remcos | b805f68139469a793d97d7082a7d46a5eedcea8fa39676fd4ce557dae2725fff

Analysis

max time kernel
152s
max time network
149s
platform
windows10_x64
resource
win10v20210408
submitted
23-04-2021 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Size

179KB
MD5

f18ecb4ec01c8696b450b53e255f8e32
SHA1

18e24ceb9004c164db0d204d9ca513b5a64060fa
SHA256

b805f68139469a793d97d7082a7d46a5eedcea8fa39676fd4ce557dae2725fff
SHA512

59f5c4616b17aaeba753318fcffacba71dc76bcc599665e31a50e7d31026ed2edc598bd285b1de9e19a09e9a6987318be3f17cee827a7b7ce2a89e6385d8f36d

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9f0f3838-81d3-4984-bd01-6cd2194906dc\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\9f0f3838-81d3-4984-bd01-6cd2194906dc\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\9f0f3838-81d3-4984-bd01-6cd2194906dc\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\28012b50-221a-4bd1-8e4a-f90746d586b7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\28012b50-221a-4bd1-8e4a-f90746d586b7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\28012b50-221a-4bd1-8e4a-f90746d586b7\AdvancedRun.exe	Nirsoft

Executes dropped EXE 6 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exeAdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exe

pid process

1296 AdvancedRun.exe
1964 AdvancedRun.exe
416 PxxoServicesTrialNet1.exe
2228 AdvancedRun.exe
4016 AdvancedRun.exe
424 PxxoServicesTrialNet1.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe = "0"	PxxoServicesTrialNet1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe = "0"	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 736 set thread context of 3352	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 416 set thread context of 424	416	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exe

pid	process
1296	AdvancedRun.exe
1296	AdvancedRun.exe
1296	AdvancedRun.exe
1296	AdvancedRun.exe
1964	AdvancedRun.exe
1964	AdvancedRun.exe
1964	AdvancedRun.exe
1964	AdvancedRun.exe
2064	powershell.exe
2064	powershell.exe
2064	powershell.exe
2228	AdvancedRun.exe
2228	AdvancedRun.exe
2228	AdvancedRun.exe
2228	AdvancedRun.exe
4016	AdvancedRun.exe
4016	AdvancedRun.exe
4016	AdvancedRun.exe
4016	AdvancedRun.exe
1420	powershell.exe
1420	powershell.exe
1420	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exeAdvancedRun.exeAdvancedRun.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Token: SeDebugPrivilege	1296	AdvancedRun.exe
Token: SeImpersonatePrivilege	1296	AdvancedRun.exe
Token: SeDebugPrivilege	1964	AdvancedRun.exe
Token: SeImpersonatePrivilege	1964	AdvancedRun.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2228	AdvancedRun.exe
Token: SeImpersonatePrivilege	2228	AdvancedRun.exe
Token: SeDebugPrivilege	4016	AdvancedRun.exe
Token: SeImpersonatePrivilege	4016	AdvancedRun.exe
Token: SeDebugPrivilege	1420	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

424 PxxoServicesTrialNet1.exe

pid	process
424	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exeAdvancedRun.exeADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exeWScript.execmd.exePxxoServicesTrialNet1.exeAdvancedRun.exe

description	pid	process	target process
PID 736 wrote to memory of 1296	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	AdvancedRun.exe
PID 736 wrote to memory of 1296	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	AdvancedRun.exe
PID 736 wrote to memory of 1296	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	AdvancedRun.exe
PID 1296 wrote to memory of 1964	1296	AdvancedRun.exe	AdvancedRun.exe
PID 1296 wrote to memory of 1964	1296	AdvancedRun.exe	AdvancedRun.exe
PID 1296 wrote to memory of 1964	1296	AdvancedRun.exe	AdvancedRun.exe
PID 736 wrote to memory of 2064	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	powershell.exe
PID 736 wrote to memory of 2064	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	powershell.exe
PID 736 wrote to memory of 2064	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	powershell.exe
PID 736 wrote to memory of 3352	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 736 wrote to memory of 3352	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 736 wrote to memory of 3352	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 736 wrote to memory of 3352	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 736 wrote to memory of 3352	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 736 wrote to memory of 3352	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 736 wrote to memory of 3352	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 736 wrote to memory of 3352	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 736 wrote to memory of 3352	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 736 wrote to memory of 3352	736	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 3352 wrote to memory of 684	3352	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	WScript.exe
PID 3352 wrote to memory of 684	3352	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	WScript.exe
PID 3352 wrote to memory of 684	3352	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	WScript.exe
PID 684 wrote to memory of 2276	684	WScript.exe	cmd.exe
PID 684 wrote to memory of 2276	684	WScript.exe	cmd.exe
PID 684 wrote to memory of 2276	684	WScript.exe	cmd.exe
PID 2276 wrote to memory of 416	2276	cmd.exe	PxxoServicesTrialNet1.exe
PID 2276 wrote to memory of 416	2276	cmd.exe	PxxoServicesTrialNet1.exe
PID 2276 wrote to memory of 416	2276	cmd.exe	PxxoServicesTrialNet1.exe
PID 416 wrote to memory of 2228	416	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 416 wrote to memory of 2228	416	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 416 wrote to memory of 2228	416	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2228 wrote to memory of 4016	2228	AdvancedRun.exe	AdvancedRun.exe
PID 2228 wrote to memory of 4016	2228	AdvancedRun.exe	AdvancedRun.exe
PID 2228 wrote to memory of 4016	2228	AdvancedRun.exe	AdvancedRun.exe
PID 416 wrote to memory of 1420	416	PxxoServicesTrialNet1.exe	powershell.exe
PID 416 wrote to memory of 1420	416	PxxoServicesTrialNet1.exe	powershell.exe
PID 416 wrote to memory of 1420	416	PxxoServicesTrialNet1.exe	powershell.exe
PID 416 wrote to memory of 424	416	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 416 wrote to memory of 424	416	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 416 wrote to memory of 424	416	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 416 wrote to memory of 424	416	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 416 wrote to memory of 424	416	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 416 wrote to memory of 424	416	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 416 wrote to memory of 424	416	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 416 wrote to memory of 424	416	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 416 wrote to memory of 424	416	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 416 wrote to memory of 424	416	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\9f0f3838-81d3-4984-bd01-6cd2194906dc\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\9f0f3838-81d3-4984-bd01-6cd2194906dc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\9f0f3838-81d3-4984-bd01-6cd2194906dc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\9f0f3838-81d3-4984-bd01-6cd2194906dc\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\9f0f3838-81d3-4984-bd01-6cd2194906dc\AdvancedRun.exe" /SpecialRun 4101d8 1296
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
5⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:416

C:\Users\Admin\AppData\Local\Temp\28012b50-221a-4bd1-8e4a-f90746d586b7\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\28012b50-221a-4bd1-8e4a-f90746d586b7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\28012b50-221a-4bd1-8e4a-f90746d586b7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\Temp\28012b50-221a-4bd1-8e4a-f90746d586b7\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\28012b50-221a-4bd1-8e4a-f90746d586b7\AdvancedRun.exe" /SpecialRun 4101d8 2228
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe" -Force
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2fidKeete159
MD5
dee768f4e18ce1c6b628d10e3fd590cc

SHA1
9c654c839392e55d028a0587fad5f86edb237b3e

SHA256
6ba324573a086fb66b4a40e806ce864b4cc9d4e096ed870bf2addefb11cbf4e7

SHA512
9a791b7c033546ca4ad1e9bb2648886b17105775b284d24d690921ff07b5551ba73ecee3137097a8f82122a42719fea72c6e915d838355ad2534aa15a1c2d10f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
06d468fa569f1bb9f601d6f034fd482c

SHA1
f07fbef22a97a7ad7ec92eea8d20709b042a0e7f

SHA256
8f4bff7e9f17fa57ade63e1fa7b59c2f5b5426458468ae764dd1ea7332d06832

SHA512
588600505aa6864ca6727d8c4a00d2ecf434ca9fcf3f81bd9f7c20a9b230ab70bb6e722c42a8d9019c27d7a56a55d53d85fd8dbd5e2dafee3aa964af0c417046

Download Submit
C:\Users\Admin\AppData\Local\Temp\28012b50-221a-4bd1-8e4a-f90746d586b7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\28012b50-221a-4bd1-8e4a-f90746d586b7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\28012b50-221a-4bd1-8e4a-f90746d586b7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f0f3838-81d3-4984-bd01-6cd2194906dc\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f0f3838-81d3-4984-bd01-6cd2194906dc\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f0f3838-81d3-4984-bd01-6cd2194906dc\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
f18ecb4ec01c8696b450b53e255f8e32

SHA1
18e24ceb9004c164db0d204d9ca513b5a64060fa

SHA256
b805f68139469a793d97d7082a7d46a5eedcea8fa39676fd4ce557dae2725fff

SHA512
59f5c4616b17aaeba753318fcffacba71dc76bcc599665e31a50e7d31026ed2edc598bd285b1de9e19a09e9a6987318be3f17cee827a7b7ce2a89e6385d8f36d

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
f18ecb4ec01c8696b450b53e255f8e32

SHA1
18e24ceb9004c164db0d204d9ca513b5a64060fa

SHA256
b805f68139469a793d97d7082a7d46a5eedcea8fa39676fd4ce557dae2725fff

SHA512
59f5c4616b17aaeba753318fcffacba71dc76bcc599665e31a50e7d31026ed2edc598bd285b1de9e19a09e9a6987318be3f17cee827a7b7ce2a89e6385d8f36d

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
f18ecb4ec01c8696b450b53e255f8e32

SHA1
18e24ceb9004c164db0d204d9ca513b5a64060fa

SHA256
b805f68139469a793d97d7082a7d46a5eedcea8fa39676fd4ce557dae2725fff

SHA512
59f5c4616b17aaeba753318fcffacba71dc76bcc599665e31a50e7d31026ed2edc598bd285b1de9e19a09e9a6987318be3f17cee827a7b7ce2a89e6385d8f36d

Download Submit
memory/416-203-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/416-194-0x0000000000000000-mapping.dmp

Download
memory/424-211-0x0000000000413FA4-mapping.dmp

Download
memory/424-213-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/684-190-0x0000000000000000-mapping.dmp

Download
memory/736-119-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

Filesize
4KB

Download
memory/736-114-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/736-116-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/736-117-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/736-118-0x0000000004B30000-0x0000000004BA0000-memory.dmp

Filesize
448KB

Download
memory/1296-120-0x0000000000000000-mapping.dmp

Download
memory/1420-206-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/1420-204-0x0000000000000000-mapping.dmp

Download
memory/1420-210-0x00000000046C3000-0x00000000046C4000-memory.dmp

Filesize
4KB

Download
memory/1420-207-0x00000000046C2000-0x00000000046C3000-memory.dmp

Filesize
4KB

Download
memory/1420-209-0x000000007EEB0000-0x000000007EEB1000-memory.dmp

Filesize
4KB

Download
memory/1964-123-0x0000000000000000-mapping.dmp

Download
memory/2064-130-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/2064-146-0x0000000009470000-0x00000000094A3000-memory.dmp

Filesize
204KB

Download
memory/2064-125-0x0000000000000000-mapping.dmp

Download
memory/2064-128-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2064-161-0x0000000004BB3000-0x0000000004BB4000-memory.dmp

Filesize
4KB

Download
memory/2064-160-0x000000007F160000-0x000000007F161000-memory.dmp

Filesize
4KB

Download
memory/2064-159-0x00000000099E0000-0x00000000099E1000-memory.dmp

Filesize
4KB

Download
memory/2064-129-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/2064-158-0x0000000009850000-0x0000000009851000-memory.dmp

Filesize
4KB

Download
memory/2064-153-0x0000000009450000-0x0000000009451000-memory.dmp

Filesize
4KB

Download
memory/2064-131-0x0000000004BB2000-0x0000000004BB3000-memory.dmp

Filesize
4KB

Download
memory/2064-132-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/2064-138-0x00000000086F0000-0x00000000086F1000-memory.dmp

Filesize
4KB

Download
memory/2064-137-0x0000000008410000-0x0000000008411000-memory.dmp

Filesize
4KB

Download
memory/2064-136-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/2064-135-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download
memory/2064-134-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/2064-133-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/2228-198-0x0000000000000000-mapping.dmp

Download
memory/2276-193-0x0000000000000000-mapping.dmp

Download
memory/3352-191-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3352-189-0x0000000000413FA4-mapping.dmp

Download
memory/4016-201-0x0000000000000000-mapping.dmp

Download