remcos | 566f71be697a18778afe097f9461ef1fa7f6fbf0cf634995561e971814eae319

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10v20210410
submitted
06-05-2021 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura Serfinanza038612482397383420891150743.exe
Size

3.3MB
MD5

d3125370ba418b71a02b9365db6929d0
SHA1

6b8430a8b5bd8965bbac50feac7255d631d41f5c
SHA256

566f71be697a18778afe097f9461ef1fa7f6fbf0cf634995561e971814eae319
SHA512

40807071b38bc0ec37d7d6f061d23e06017d9738bfa11b5383fce7d31a4c152bdd5090b3243c0bd28eb5676341e0b2dbc2d411cb6d53cc11276e94a2ae92b1eb

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\fd52c56d-87f7-4daa-8bd0-21f83001ce56\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\fd52c56d-87f7-4daa-8bd0-21f83001ce56\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\fd52c56d-87f7-4daa-8bd0-21f83001ce56\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\80c5ea0c-71d0-4be3-8e37-64e7ff0f44dd\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\80c5ea0c-71d0-4be3-8e37-64e7ff0f44dd\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\80c5ea0c-71d0-4be3-8e37-64e7ff0f44dd\AdvancedRun.exe	Nirsoft

Executes dropped EXE 10 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exeAdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exePxxoServicesTrialNet1.exePxxoServicesTrialNet1.exePxxoServicesTrialNet1.exePxxoServicesTrialNet1.exe

pid	process
2680	AdvancedRun.exe
3832	AdvancedRun.exe
1956	PxxoServicesTrialNet1.exe
4124	AdvancedRun.exe
4172	AdvancedRun.exe
4484	PxxoServicesTrialNet1.exe
4496	PxxoServicesTrialNet1.exe
4504	PxxoServicesTrialNet1.exe
4520	PxxoServicesTrialNet1.exe
4536	PxxoServicesTrialNet1.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Factura Serfinanza038612482397383420891150743.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Factura Serfinanza038612482397383420891150743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Factura Serfinanza038612482397383420891150743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	Factura Serfinanza038612482397383420891150743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Factura Serfinanza038612482397383420891150743.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Factura Serfinanza038612482397383420891150743.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe = "0"	PxxoServicesTrialNet1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza038612482397383420891150743.exe = "0"	Factura Serfinanza038612482397383420891150743.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Factura Serfinanza038612482397383420891150743.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	Factura Serfinanza038612482397383420891150743.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	Factura Serfinanza038612482397383420891150743.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Factura Serfinanza038612482397383420891150743.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PxxoServicesTrialNet1.exeFactura Serfinanza038612482397383420891150743.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Factura Serfinanza038612482397383420891150743.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	Factura Serfinanza038612482397383420891150743.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

Factura Serfinanza038612482397383420891150743.exePxxoServicesTrialNet1.exe

pid	process
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Factura Serfinanza038612482397383420891150743.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 2204 set thread context of 3828	2204	Factura Serfinanza038612482397383420891150743.exe	Factura Serfinanza038612482397383420891150743.exe
PID 1956 set thread context of 4536	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3532 2204 WerFault.exe Factura Serfinanza038612482397383420891150743.exe
4584 1956 WerFault.exe PxxoServicesTrialNet1.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2740 timeout.exe
4412 timeout.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
3532	2204	WerFault.exe	Factura Serfinanza038612482397383420891150743.exe
4584	1956	WerFault.exe	PxxoServicesTrialNet1.exe

pid	process
2740	timeout.exe
4412	timeout.exe

Modifies registry class 1 IoCs

Processes:

Factura Serfinanza038612482397383420891150743.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Factura Serfinanza038612482397383420891150743.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeFactura Serfinanza038612482397383420891150743.exeWerFault.exeAdvancedRun.exeAdvancedRun.exepowershell.exePxxoServicesTrialNet1.exeWerFault.exe

pid	process
2680	AdvancedRun.exe
2680	AdvancedRun.exe
2680	AdvancedRun.exe
2680	AdvancedRun.exe
3832	AdvancedRun.exe
3832	AdvancedRun.exe
3832	AdvancedRun.exe
3832	AdvancedRun.exe
3792	powershell.exe
3792	powershell.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
2204	Factura Serfinanza038612482397383420891150743.exe
3792	powershell.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
4124	AdvancedRun.exe
4124	AdvancedRun.exe
4124	AdvancedRun.exe
4124	AdvancedRun.exe
4172	AdvancedRun.exe
4172	AdvancedRun.exe
4172	AdvancedRun.exe
4172	AdvancedRun.exe
4300	powershell.exe
4300	powershell.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
1956	PxxoServicesTrialNet1.exe
4300	powershell.exe
4584	WerFault.exe
4584	WerFault.exe
4584	WerFault.exe
4584	WerFault.exe
4584	WerFault.exe
4584	WerFault.exe
4584	WerFault.exe
4584	WerFault.exe
4584	WerFault.exe
4584	WerFault.exe
4584	WerFault.exe
4584	WerFault.exe
4584	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

4536 PxxoServicesTrialNet1.exe

pid	process
4536	PxxoServicesTrialNet1.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeFactura Serfinanza038612482397383420891150743.exeWerFault.exeAdvancedRun.exeAdvancedRun.exepowershell.exePxxoServicesTrialNet1.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2680	AdvancedRun.exe
Token: SeImpersonatePrivilege	2680	AdvancedRun.exe
Token: SeDebugPrivilege	3832	AdvancedRun.exe
Token: SeImpersonatePrivilege	3832	AdvancedRun.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	2204	Factura Serfinanza038612482397383420891150743.exe
Token: SeRestorePrivilege	3532	WerFault.exe
Token: SeBackupPrivilege	3532	WerFault.exe
Token: SeBackupPrivilege	3532	WerFault.exe
Token: SeDebugPrivilege	3532	WerFault.exe
Token: SeDebugPrivilege	4124	AdvancedRun.exe
Token: SeImpersonatePrivilege	4124	AdvancedRun.exe
Token: SeDebugPrivilege	4172	AdvancedRun.exe
Token: SeImpersonatePrivilege	4172	AdvancedRun.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	1956	PxxoServicesTrialNet1.exe
Token: SeDebugPrivilege	4584	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

4536 PxxoServicesTrialNet1.exe

pid	process
4536	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Factura Serfinanza038612482397383420891150743.exeAdvancedRun.execmd.exeFactura Serfinanza038612482397383420891150743.exeWScript.execmd.exePxxoServicesTrialNet1.exeAdvancedRun.execmd.exe

description	pid	process	target process
PID 2204 wrote to memory of 2680	2204	Factura Serfinanza038612482397383420891150743.exe	AdvancedRun.exe
PID 2204 wrote to memory of 2680	2204	Factura Serfinanza038612482397383420891150743.exe	AdvancedRun.exe
PID 2204 wrote to memory of 2680	2204	Factura Serfinanza038612482397383420891150743.exe	AdvancedRun.exe
PID 2680 wrote to memory of 3832	2680	AdvancedRun.exe	AdvancedRun.exe
PID 2680 wrote to memory of 3832	2680	AdvancedRun.exe	AdvancedRun.exe
PID 2680 wrote to memory of 3832	2680	AdvancedRun.exe	AdvancedRun.exe
PID 2204 wrote to memory of 3792	2204	Factura Serfinanza038612482397383420891150743.exe	powershell.exe
PID 2204 wrote to memory of 3792	2204	Factura Serfinanza038612482397383420891150743.exe	powershell.exe
PID 2204 wrote to memory of 3792	2204	Factura Serfinanza038612482397383420891150743.exe	powershell.exe
PID 2204 wrote to memory of 4016	2204	Factura Serfinanza038612482397383420891150743.exe	cmd.exe
PID 2204 wrote to memory of 4016	2204	Factura Serfinanza038612482397383420891150743.exe	cmd.exe
PID 2204 wrote to memory of 4016	2204	Factura Serfinanza038612482397383420891150743.exe	cmd.exe
PID 4016 wrote to memory of 2740	4016	cmd.exe	timeout.exe
PID 4016 wrote to memory of 2740	4016	cmd.exe	timeout.exe
PID 4016 wrote to memory of 2740	4016	cmd.exe	timeout.exe
PID 2204 wrote to memory of 3828	2204	Factura Serfinanza038612482397383420891150743.exe	Factura Serfinanza038612482397383420891150743.exe
PID 2204 wrote to memory of 3828	2204	Factura Serfinanza038612482397383420891150743.exe	Factura Serfinanza038612482397383420891150743.exe
PID 2204 wrote to memory of 3828	2204	Factura Serfinanza038612482397383420891150743.exe	Factura Serfinanza038612482397383420891150743.exe
PID 2204 wrote to memory of 3828	2204	Factura Serfinanza038612482397383420891150743.exe	Factura Serfinanza038612482397383420891150743.exe
PID 2204 wrote to memory of 3828	2204	Factura Serfinanza038612482397383420891150743.exe	Factura Serfinanza038612482397383420891150743.exe
PID 2204 wrote to memory of 3828	2204	Factura Serfinanza038612482397383420891150743.exe	Factura Serfinanza038612482397383420891150743.exe
PID 2204 wrote to memory of 3828	2204	Factura Serfinanza038612482397383420891150743.exe	Factura Serfinanza038612482397383420891150743.exe
PID 2204 wrote to memory of 3828	2204	Factura Serfinanza038612482397383420891150743.exe	Factura Serfinanza038612482397383420891150743.exe
PID 2204 wrote to memory of 3828	2204	Factura Serfinanza038612482397383420891150743.exe	Factura Serfinanza038612482397383420891150743.exe
PID 2204 wrote to memory of 3828	2204	Factura Serfinanza038612482397383420891150743.exe	Factura Serfinanza038612482397383420891150743.exe
PID 3828 wrote to memory of 1816	3828	Factura Serfinanza038612482397383420891150743.exe	WScript.exe
PID 3828 wrote to memory of 1816	3828	Factura Serfinanza038612482397383420891150743.exe	WScript.exe
PID 3828 wrote to memory of 1816	3828	Factura Serfinanza038612482397383420891150743.exe	WScript.exe
PID 1816 wrote to memory of 736	1816	WScript.exe	cmd.exe
PID 1816 wrote to memory of 736	1816	WScript.exe	cmd.exe
PID 1816 wrote to memory of 736	1816	WScript.exe	cmd.exe
PID 736 wrote to memory of 1956	736	cmd.exe	PxxoServicesTrialNet1.exe
PID 736 wrote to memory of 1956	736	cmd.exe	PxxoServicesTrialNet1.exe
PID 736 wrote to memory of 1956	736	cmd.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4124	1956	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 1956 wrote to memory of 4124	1956	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 1956 wrote to memory of 4124	1956	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 4124 wrote to memory of 4172	4124	AdvancedRun.exe	AdvancedRun.exe
PID 4124 wrote to memory of 4172	4124	AdvancedRun.exe	AdvancedRun.exe
PID 4124 wrote to memory of 4172	4124	AdvancedRun.exe	AdvancedRun.exe
PID 1956 wrote to memory of 4300	1956	PxxoServicesTrialNet1.exe	powershell.exe
PID 1956 wrote to memory of 4300	1956	PxxoServicesTrialNet1.exe	powershell.exe
PID 1956 wrote to memory of 4300	1956	PxxoServicesTrialNet1.exe	powershell.exe
PID 1956 wrote to memory of 4324	1956	PxxoServicesTrialNet1.exe	cmd.exe
PID 1956 wrote to memory of 4324	1956	PxxoServicesTrialNet1.exe	cmd.exe
PID 1956 wrote to memory of 4324	1956	PxxoServicesTrialNet1.exe	cmd.exe
PID 4324 wrote to memory of 4412	4324	cmd.exe	timeout.exe
PID 4324 wrote to memory of 4412	4324	cmd.exe	timeout.exe
PID 4324 wrote to memory of 4412	4324	cmd.exe	timeout.exe
PID 1956 wrote to memory of 4484	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4484	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4484	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4496	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4496	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4496	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4504	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4504	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4504	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4520	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4520	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4520	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4536	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4536	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 1956 wrote to memory of 4536	1956	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza038612482397383420891150743.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza038612482397383420891150743.exe"
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\fd52c56d-87f7-4daa-8bd0-21f83001ce56\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\fd52c56d-87f7-4daa-8bd0-21f83001ce56\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\fd52c56d-87f7-4daa-8bd0-21f83001ce56\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\fd52c56d-87f7-4daa-8bd0-21f83001ce56\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\fd52c56d-87f7-4daa-8bd0-21f83001ce56\AdvancedRun.exe" /SpecialRun 4101d8 2680
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza038612482397383420891150743.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2740
- C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza038612482397383420891150743.exe
  "C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza038612482397383420891150743.exe"
  2⤵
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:736
    - - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        5⤵
        Executes dropped EXE
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Users\Admin\AppData\Local\Temp\80c5ea0c-71d0-4be3-8e37-64e7ff0f44dd\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\80c5ea0c-71d0-4be3-8e37-64e7ff0f44dd\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\80c5ea0c-71d0-4be3-8e37-64e7ff0f44dd\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\80c5ea0c-71d0-4be3-8e37-64e7ff0f44dd\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\80c5ea0c-71d0-4be3-8e37-64e7ff0f44dd\AdvancedRun.exe" /SpecialRun 4101d8 4124
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe" -Force
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:4412
      - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
        6⤵
        Executes dropped EXE
        
        PID:4484
      - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
        6⤵
        Executes dropped EXE
        
        PID:4496
      - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
        6⤵
        Executes dropped EXE
        
        PID:4504
      - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
        6⤵
        Executes dropped EXE
        
        PID:4520
      - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:4536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1616
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1620
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7e7318eca614af4cb08ec30bec62f537

SHA1
c6e40ee01816f60f192612518df8db7da6d4d91a

SHA256
d536722740e44d65d627cfff1eb4e2be0894e96e3e0be12beceae9a35fa0b86b

SHA512
fa42d385583c26e4b6f4a4df23f7cc491674cc35d689ab331edb18fbe2deb0d37d6b5270b65bc3335146fa713c8aa8a41999079e857c9ea8feed5a68d9b00ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\80c5ea0c-71d0-4be3-8e37-64e7ff0f44dd\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\80c5ea0c-71d0-4be3-8e37-64e7ff0f44dd\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\80c5ea0c-71d0-4be3-8e37-64e7ff0f44dd\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd52c56d-87f7-4daa-8bd0-21f83001ce56\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd52c56d-87f7-4daa-8bd0-21f83001ce56\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd52c56d-87f7-4daa-8bd0-21f83001ce56\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
d3125370ba418b71a02b9365db6929d0

SHA1
6b8430a8b5bd8965bbac50feac7255d631d41f5c

SHA256
566f71be697a18778afe097f9461ef1fa7f6fbf0cf634995561e971814eae319

SHA512
40807071b38bc0ec37d7d6f061d23e06017d9738bfa11b5383fce7d31a4c152bdd5090b3243c0bd28eb5676341e0b2dbc2d411cb6d53cc11276e94a2ae92b1eb

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
d3125370ba418b71a02b9365db6929d0

SHA1
6b8430a8b5bd8965bbac50feac7255d631d41f5c

SHA256
566f71be697a18778afe097f9461ef1fa7f6fbf0cf634995561e971814eae319

SHA512
40807071b38bc0ec37d7d6f061d23e06017d9738bfa11b5383fce7d31a4c152bdd5090b3243c0bd28eb5676341e0b2dbc2d411cb6d53cc11276e94a2ae92b1eb

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
d3125370ba418b71a02b9365db6929d0

SHA1
6b8430a8b5bd8965bbac50feac7255d631d41f5c

SHA256
566f71be697a18778afe097f9461ef1fa7f6fbf0cf634995561e971814eae319

SHA512
40807071b38bc0ec37d7d6f061d23e06017d9738bfa11b5383fce7d31a4c152bdd5090b3243c0bd28eb5676341e0b2dbc2d411cb6d53cc11276e94a2ae92b1eb

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
d3125370ba418b71a02b9365db6929d0

SHA1
6b8430a8b5bd8965bbac50feac7255d631d41f5c

SHA256
566f71be697a18778afe097f9461ef1fa7f6fbf0cf634995561e971814eae319

SHA512
40807071b38bc0ec37d7d6f061d23e06017d9738bfa11b5383fce7d31a4c152bdd5090b3243c0bd28eb5676341e0b2dbc2d411cb6d53cc11276e94a2ae92b1eb

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
d3125370ba418b71a02b9365db6929d0

SHA1
6b8430a8b5bd8965bbac50feac7255d631d41f5c

SHA256
566f71be697a18778afe097f9461ef1fa7f6fbf0cf634995561e971814eae319

SHA512
40807071b38bc0ec37d7d6f061d23e06017d9738bfa11b5383fce7d31a4c152bdd5090b3243c0bd28eb5676341e0b2dbc2d411cb6d53cc11276e94a2ae92b1eb

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
d3125370ba418b71a02b9365db6929d0

SHA1
6b8430a8b5bd8965bbac50feac7255d631d41f5c

SHA256
566f71be697a18778afe097f9461ef1fa7f6fbf0cf634995561e971814eae319

SHA512
40807071b38bc0ec37d7d6f061d23e06017d9738bfa11b5383fce7d31a4c152bdd5090b3243c0bd28eb5676341e0b2dbc2d411cb6d53cc11276e94a2ae92b1eb

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
d3125370ba418b71a02b9365db6929d0

SHA1
6b8430a8b5bd8965bbac50feac7255d631d41f5c

SHA256
566f71be697a18778afe097f9461ef1fa7f6fbf0cf634995561e971814eae319

SHA512
40807071b38bc0ec37d7d6f061d23e06017d9738bfa11b5383fce7d31a4c152bdd5090b3243c0bd28eb5676341e0b2dbc2d411cb6d53cc11276e94a2ae92b1eb

Download Submit
memory/736-148-0x0000000000000000-mapping.dmp

Download
memory/1816-143-0x0000000000000000-mapping.dmp

Download
memory/1956-174-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/1956-149-0x0000000000000000-mapping.dmp

Download
memory/2204-117-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2204-116-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2204-118-0x0000000002BC0000-0x0000000002C44000-memory.dmp

Filesize
528KB

Download
memory/2204-119-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/2204-114-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2680-120-0x0000000000000000-mapping.dmp

Download
memory/2740-128-0x0000000000000000-mapping.dmp

Download
memory/3792-132-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/3792-204-0x0000000003143000-0x0000000003144000-memory.dmp

Filesize
4KB

Download
memory/3792-142-0x00000000084F0000-0x00000000084F1000-memory.dmp

Filesize
4KB

Download
memory/3792-125-0x0000000000000000-mapping.dmp

Download
memory/3792-130-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/3792-139-0x0000000008360000-0x0000000008361000-memory.dmp

Filesize
4KB

Download
memory/3792-160-0x0000000009470000-0x00000000094A3000-memory.dmp

Filesize
204KB

Download
memory/3792-169-0x0000000009240000-0x0000000009241000-memory.dmp

Filesize
4KB

Download
memory/3792-138-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/3792-172-0x000000007EEB0000-0x000000007EEB1000-memory.dmp

Filesize
4KB

Download
memory/3792-131-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/3792-176-0x00000000095B0000-0x00000000095B1000-memory.dmp

Filesize
4KB

Download
memory/3792-137-0x0000000003142000-0x0000000003143000-memory.dmp

Filesize
4KB

Download
memory/3792-136-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/3792-133-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/3792-135-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/3792-182-0x0000000009770000-0x0000000009771000-memory.dmp

Filesize
4KB

Download
memory/3792-134-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/3828-140-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3828-141-0x0000000000413FA4-mapping.dmp

Download
memory/3828-144-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3832-123-0x0000000000000000-mapping.dmp

Download
memory/4016-126-0x0000000000000000-mapping.dmp

Download
memory/4124-177-0x0000000000000000-mapping.dmp

Download
memory/4172-180-0x0000000000000000-mapping.dmp

Download
memory/4300-210-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/4300-211-0x0000000007462000-0x0000000007463000-memory.dmp

Filesize
4KB

Download
memory/4300-205-0x0000000000000000-mapping.dmp

Download
memory/4300-219-0x000000007ECD0000-0x000000007ECD1000-memory.dmp

Filesize
4KB

Download
memory/4300-220-0x0000000007463000-0x0000000007464000-memory.dmp

Filesize
4KB

Download
memory/4324-206-0x0000000000000000-mapping.dmp

Download
memory/4412-208-0x0000000000000000-mapping.dmp

Download
memory/4536-216-0x0000000000413FA4-mapping.dmp

Download
memory/4536-218-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download