remcos | e547d52177207f8352766cd1e689e5f4891fb844367e12a1b6e04bca4d17ef58

General

Target

Factura Serfinanza049678941875683878450087827.exe
Size

196KB
MD5

23630bf8b6f0832cb04df9f462fe6a4c
SHA1

a7543a9eea778b009aada70657c132c0bd5e444d
SHA256

e547d52177207f8352766cd1e689e5f4891fb844367e12a1b6e04bca4d17ef58
SHA512

8219e590e57cf67d000d126843825ca615e0c39b2f5425641fc353023295261c4bf93070f72046d62ff00061c338f11cce63bbb28d24c14e3e843ff98d9ba7da

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

PxxoServicesTrialNet1.exePxxoServicesTrialNet1.exe

pid process

588 PxxoServicesTrialNet1.exe
1052 PxxoServicesTrialNet1.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

816 cmd.exe

pid	process
588	PxxoServicesTrialNet1.exe
1052	PxxoServicesTrialNet1.exe

pid	process
816	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Factura Serfinanza049678941875683878450087827.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Factura Serfinanza049678941875683878450087827.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	Factura Serfinanza049678941875683878450087827.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Factura Serfinanza049678941875683878450087827.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 1668 set thread context of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 588 set thread context of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Factura Serfinanza049678941875683878450087827.exe

description pid process

Token: SeDebugPrivilege 1668 Factura Serfinanza049678941875683878450087827.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

1052 PxxoServicesTrialNet1.exe

description	pid	process
Token: SeDebugPrivilege	1668	Factura Serfinanza049678941875683878450087827.exe

pid	process
1052	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

Factura Serfinanza049678941875683878450087827.exeFactura Serfinanza049678941875683878450087827.exeWScript.execmd.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 1668 wrote to memory of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 1668 wrote to memory of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 1668 wrote to memory of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 1668 wrote to memory of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 1668 wrote to memory of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 1668 wrote to memory of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 1668 wrote to memory of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 1668 wrote to memory of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 1668 wrote to memory of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 1668 wrote to memory of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 1668 wrote to memory of 436	1668	Factura Serfinanza049678941875683878450087827.exe	Factura Serfinanza049678941875683878450087827.exe
PID 436 wrote to memory of 1512	436	Factura Serfinanza049678941875683878450087827.exe	WScript.exe
PID 436 wrote to memory of 1512	436	Factura Serfinanza049678941875683878450087827.exe	WScript.exe
PID 436 wrote to memory of 1512	436	Factura Serfinanza049678941875683878450087827.exe	WScript.exe
PID 436 wrote to memory of 1512	436	Factura Serfinanza049678941875683878450087827.exe	WScript.exe
PID 1512 wrote to memory of 816	1512	WScript.exe	cmd.exe
PID 1512 wrote to memory of 816	1512	WScript.exe	cmd.exe
PID 1512 wrote to memory of 816	1512	WScript.exe	cmd.exe
PID 1512 wrote to memory of 816	1512	WScript.exe	cmd.exe
PID 816 wrote to memory of 588	816	cmd.exe	PxxoServicesTrialNet1.exe
PID 816 wrote to memory of 588	816	cmd.exe	PxxoServicesTrialNet1.exe
PID 816 wrote to memory of 588	816	cmd.exe	PxxoServicesTrialNet1.exe
PID 816 wrote to memory of 588	816	cmd.exe	PxxoServicesTrialNet1.exe
PID 588 wrote to memory of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 588 wrote to memory of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 588 wrote to memory of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 588 wrote to memory of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 588 wrote to memory of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 588 wrote to memory of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 588 wrote to memory of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 588 wrote to memory of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 588 wrote to memory of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 588 wrote to memory of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 588 wrote to memory of 1052	588	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza049678941875683878450087827.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza049678941875683878450087827.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza049678941875683878450087827.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza049678941875683878450087827.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
23630bf8b6f0832cb04df9f462fe6a4c

SHA1
a7543a9eea778b009aada70657c132c0bd5e444d

SHA256
e547d52177207f8352766cd1e689e5f4891fb844367e12a1b6e04bca4d17ef58

SHA512
8219e590e57cf67d000d126843825ca615e0c39b2f5425641fc353023295261c4bf93070f72046d62ff00061c338f11cce63bbb28d24c14e3e843ff98d9ba7da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
23630bf8b6f0832cb04df9f462fe6a4c

SHA1
a7543a9eea778b009aada70657c132c0bd5e444d

SHA256
e547d52177207f8352766cd1e689e5f4891fb844367e12a1b6e04bca4d17ef58

SHA512
8219e590e57cf67d000d126843825ca615e0c39b2f5425641fc353023295261c4bf93070f72046d62ff00061c338f11cce63bbb28d24c14e3e843ff98d9ba7da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
23630bf8b6f0832cb04df9f462fe6a4c

SHA1
a7543a9eea778b009aada70657c132c0bd5e444d

SHA256
e547d52177207f8352766cd1e689e5f4891fb844367e12a1b6e04bca4d17ef58

SHA512
8219e590e57cf67d000d126843825ca615e0c39b2f5425641fc353023295261c4bf93070f72046d62ff00061c338f11cce63bbb28d24c14e3e843ff98d9ba7da

Download Submit
C:\Users\Admin\OO45d09342

MD5
775ee12a650e48a0c1510aed994672d1

SHA1
bbaad822d284cfdb2a3d0a5fcddf8817488df381

SHA256
10ef784e1cf143cb9ab74b7546e9109bcb95c5da9537ffdaa812854dea960fdd

SHA512
cd61ab5ed0db5dd32168285595854e880b999ade35b7c3f296bdf4835b21c31c8c61a0df2d8819417d0cccd11285e2a45b6b909022f32cb231c09b896c44b29b

Download Submit
\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
23630bf8b6f0832cb04df9f462fe6a4c

SHA1
a7543a9eea778b009aada70657c132c0bd5e444d

SHA256
e547d52177207f8352766cd1e689e5f4891fb844367e12a1b6e04bca4d17ef58

SHA512
8219e590e57cf67d000d126843825ca615e0c39b2f5425641fc353023295261c4bf93070f72046d62ff00061c338f11cce63bbb28d24c14e3e843ff98d9ba7da

Download Submit
memory/436-63-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/436-65-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/436-69-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/436-64-0x0000000000413FA4-mapping.dmp

Download
memory/588-79-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/588-75-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/588-73-0x0000000000000000-mapping.dmp

Download
memory/816-70-0x0000000000000000-mapping.dmp

Download
memory/1052-81-0x0000000000413FA4-mapping.dmp

Download
memory/1052-84-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1512-66-0x0000000000000000-mapping.dmp

Download
memory/1668-59-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1668-62-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/1668-61-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads