remcos | b805f68139469a793d97d7082a7d46a5eedcea8fa39676fd4ce557dae2725fff

Analysis

max time kernel
151s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
23-04-2021 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Size

179KB
MD5

f18ecb4ec01c8696b450b53e255f8e32
SHA1

18e24ceb9004c164db0d204d9ca513b5a64060fa
SHA256

b805f68139469a793d97d7082a7d46a5eedcea8fa39676fd4ce557dae2725fff
SHA512

59f5c4616b17aaeba753318fcffacba71dc76bcc599665e31a50e7d31026ed2edc598bd285b1de9e19a09e9a6987318be3f17cee827a7b7ce2a89e6385d8f36d

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cbea3c5e-3a91-4e3b-b97c-73d681391f5b\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\cbea3c5e-3a91-4e3b-b97c-73d681391f5b\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\cbea3c5e-3a91-4e3b-b97c-73d681391f5b\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\92259401-1d67-4a9c-a691-e35ec63a3304\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\92259401-1d67-4a9c-a691-e35ec63a3304\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\92259401-1d67-4a9c-a691-e35ec63a3304\AdvancedRun.exe	Nirsoft

Executes dropped EXE 6 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exeAdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exe

pid process

188 AdvancedRun.exe
2940 AdvancedRun.exe
4084 PxxoServicesTrialNet1.exe
1332 AdvancedRun.exe
3352 AdvancedRun.exe
3012 PxxoServicesTrialNet1.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exePxxoServicesTrialNet1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe = "0"	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe = "0"	PxxoServicesTrialNet1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 908 set thread context of 3652	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 4084 set thread context of 3012	4084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exe

pid	process
188	AdvancedRun.exe
188	AdvancedRun.exe
188	AdvancedRun.exe
188	AdvancedRun.exe
2940	AdvancedRun.exe
2940	AdvancedRun.exe
2940	AdvancedRun.exe
2940	AdvancedRun.exe
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
1332	AdvancedRun.exe
1332	AdvancedRun.exe
1332	AdvancedRun.exe
1332	AdvancedRun.exe
3352	AdvancedRun.exe
3352	AdvancedRun.exe
3352	AdvancedRun.exe
3352	AdvancedRun.exe
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exeAdvancedRun.exeAdvancedRun.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
Token: SeDebugPrivilege	188	AdvancedRun.exe
Token: SeImpersonatePrivilege	188	AdvancedRun.exe
Token: SeDebugPrivilege	2940	AdvancedRun.exe
Token: SeImpersonatePrivilege	2940	AdvancedRun.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1332	AdvancedRun.exe
Token: SeImpersonatePrivilege	1332	AdvancedRun.exe
Token: SeDebugPrivilege	3352	AdvancedRun.exe
Token: SeImpersonatePrivilege	3352	AdvancedRun.exe
Token: SeDebugPrivilege	2208	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

3012 PxxoServicesTrialNet1.exe

pid	process
3012	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exeAdvancedRun.exeADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exeWScript.execmd.exePxxoServicesTrialNet1.exeAdvancedRun.exe

description	pid	process	target process
PID 908 wrote to memory of 188	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	AdvancedRun.exe
PID 908 wrote to memory of 188	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	AdvancedRun.exe
PID 908 wrote to memory of 188	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	AdvancedRun.exe
PID 188 wrote to memory of 2940	188	AdvancedRun.exe	AdvancedRun.exe
PID 188 wrote to memory of 2940	188	AdvancedRun.exe	AdvancedRun.exe
PID 188 wrote to memory of 2940	188	AdvancedRun.exe	AdvancedRun.exe
PID 908 wrote to memory of 2252	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	powershell.exe
PID 908 wrote to memory of 2252	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	powershell.exe
PID 908 wrote to memory of 2252	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	powershell.exe
PID 908 wrote to memory of 3652	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 908 wrote to memory of 3652	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 908 wrote to memory of 3652	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 908 wrote to memory of 3652	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 908 wrote to memory of 3652	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 908 wrote to memory of 3652	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 908 wrote to memory of 3652	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 908 wrote to memory of 3652	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 908 wrote to memory of 3652	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 908 wrote to memory of 3652	908	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
PID 3652 wrote to memory of 3464	3652	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	WScript.exe
PID 3652 wrote to memory of 3464	3652	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	WScript.exe
PID 3652 wrote to memory of 3464	3652	ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe	WScript.exe
PID 3464 wrote to memory of 4036	3464	WScript.exe	cmd.exe
PID 3464 wrote to memory of 4036	3464	WScript.exe	cmd.exe
PID 3464 wrote to memory of 4036	3464	WScript.exe	cmd.exe
PID 4036 wrote to memory of 4084	4036	cmd.exe	PxxoServicesTrialNet1.exe
PID 4036 wrote to memory of 4084	4036	cmd.exe	PxxoServicesTrialNet1.exe
PID 4036 wrote to memory of 4084	4036	cmd.exe	PxxoServicesTrialNet1.exe
PID 4084 wrote to memory of 1332	4084	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 4084 wrote to memory of 1332	4084	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 4084 wrote to memory of 1332	4084	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 1332 wrote to memory of 3352	1332	AdvancedRun.exe	AdvancedRun.exe
PID 1332 wrote to memory of 3352	1332	AdvancedRun.exe	AdvancedRun.exe
PID 1332 wrote to memory of 3352	1332	AdvancedRun.exe	AdvancedRun.exe
PID 4084 wrote to memory of 2208	4084	PxxoServicesTrialNet1.exe	powershell.exe
PID 4084 wrote to memory of 2208	4084	PxxoServicesTrialNet1.exe	powershell.exe
PID 4084 wrote to memory of 2208	4084	PxxoServicesTrialNet1.exe	powershell.exe
PID 4084 wrote to memory of 3012	4084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 4084 wrote to memory of 3012	4084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 4084 wrote to memory of 3012	4084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 4084 wrote to memory of 3012	4084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 4084 wrote to memory of 3012	4084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 4084 wrote to memory of 3012	4084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 4084 wrote to memory of 3012	4084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 4084 wrote to memory of 3012	4084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 4084 wrote to memory of 3012	4084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 4084 wrote to memory of 3012	4084	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\cbea3c5e-3a91-4e3b-b97c-73d681391f5b\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\cbea3c5e-3a91-4e3b-b97c-73d681391f5b\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\cbea3c5e-3a91-4e3b-b97c-73d681391f5b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188

C:\Users\Admin\AppData\Local\Temp\cbea3c5e-3a91-4e3b-b97c-73d681391f5b\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\cbea3c5e-3a91-4e3b-b97c-73d681391f5b\AdvancedRun.exe" /SpecialRun 4101d8 188
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTO_EXTRACTO_57971132761620070018881_09935417206929246064486_21739530852328700789183845_619471746722927151121122_pdf.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
5⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\92259401-1d67-4a9c-a691-e35ec63a3304\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\92259401-1d67-4a9c-a691-e35ec63a3304\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\92259401-1d67-4a9c-a691-e35ec63a3304\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\92259401-1d67-4a9c-a691-e35ec63a3304\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\92259401-1d67-4a9c-a691-e35ec63a3304\AdvancedRun.exe" /SpecialRun 4101d8 1332
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe" -Force
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2fidKeete159

MD5
dee768f4e18ce1c6b628d10e3fd590cc

SHA1
9c654c839392e55d028a0587fad5f86edb237b3e

SHA256
6ba324573a086fb66b4a40e806ce864b4cc9d4e096ed870bf2addefb11cbf4e7

SHA512
9a791b7c033546ca4ad1e9bb2648886b17105775b284d24d690921ff07b5551ba73ecee3137097a8f82122a42719fea72c6e915d838355ad2534aa15a1c2d10f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6d105341216b697ec18b5bd065605d47

SHA1
18df536ac708bf3d5dda6d2f56e5254862db0460

SHA256
07270135d111bcba21f3892f051ae0557980adeded345e6fc8b3c88324f70660

SHA512
cbc764deefafbd70848778c59a64b4538e1de46a1f96cf60889bef07bd3387a2a97e752119373d284ef823d55b71b29369ff49a8722aff3aa797d0005f713c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\92259401-1d67-4a9c-a691-e35ec63a3304\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\92259401-1d67-4a9c-a691-e35ec63a3304\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\92259401-1d67-4a9c-a691-e35ec63a3304\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbea3c5e-3a91-4e3b-b97c-73d681391f5b\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbea3c5e-3a91-4e3b-b97c-73d681391f5b\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbea3c5e-3a91-4e3b-b97c-73d681391f5b\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
f18ecb4ec01c8696b450b53e255f8e32

SHA1
18e24ceb9004c164db0d204d9ca513b5a64060fa

SHA256
b805f68139469a793d97d7082a7d46a5eedcea8fa39676fd4ce557dae2725fff

SHA512
59f5c4616b17aaeba753318fcffacba71dc76bcc599665e31a50e7d31026ed2edc598bd285b1de9e19a09e9a6987318be3f17cee827a7b7ce2a89e6385d8f36d

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
f18ecb4ec01c8696b450b53e255f8e32

SHA1
18e24ceb9004c164db0d204d9ca513b5a64060fa

SHA256
b805f68139469a793d97d7082a7d46a5eedcea8fa39676fd4ce557dae2725fff

SHA512
59f5c4616b17aaeba753318fcffacba71dc76bcc599665e31a50e7d31026ed2edc598bd285b1de9e19a09e9a6987318be3f17cee827a7b7ce2a89e6385d8f36d

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
f18ecb4ec01c8696b450b53e255f8e32

SHA1
18e24ceb9004c164db0d204d9ca513b5a64060fa

SHA256
b805f68139469a793d97d7082a7d46a5eedcea8fa39676fd4ce557dae2725fff

SHA512
59f5c4616b17aaeba753318fcffacba71dc76bcc599665e31a50e7d31026ed2edc598bd285b1de9e19a09e9a6987318be3f17cee827a7b7ce2a89e6385d8f36d

Download Submit
memory/188-120-0x0000000000000000-mapping.dmp

Download
memory/908-114-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/908-116-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/908-119-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/908-117-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/908-118-0x0000000004AA0000-0x0000000004B10000-memory.dmp

Filesize
448KB

Download
memory/1332-198-0x0000000000000000-mapping.dmp

Download
memory/2208-210-0x00000000066F3000-0x00000000066F4000-memory.dmp

Filesize
4KB

Download
memory/2208-204-0x0000000000000000-mapping.dmp

Download
memory/2208-206-0x00000000066F0000-0x00000000066F1000-memory.dmp

Filesize
4KB

Download
memory/2208-207-0x00000000066F2000-0x00000000066F3000-memory.dmp

Filesize
4KB

Download
memory/2208-209-0x000000007EDC0000-0x000000007EDC1000-memory.dmp

Filesize
4KB

Download
memory/2252-131-0x0000000006B52000-0x0000000006B53000-memory.dmp

Filesize
4KB

Download
memory/2252-130-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/2252-156-0x000000007E9C0000-0x000000007E9C1000-memory.dmp

Filesize
4KB

Download
memory/2252-158-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2252-149-0x0000000008F20000-0x0000000008F53000-memory.dmp

Filesize
204KB

Download
memory/2252-164-0x00000000092E0000-0x00000000092E1000-memory.dmp

Filesize
4KB

Download
memory/2252-165-0x0000000009480000-0x0000000009481000-memory.dmp

Filesize
4KB

Download
memory/2252-192-0x0000000006B53000-0x0000000006B54000-memory.dmp

Filesize
4KB

Download
memory/2252-125-0x0000000000000000-mapping.dmp

Download
memory/2252-128-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/2252-129-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/2252-132-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/2252-133-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/2252-138-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/2252-137-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/2252-136-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/2252-134-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/2252-135-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/2940-123-0x0000000000000000-mapping.dmp

Download
memory/3012-211-0x0000000000413FA4-mapping.dmp

Download
memory/3012-213-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3352-201-0x0000000000000000-mapping.dmp

Download
memory/3464-148-0x0000000000000000-mapping.dmp

Download
memory/3652-141-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3652-142-0x0000000000413FA4-mapping.dmp

Download
memory/3652-155-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4036-193-0x0000000000000000-mapping.dmp

Download
memory/4084-203-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/4084-194-0x0000000000000000-mapping.dmp

Download