remcos | 714f5babb7ff43c5c7d994ee24ffca6be9508b86998ba18c719bcb3f9596f358

General

Target

EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
Size

184KB
MD5

4f9650b7df074e8bde07401b1ba53d29
SHA1

41e963c3f35af703e50e07e1dbecd47c86ccb7de
SHA256

714f5babb7ff43c5c7d994ee24ffca6be9508b86998ba18c719bcb3f9596f358
SHA512

b3554305a41e2520e9cb764dc61d8abb9552fa3b1e821c01208360f28afa6f7f50b3ce721975ec6a6bf78829af4783280d6939c87f6d51fb88d0ad6b88fd5312

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

PxxoServicesTrialNet1.exePxxoServicesTrialNet1.exe

pid process

280 PxxoServicesTrialNet1.exe
1284 PxxoServicesTrialNet1.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1876 cmd.exe

pid	process
280	PxxoServicesTrialNet1.exe
1284	PxxoServicesTrialNet1.exe

pid	process
1876	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 1840 set thread context of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 280 set thread context of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe

pid	process
1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe

description	pid	process
Token: SeDebugPrivilege	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

1284 PxxoServicesTrialNet1.exe

pid	process
1284	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exeEXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exeWScript.execmd.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 1840 wrote to memory of 1648	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1648	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1648	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1648	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1840 wrote to memory of 1640	1840	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
PID 1640 wrote to memory of 276	1640	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	WScript.exe
PID 1640 wrote to memory of 276	1640	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	WScript.exe
PID 1640 wrote to memory of 276	1640	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	WScript.exe
PID 1640 wrote to memory of 276	1640	EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe	WScript.exe
PID 276 wrote to memory of 1876	276	WScript.exe	cmd.exe
PID 276 wrote to memory of 1876	276	WScript.exe	cmd.exe
PID 276 wrote to memory of 1876	276	WScript.exe	cmd.exe
PID 276 wrote to memory of 1876	276	WScript.exe	cmd.exe
PID 1876 wrote to memory of 280	1876	cmd.exe	PxxoServicesTrialNet1.exe
PID 1876 wrote to memory of 280	1876	cmd.exe	PxxoServicesTrialNet1.exe
PID 1876 wrote to memory of 280	1876	cmd.exe	PxxoServicesTrialNet1.exe
PID 1876 wrote to memory of 280	1876	cmd.exe	PxxoServicesTrialNet1.exe
PID 280 wrote to memory of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 280 wrote to memory of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 280 wrote to memory of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 280 wrote to memory of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 280 wrote to memory of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 280 wrote to memory of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 280 wrote to memory of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 280 wrote to memory of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 280 wrote to memory of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 280 wrote to memory of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 280 wrote to memory of 1284	280	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
"C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
"C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe"
2⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe
"C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_694237605670237898130_880400300571994975454_677658493671733776943344733_49888556350297126565426875_p.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:280

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
4f9650b7df074e8bde07401b1ba53d29

SHA1
41e963c3f35af703e50e07e1dbecd47c86ccb7de

SHA256
714f5babb7ff43c5c7d994ee24ffca6be9508b86998ba18c719bcb3f9596f358

SHA512
b3554305a41e2520e9cb764dc61d8abb9552fa3b1e821c01208360f28afa6f7f50b3ce721975ec6a6bf78829af4783280d6939c87f6d51fb88d0ad6b88fd5312

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
4f9650b7df074e8bde07401b1ba53d29

SHA1
41e963c3f35af703e50e07e1dbecd47c86ccb7de

SHA256
714f5babb7ff43c5c7d994ee24ffca6be9508b86998ba18c719bcb3f9596f358

SHA512
b3554305a41e2520e9cb764dc61d8abb9552fa3b1e821c01208360f28afa6f7f50b3ce721975ec6a6bf78829af4783280d6939c87f6d51fb88d0ad6b88fd5312

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
4f9650b7df074e8bde07401b1ba53d29

SHA1
41e963c3f35af703e50e07e1dbecd47c86ccb7de

SHA256
714f5babb7ff43c5c7d994ee24ffca6be9508b86998ba18c719bcb3f9596f358

SHA512
b3554305a41e2520e9cb764dc61d8abb9552fa3b1e821c01208360f28afa6f7f50b3ce721975ec6a6bf78829af4783280d6939c87f6d51fb88d0ad6b88fd5312

Download Submit
C:\Users\Admin\Wdf35dhw7fsDR0uD3g4c2Pka9y47500M36
MD5
99626a32e6e4e99a32979df9d03555e7

SHA1
b71d8fd6813a665030a0cbc4d036a203dbe5ab0a

SHA256
4215dc643cf79bf02ea6c2e387da71f55e3cd633107d49bb124d0648c12aa9c8

SHA512
bd74c901e42b1871185690eb438b28b506d6a75da57f8286643e0c7b1ffe1dd13e11fe1b3a08496d938bd90103f5aa9e339eaa6cb7ed263ef1ff693c5f1e1b23

Download Submit
\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
4f9650b7df074e8bde07401b1ba53d29

SHA1
41e963c3f35af703e50e07e1dbecd47c86ccb7de

SHA256
714f5babb7ff43c5c7d994ee24ffca6be9508b86998ba18c719bcb3f9596f358

SHA512
b3554305a41e2520e9cb764dc61d8abb9552fa3b1e821c01208360f28afa6f7f50b3ce721975ec6a6bf78829af4783280d6939c87f6d51fb88d0ad6b88fd5312

Download Submit
memory/276-68-0x0000000000000000-mapping.dmp

Download
memory/280-75-0x0000000000000000-mapping.dmp

Download
memory/280-81-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/280-77-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1284-86-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1284-83-0x0000000000413FA4-mapping.dmp

Download
memory/1640-66-0x0000000000413FA4-mapping.dmp

Download
memory/1640-71-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1640-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1840-63-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/1840-64-0x0000000000530000-0x0000000000556000-memory.dmp

Filesize
152KB

Download
memory/1840-60-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1840-62-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1876-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads