remcos | d339fb0c1a994e652b4fe8f4cfd8a16745ca9a04f9042cab1d16ca73103f41d4

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7v20210410
submitted
26-04-2021 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura Serfinanza053176011500426549564067806.exe
Size

188KB
MD5

81650b5894e10dc7f6b4d45f05f36bf9
SHA1

5f22af376e1395cbdca9470ff9432938c290b3d5
SHA256

d339fb0c1a994e652b4fe8f4cfd8a16745ca9a04f9042cab1d16ca73103f41d4
SHA512

4c1142054c46cc3a94b3778424fc06bc835208e974acd16ee063b0dc46e943eb3bb929d29c9ecd990d3fbe79c0788094976a4e250fc6134d907f7a0d78ef03df

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 5 IoCs

Processes:

PxxoServicesTrialNet1.exePxxoServicesTrialNet1.exePxxoServicesTrialNet1.exePxxoServicesTrialNet1.exePxxoServicesTrialNet1.exe

pid	process
1676	PxxoServicesTrialNet1.exe
1304	PxxoServicesTrialNet1.exe
664	PxxoServicesTrialNet1.exe
780	PxxoServicesTrialNet1.exe
1784	PxxoServicesTrialNet1.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

940 cmd.exe

pid	process
940	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Factura Serfinanza053176011500426549564067806.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Factura Serfinanza053176011500426549564067806.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	Factura Serfinanza053176011500426549564067806.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Factura Serfinanza053176011500426549564067806.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 1072 set thread context of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1676 set thread context of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Factura Serfinanza053176011500426549564067806.exePxxoServicesTrialNet1.exe

pid	process
1072	Factura Serfinanza053176011500426549564067806.exe
1072	Factura Serfinanza053176011500426549564067806.exe
1072	Factura Serfinanza053176011500426549564067806.exe
1072	Factura Serfinanza053176011500426549564067806.exe
1072	Factura Serfinanza053176011500426549564067806.exe
1072	Factura Serfinanza053176011500426549564067806.exe
1072	Factura Serfinanza053176011500426549564067806.exe
1072	Factura Serfinanza053176011500426549564067806.exe
1676	PxxoServicesTrialNet1.exe
1676	PxxoServicesTrialNet1.exe
1676	PxxoServicesTrialNet1.exe
1676	PxxoServicesTrialNet1.exe
1676	PxxoServicesTrialNet1.exe
1676	PxxoServicesTrialNet1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Factura Serfinanza053176011500426549564067806.exePxxoServicesTrialNet1.exe

description	pid	process
Token: SeDebugPrivilege	1072	Factura Serfinanza053176011500426549564067806.exe
Token: SeDebugPrivilege	1676	PxxoServicesTrialNet1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

1784 PxxoServicesTrialNet1.exe

pid	process
1784	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

Factura Serfinanza053176011500426549564067806.exeFactura Serfinanza053176011500426549564067806.exeWScript.execmd.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 1072 wrote to memory of 1564	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 1564	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 1564	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 1564	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 1584	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 1584	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 1584	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 1584	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 1016	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 1016	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 1016	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 1016	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 748	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 748	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 748	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 748	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 1072 wrote to memory of 336	1072	Factura Serfinanza053176011500426549564067806.exe	Factura Serfinanza053176011500426549564067806.exe
PID 336 wrote to memory of 544	336	Factura Serfinanza053176011500426549564067806.exe	WScript.exe
PID 336 wrote to memory of 544	336	Factura Serfinanza053176011500426549564067806.exe	WScript.exe
PID 336 wrote to memory of 544	336	Factura Serfinanza053176011500426549564067806.exe	WScript.exe
PID 336 wrote to memory of 544	336	Factura Serfinanza053176011500426549564067806.exe	WScript.exe
PID 544 wrote to memory of 940	544	WScript.exe	cmd.exe
PID 544 wrote to memory of 940	544	WScript.exe	cmd.exe
PID 544 wrote to memory of 940	544	WScript.exe	cmd.exe
PID 544 wrote to memory of 940	544	WScript.exe	cmd.exe
PID 940 wrote to memory of 1676	940	cmd.exe	PxxoServicesTrialNet1.exe
PID 940 wrote to memory of 1676	940	cmd.exe	PxxoServicesTrialNet1.exe
PID 940 wrote to memory of 1676	940	cmd.exe	PxxoServicesTrialNet1.exe
PID 940 wrote to memory of 1676	940	cmd.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1304	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1304	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1304	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1304	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 664	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 664	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 664	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 664	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 780	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 780	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 780	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 780	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1676 wrote to memory of 1784	1676	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe"
2⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe"
2⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe"
2⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe"
2⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza053176011500426549564067806.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
PID:1304

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
PID:664

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
PID:780

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\00Md1M1VfFd38s
MD5
19dd22b3ad2e2e8c3b83a3287d23c04a

SHA1
6d1cd1acebebeaedf776a1ff9b588f354bc035c2

SHA256
100b4739447d1ce5a487ea2fd1769efb458078527ca5b537ecc148ba084ccd86

SHA512
3bc9ee423e97b43b3bba2501185d35f185a52dc54a70a7d97127586d3d117d865eaca8559285b96da0c4dbcac22083d234002c7121ffb5f65e023a247b05037e

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
81650b5894e10dc7f6b4d45f05f36bf9

SHA1
5f22af376e1395cbdca9470ff9432938c290b3d5

SHA256
d339fb0c1a994e652b4fe8f4cfd8a16745ca9a04f9042cab1d16ca73103f41d4

SHA512
4c1142054c46cc3a94b3778424fc06bc835208e974acd16ee063b0dc46e943eb3bb929d29c9ecd990d3fbe79c0788094976a4e250fc6134d907f7a0d78ef03df

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
81650b5894e10dc7f6b4d45f05f36bf9

SHA1
5f22af376e1395cbdca9470ff9432938c290b3d5

SHA256
d339fb0c1a994e652b4fe8f4cfd8a16745ca9a04f9042cab1d16ca73103f41d4

SHA512
4c1142054c46cc3a94b3778424fc06bc835208e974acd16ee063b0dc46e943eb3bb929d29c9ecd990d3fbe79c0788094976a4e250fc6134d907f7a0d78ef03df

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
81650b5894e10dc7f6b4d45f05f36bf9

SHA1
5f22af376e1395cbdca9470ff9432938c290b3d5

SHA256
d339fb0c1a994e652b4fe8f4cfd8a16745ca9a04f9042cab1d16ca73103f41d4

SHA512
4c1142054c46cc3a94b3778424fc06bc835208e974acd16ee063b0dc46e943eb3bb929d29c9ecd990d3fbe79c0788094976a4e250fc6134d907f7a0d78ef03df

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
81650b5894e10dc7f6b4d45f05f36bf9

SHA1
5f22af376e1395cbdca9470ff9432938c290b3d5

SHA256
d339fb0c1a994e652b4fe8f4cfd8a16745ca9a04f9042cab1d16ca73103f41d4

SHA512
4c1142054c46cc3a94b3778424fc06bc835208e974acd16ee063b0dc46e943eb3bb929d29c9ecd990d3fbe79c0788094976a4e250fc6134d907f7a0d78ef03df

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
81650b5894e10dc7f6b4d45f05f36bf9

SHA1
5f22af376e1395cbdca9470ff9432938c290b3d5

SHA256
d339fb0c1a994e652b4fe8f4cfd8a16745ca9a04f9042cab1d16ca73103f41d4

SHA512
4c1142054c46cc3a94b3778424fc06bc835208e974acd16ee063b0dc46e943eb3bb929d29c9ecd990d3fbe79c0788094976a4e250fc6134d907f7a0d78ef03df

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
81650b5894e10dc7f6b4d45f05f36bf9

SHA1
5f22af376e1395cbdca9470ff9432938c290b3d5

SHA256
d339fb0c1a994e652b4fe8f4cfd8a16745ca9a04f9042cab1d16ca73103f41d4

SHA512
4c1142054c46cc3a94b3778424fc06bc835208e974acd16ee063b0dc46e943eb3bb929d29c9ecd990d3fbe79c0788094976a4e250fc6134d907f7a0d78ef03df

Download Submit
\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
81650b5894e10dc7f6b4d45f05f36bf9

SHA1
5f22af376e1395cbdca9470ff9432938c290b3d5

SHA256
d339fb0c1a994e652b4fe8f4cfd8a16745ca9a04f9042cab1d16ca73103f41d4

SHA512
4c1142054c46cc3a94b3778424fc06bc835208e974acd16ee063b0dc46e943eb3bb929d29c9ecd990d3fbe79c0788094976a4e250fc6134d907f7a0d78ef03df

Download Submit
memory/336-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/336-66-0x0000000000413FA4-mapping.dmp

Download
memory/336-68-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/544-69-0x0000000000000000-mapping.dmp

Download
memory/940-72-0x0000000000000000-mapping.dmp

Download
memory/1072-63-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1072-62-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/1072-60-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1072-64-0x0000000000780000-0x00000000007A6000-memory.dmp

Filesize
152KB

Download
memory/1676-81-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1676-77-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1676-75-0x0000000000000000-mapping.dmp

Download
memory/1784-86-0x0000000000413FA4-mapping.dmp

Download
memory/1784-89-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download