remcos | 92aaa412fd4384f56646d3b70ae7e8f4e26e436501ac61b9dd29652162a2997c

Analysis

max time kernel
149s
max time network
144s
platform
windows10_x64
resource
win10v20210408
submitted
26-04-2021 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Size

172KB
MD5

1984154af6e8dc43909b7a3880212d6c
SHA1

0e1bdb2215010ecd58fb847a06c780e1b67f3cf6
SHA256

92aaa412fd4384f56646d3b70ae7e8f4e26e436501ac61b9dd29652162a2997c
SHA512

6ddc29c7f542bd4cf140b96edc2fe67be4e3b590c17e81a6638d3f6afc824c572bf01b50cd54877f62ff36a0d3ddac0f5b793f5fc1743365e4b552d69f4f37b7

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2bd991cd-0551-4f82-9f7e-2f153634d1ed\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\2bd991cd-0551-4f82-9f7e-2f153634d1ed\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\2bd991cd-0551-4f82-9f7e-2f153634d1ed\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\56950ca8-fd28-43af-b1f3-995a48a5483c\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\56950ca8-fd28-43af-b1f3-995a48a5483c\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\56950ca8-fd28-43af-b1f3-995a48a5483c\AdvancedRun.exe	Nirsoft

Executes dropped EXE 7 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exeAdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exePxxoServicesTrialNet1.exe

pid	process
208	AdvancedRun.exe
2392	AdvancedRun.exe
2204	PxxoServicesTrialNet1.exe
208	AdvancedRun.exe
684	AdvancedRun.exe
736	PxxoServicesTrialNet1.exe
2776	PxxoServicesTrialNet1.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exePxxoServicesTrialNet1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe = "0"	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe = "0"	PxxoServicesTrialNet1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 852 set thread context of 3800	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
PID 2204 set thread context of 2776	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exePxxoServicesTrialNet1.exe

pid	process
208	AdvancedRun.exe
208	AdvancedRun.exe
208	AdvancedRun.exe
208	AdvancedRun.exe
2392	AdvancedRun.exe
2392	AdvancedRun.exe
2392	AdvancedRun.exe
2392	AdvancedRun.exe
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe
208	AdvancedRun.exe
208	AdvancedRun.exe
208	AdvancedRun.exe
208	AdvancedRun.exe
684	AdvancedRun.exe
684	AdvancedRun.exe
684	AdvancedRun.exe
684	AdvancedRun.exe
200	powershell.exe
200	powershell.exe
200	powershell.exe
2204	PxxoServicesTrialNet1.exe
2204	PxxoServicesTrialNet1.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exeAdvancedRun.exeAdvancedRun.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exePxxoServicesTrialNet1.exe

description	pid	process
Token: SeDebugPrivilege	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
Token: SeDebugPrivilege	208	AdvancedRun.exe
Token: SeImpersonatePrivilege	208	AdvancedRun.exe
Token: SeDebugPrivilege	2392	AdvancedRun.exe
Token: SeImpersonatePrivilege	2392	AdvancedRun.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	208	AdvancedRun.exe
Token: SeImpersonatePrivilege	208	AdvancedRun.exe
Token: SeDebugPrivilege	684	AdvancedRun.exe
Token: SeImpersonatePrivilege	684	AdvancedRun.exe
Token: SeDebugPrivilege	200	powershell.exe
Token: SeDebugPrivilege	2204	PxxoServicesTrialNet1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

2776 PxxoServicesTrialNet1.exe

pid	process
2776	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exeAdvancedRun.exeEXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exeWScript.execmd.exePxxoServicesTrialNet1.exeAdvancedRun.exe

description	pid	process	target process
PID 852 wrote to memory of 208	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	AdvancedRun.exe
PID 852 wrote to memory of 208	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	AdvancedRun.exe
PID 852 wrote to memory of 208	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	AdvancedRun.exe
PID 208 wrote to memory of 2392	208	AdvancedRun.exe	AdvancedRun.exe
PID 208 wrote to memory of 2392	208	AdvancedRun.exe	AdvancedRun.exe
PID 208 wrote to memory of 2392	208	AdvancedRun.exe	AdvancedRun.exe
PID 852 wrote to memory of 3856	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	powershell.exe
PID 852 wrote to memory of 3856	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	powershell.exe
PID 852 wrote to memory of 3856	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	powershell.exe
PID 852 wrote to memory of 3800	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
PID 852 wrote to memory of 3800	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
PID 852 wrote to memory of 3800	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
PID 852 wrote to memory of 3800	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
PID 852 wrote to memory of 3800	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
PID 852 wrote to memory of 3800	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
PID 852 wrote to memory of 3800	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
PID 852 wrote to memory of 3800	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
PID 852 wrote to memory of 3800	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
PID 852 wrote to memory of 3800	852	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
PID 3800 wrote to memory of 912	3800	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	WScript.exe
PID 3800 wrote to memory of 912	3800	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	WScript.exe
PID 3800 wrote to memory of 912	3800	EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe	WScript.exe
PID 912 wrote to memory of 788	912	WScript.exe	cmd.exe
PID 912 wrote to memory of 788	912	WScript.exe	cmd.exe
PID 912 wrote to memory of 788	912	WScript.exe	cmd.exe
PID 788 wrote to memory of 2204	788	cmd.exe	PxxoServicesTrialNet1.exe
PID 788 wrote to memory of 2204	788	cmd.exe	PxxoServicesTrialNet1.exe
PID 788 wrote to memory of 2204	788	cmd.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 208	2204	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2204 wrote to memory of 208	2204	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2204 wrote to memory of 208	2204	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 208 wrote to memory of 684	208	AdvancedRun.exe	AdvancedRun.exe
PID 208 wrote to memory of 684	208	AdvancedRun.exe	AdvancedRun.exe
PID 208 wrote to memory of 684	208	AdvancedRun.exe	AdvancedRun.exe
PID 2204 wrote to memory of 200	2204	PxxoServicesTrialNet1.exe	powershell.exe
PID 2204 wrote to memory of 200	2204	PxxoServicesTrialNet1.exe	powershell.exe
PID 2204 wrote to memory of 200	2204	PxxoServicesTrialNet1.exe	powershell.exe
PID 2204 wrote to memory of 736	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 736	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 736	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 2776	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 2776	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 2776	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 2776	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 2776	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 2776	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 2776	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 2776	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 2776	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2204 wrote to memory of 2776	2204	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
"C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\2bd991cd-0551-4f82-9f7e-2f153634d1ed\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\2bd991cd-0551-4f82-9f7e-2f153634d1ed\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\2bd991cd-0551-4f82-9f7e-2f153634d1ed\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\2bd991cd-0551-4f82-9f7e-2f153634d1ed\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\2bd991cd-0551-4f82-9f7e-2f153634d1ed\AdvancedRun.exe" /SpecialRun 4101d8 208
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe
  "C:\Users\Admin\AppData\Local\Temp\EXTRACTO_SERFINANZA_763491694580295682345_2506299590056647_254934221025470843464344641438_1557713157182575338992538102_p.exe"
  2⤵
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        5⤵
        Executes dropped EXE
        Windows security modification
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Users\Admin\AppData\Local\Temp\56950ca8-fd28-43af-b1f3-995a48a5483c\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\56950ca8-fd28-43af-b1f3-995a48a5483c\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\56950ca8-fd28-43af-b1f3-995a48a5483c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\56950ca8-fd28-43af-b1f3-995a48a5483c\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\56950ca8-fd28-43af-b1f3-995a48a5483c\AdvancedRun.exe" /SpecialRun 4101d8 208
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe" -Force
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:200
      - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
        6⤵
        Executes dropped EXE
        
        PID:736
      - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\7fXzf8RPffj0OGmfG0fa

MD5
745d6f2c97fdc03732316b0b5c71e2cb

SHA1
2745dffd4e49d5c635e372cd245d55b2a152ffd9

SHA256
c48e8e0f13cd13be812af60379df4da6a67e1de90bfeaa90415e719cb7894a1c

SHA512
360bb19902c3eddfdd1b503ff4d3bbd448079f912fc9edd08b33c1374098f3a6d25da58fd22e11759c417916d08672c05e7fd4db8662db60fdfd88cc67dec2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
133600f9cf4e9c93660abf366361f403

SHA1
fb1c0102b177c5bd80f813e1c2e154f90eabf7ff

SHA256
eb5fcbe6e81e567c181435b6da4f628e6c46a3f2de977e9697ad8e88fd3dc20a

SHA512
23afbd4890786c02262a2cbe229dad1fb48583cda29276ff032726008add9878a60ab89b1d1f8118d13509984e68be0d68b47b055f2246aecd174002be612bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bd991cd-0551-4f82-9f7e-2f153634d1ed\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bd991cd-0551-4f82-9f7e-2f153634d1ed\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bd991cd-0551-4f82-9f7e-2f153634d1ed\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\56950ca8-fd28-43af-b1f3-995a48a5483c\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\56950ca8-fd28-43af-b1f3-995a48a5483c\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\56950ca8-fd28-43af-b1f3-995a48a5483c\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
1984154af6e8dc43909b7a3880212d6c

SHA1
0e1bdb2215010ecd58fb847a06c780e1b67f3cf6

SHA256
92aaa412fd4384f56646d3b70ae7e8f4e26e436501ac61b9dd29652162a2997c

SHA512
6ddc29c7f542bd4cf140b96edc2fe67be4e3b590c17e81a6638d3f6afc824c572bf01b50cd54877f62ff36a0d3ddac0f5b793f5fc1743365e4b552d69f4f37b7

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
1984154af6e8dc43909b7a3880212d6c

SHA1
0e1bdb2215010ecd58fb847a06c780e1b67f3cf6

SHA256
92aaa412fd4384f56646d3b70ae7e8f4e26e436501ac61b9dd29652162a2997c

SHA512
6ddc29c7f542bd4cf140b96edc2fe67be4e3b590c17e81a6638d3f6afc824c572bf01b50cd54877f62ff36a0d3ddac0f5b793f5fc1743365e4b552d69f4f37b7

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
1984154af6e8dc43909b7a3880212d6c

SHA1
0e1bdb2215010ecd58fb847a06c780e1b67f3cf6

SHA256
92aaa412fd4384f56646d3b70ae7e8f4e26e436501ac61b9dd29652162a2997c

SHA512
6ddc29c7f542bd4cf140b96edc2fe67be4e3b590c17e81a6638d3f6afc824c572bf01b50cd54877f62ff36a0d3ddac0f5b793f5fc1743365e4b552d69f4f37b7

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
1984154af6e8dc43909b7a3880212d6c

SHA1
0e1bdb2215010ecd58fb847a06c780e1b67f3cf6

SHA256
92aaa412fd4384f56646d3b70ae7e8f4e26e436501ac61b9dd29652162a2997c

SHA512
6ddc29c7f542bd4cf140b96edc2fe67be4e3b590c17e81a6638d3f6afc824c572bf01b50cd54877f62ff36a0d3ddac0f5b793f5fc1743365e4b552d69f4f37b7

Download Submit
memory/200-204-0x0000000000000000-mapping.dmp

Download
memory/200-207-0x0000000006D72000-0x0000000006D73000-memory.dmp

Filesize
4KB

Download
memory/200-206-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/200-210-0x0000000006D73000-0x0000000006D74000-memory.dmp

Filesize
4KB

Download
memory/200-209-0x000000007E8B0000-0x000000007E8B1000-memory.dmp

Filesize
4KB

Download
memory/208-120-0x0000000000000000-mapping.dmp

Download
memory/208-198-0x0000000000000000-mapping.dmp

Download
memory/684-201-0x0000000000000000-mapping.dmp

Download
memory/788-193-0x0000000000000000-mapping.dmp

Download
memory/852-118-0x0000000004D30000-0x000000000522E000-memory.dmp

Filesize
5.0MB

Download
memory/852-117-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/852-114-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/852-116-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/852-119-0x0000000002850000-0x00000000028BC000-memory.dmp

Filesize
432KB

Download
memory/912-162-0x0000000000000000-mapping.dmp

Download
memory/2204-194-0x0000000000000000-mapping.dmp

Download
memory/2204-203-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/2392-123-0x0000000000000000-mapping.dmp

Download
memory/2776-212-0x0000000000413FA4-mapping.dmp

Download
memory/2776-214-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3800-161-0x0000000000413FA4-mapping.dmp

Download
memory/3800-160-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3800-165-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3856-136-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/3856-135-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

Filesize
4KB

Download
memory/3856-159-0x000000007F590000-0x000000007F591000-memory.dmp

Filesize
4KB

Download
memory/3856-158-0x0000000009310000-0x0000000009311000-memory.dmp

Filesize
4KB

Download
memory/3856-153-0x0000000008FA0000-0x0000000008FA1000-memory.dmp

Filesize
4KB

Download
memory/3856-146-0x0000000008FE0000-0x0000000009013000-memory.dmp

Filesize
204KB

Download
memory/3856-138-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/3856-137-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/3856-164-0x0000000006BC3000-0x0000000006BC4000-memory.dmp

Filesize
4KB

Download
memory/3856-163-0x00000000094B0000-0x00000000094B1000-memory.dmp

Filesize
4KB

Download
memory/3856-134-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/3856-133-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/3856-132-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/3856-130-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/3856-131-0x0000000006BC2000-0x0000000006BC3000-memory.dmp

Filesize
4KB

Download
memory/3856-129-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/3856-128-0x0000000006A20000-0x0000000006A21000-memory.dmp

Filesize
4KB

Download
memory/3856-125-0x0000000000000000-mapping.dmp

Download