040 wrote to memory of 3180	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
PID 1040 wrote to memory of 3180	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
PID 1040 wrote to memory of 3180	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
PID 1040 wrote to memory of 3180	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
PID 1040 wrote to memory of 3180	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
PID 1040 wrote to memory of 3180	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
PID 1040 wrote to memory of 3180	1040	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
PID 3180 wrote to memory of 432	3180	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	WScript.exe
PID 3180 wrote to memory of 432	3180	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	WScript.exe
PID 3180 wrote to memory of 432	3180	Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe	WScript.exe
PID 432 wrote to memory of 3228	432	WScript.exe	cmd.exe
PID 432 wrote to memory of 3228	432	WScript.exe	cmd.exe
PID 432 wrote to memory of 3228	432	WScript.exe	cmd.exe
PID 3228 wrote to memory of 2872	3228	cmd.exe	PxxoServicesTrialNet1.exe
PID 3228 wrote to memory of 2872	3228	cmd.exe	PxxoServicesTrialNet1.exe
PID 3228 wrote to memory of 2872	3228	cmd.exe	PxxoServicesTrialNet1.exe
PID 2872 wrote to memory of 2224	2872	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2872 wrote to memory of 2224	2872	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2872 wrote to memory of 2224	2872	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2224 wrote to memory of 400	2224	AdvancedRun.exe	AdvancedRun.exe
PID 2224 wrote to memory of 400	2224	AdvancedRun.exe	AdvancedRun.exe
PID 2224 wrote to memory of 400	2224	AdvancedRun.exe	AdvancedRun.exe
PID 2872 wrote to memory of 1272	2872	PxxoServicesTrialNet1.exe	powershell.exe
PID 2872 wrote to memory of 1272	2872	PxxoServicesTrialNet1.exe	powershell.exe
PID 2872 wrote to memory of 1272	2872	PxxoServicesTrialNet1.exe	powershell.exe
PID 2872 wrote to memory of 528	2872	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2872 wrote to memory of 528	2872	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2872 wrote to memory of 528	2872	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2872 wrote to memory of 528	2872	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2872 wrote to memory of 528	2872	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2872 wrote to memory of 528	2872	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2872 wrote to memory of 528	2872	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2872 wrote to memory of 528	2872	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2872 wrote to memory of 528	2872	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2872 wrote to memory of 528	2872	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\7b99cc64-277e-4a04-9e93-89c353d0589d\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\7b99cc64-277e-4a04-9e93-89c353d0589d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\7b99cc64-277e-4a04-9e93-89c353d0589d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\7b99cc64-277e-4a04-9e93-89c353d0589d\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\7b99cc64-277e-4a04-9e93-89c353d0589d\AdvancedRun.exe" /SpecialRun 4101d8 432
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza_0296079315_661568_61612474042820568_45916442_20577348272646701_73141196223677_pdf.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
5⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\0a7d8e17-e6f1-4468-964b-1d035332cfad\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\0a7d8e17-e6f1-4468-964b-1d035332cfad\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0a7d8e17-e6f1-4468-964b-1d035332cfad\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\0a7d8e17-e6f1-4468-964b-1d035332cfad\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\0a7d8e17-e6f1-4468-964b-1d035332cfad\AdvancedRun.exe" /SpecialRun 4101d8 2224
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe" -Force
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2360dcc7cf903d16abdfcb92d4e391cf

SHA1
2981466dd3c394764f3c7a0b136f7ce2cedc5498

SHA256
7e4384f7d5b70ee8b20e7eac96b1d06e6da4ab9d3e522ca62c3f7398cbb8613c

SHA512
800585e2c90e524eb93d1fa5a696cda29e060994289060648c81075c4a155f1ebc075eb7c0846be848debd80378d52ea46edadc0b04250ff73333df0542c7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a7d8e17-e6f1-4468-964b-1d035332cfad\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a7d8e17-e6f1-4468-964b-1d035332cfad\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a7d8e17-e6f1-4468-964b-1d035332cfad\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b99cc64-277e-4a04-9e93-89c353d0589d\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b99cc64-277e-4a04-9e93-89c353d0589d\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b99cc64-277e-4a04-9e93-89c353d0589d\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
06b2befd05d60d47183797b1e079b6e8

SHA1
8d1abaeb6d198014767384dc6594b28bea6d6e69

SHA256
1384907c30bf5d2185b80dfbc63359a50f087e87a5caa3c27edf8cb3a3a6d2d5

SHA512
e10fc2a9b28e27b129e1208412ac4596f8e1314da58b2c88dbc82d8ddda8f61e7d58b0c30e0df6ece364fd57747616373a4efdc8889980bcf097fca624046a83

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
06b2befd05d60d47183797b1e079b6e8

SHA1
8d1abaeb6d198014767384dc6594b28bea6d6e69

SHA256
1384907c30bf5d2185b80dfbc63359a50f087e87a5caa3c27edf8cb3a3a6d2d5

SHA512
e10fc2a9b28e27b129e1208412ac4596f8e1314da58b2c88dbc82d8ddda8f61e7d58b0c30e0df6ece364fd57747616373a4efdc8889980bcf097fca624046a83

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
06b2befd05d60d47183797b1e079b6e8

SHA1
8d1abaeb6d198014767384dc6594b28bea6d6e69

SHA256
1384907c30bf5d2185b80dfbc63359a50f087e87a5caa3c27edf8cb3a3a6d2d5

SHA512
e10fc2a9b28e27b129e1208412ac4596f8e1314da58b2c88dbc82d8ddda8f61e7d58b0c30e0df6ece364fd57747616373a4efdc8889980bcf097fca624046a83

Download Submit
C:\Users\Admin\C7Tsb1Uu7wD5775e8c20s7854bGUc

MD5
6ae3577e0dc79bff5804404d6edc87e7

SHA1
3dac7d058229cfd90aae5474c5f385b4704ba889

SHA256
ab3375a0b7e76252d691c60487c6c4603f94c04e57305f205196370edb51e69c

SHA512
6b93ebe81c8da9b0509785424afba7be6bb261fed58e22c72720f05fe042ae59a30d9806387ea750de566893aa40c56b2c106216d17854ed7e1f39f218f029bf

Download Submit
memory/400-202-0x0000000000000000-mapping.dmp

Download
memory/432-149-0x0000000000000000-mapping.dmp

Download
memory/432-120-0x0000000000000000-mapping.dmp

Download
memory/528-211-0x0000000000413FA4-mapping.dmp

Download
memory/528-213-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1040-114-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1040-119-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/1040-118-0x0000000000BD0000-0x0000000000C40000-memory.dmp

Filesize
448KB

Download
memory/1040-117-0x0000000006510000-0x0000000006511000-memory.dmp

Filesize
4KB

Download
memory/1040-116-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1116-130-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/1116-131-0x0000000006F92000-0x0000000006F93000-memory.dmp

Filesize
4KB

Download
memory/1116-125-0x0000000000000000-mapping.dmp

Download
memory/1116-150-0x00000000094C0000-0x00000000094F3000-memory.dmp

Filesize
204KB

Download
memory/1116-157-0x00000000094A0000-0x00000000094A1000-memory.dmp

Filesize
4KB

Download
memory/1116-162-0x0000000009890000-0x0000000009891000-memory.dmp

Filesize
4KB

Download
memory/1116-128-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/1116-164-0x0000000009A30000-0x0000000009A31000-memory.dmp

Filesize
4KB

Download
memory/1116-165-0x000000007F110000-0x000000007F111000-memory.dmp

Filesize
4KB

Download
memory/1116-166-0x0000000006F93000-0x0000000006F94000-memory.dmp

Filesize
4KB

Download
memory/1116-129-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/1116-132-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/1116-138-0x0000000008700000-0x0000000008701000-memory.dmp

Filesize
4KB

Download
memory/1116-137-0x0000000008790000-0x0000000008791000-memory.dmp

Filesize
4KB

Download
memory/1116-136-0x0000000008310000-0x0000000008311000-memory.dmp

Filesize
4KB

Download
memory/1116-133-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/1116-135-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/1116-134-0x0000000007E30000-0x0000000007E31000-memory.dmp

Filesize
4KB

Download
memory/1272-207-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/1272-204-0x0000000000000000-mapping.dmp

Download
memory/1272-208-0x0000000004502000-0x0000000004503000-memory.dmp

Filesize
4KB

Download
memory/1272-209-0x000000007EB10000-0x000000007EB11000-memory.dmp

Filesize
4KB

Download
memory/1272-210-0x0000000004503000-0x0000000004504000-memory.dmp

Filesize
4KB

Download
memory/2224-198-0x0000000000000000-mapping.dmp

Download
memory/2872-194-0x0000000000000000-mapping.dmp

Download
memory/2872-201-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3004-123-0x0000000000000000-mapping.dmp

Download
memory/3180-145-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3180-141-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3180-142-0x0000000000413FA4-mapping.dmp

Download
memory/3228-193-0x0000000000000000-mapping.dmp

Download