remcos | 17828f7e3aa63c317b04baf8c3dbd4e069c12f66f45ae438094ae17cb7f5c7b9

Analysis

max time kernel
149s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
06-05-2021 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura Serfinanza085399218111227761873550570.exe
Size

3.2MB
MD5

8ba405455cf8c6776dc01cce9faef2ee
SHA1

f8b3e8ae0c018abd50dbc7fa4d9e50760fdf32f1
SHA256

17828f7e3aa63c317b04baf8c3dbd4e069c12f66f45ae438094ae17cb7f5c7b9
SHA512

7e7da9f56e5fdd7da68f052e85e5a8a5091f2d4de03b75cf582e979505c2d755eb889459f8fe9ce95a57b5dfe5e47e2a5703dd6d23d94cc146de381c0aae0fd2

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\f8ae3ec9-ad51-477c-b614-1b4a7329c2a4\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f8ae3ec9-ad51-477c-b614-1b4a7329c2a4\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f8ae3ec9-ad51-477c-b614-1b4a7329c2a4\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b99ffb86-f5ec-4779-8436-474e9ce1cb2d\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b99ffb86-f5ec-4779-8436-474e9ce1cb2d\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b99ffb86-f5ec-4779-8436-474e9ce1cb2d\AdvancedRun.exe	Nirsoft

Executes dropped EXE 6 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exeAdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exe

pid process

432 AdvancedRun.exe
4084 AdvancedRun.exe
2148 PxxoServicesTrialNet1.exe
3384 AdvancedRun.exe
2760 AdvancedRun.exe
204 PxxoServicesTrialNet1.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Factura Serfinanza085399218111227761873550570.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Factura Serfinanza085399218111227761873550570.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Factura Serfinanza085399218111227761873550570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe = "0"	Factura Serfinanza085399218111227761873550570.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	Factura Serfinanza085399218111227761873550570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe = "0"	PxxoServicesTrialNet1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Factura Serfinanza085399218111227761873550570.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	Factura Serfinanza085399218111227761873550570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Factura Serfinanza085399218111227761873550570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	Factura Serfinanza085399218111227761873550570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Factura Serfinanza085399218111227761873550570.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Factura Serfinanza085399218111227761873550570.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Factura Serfinanza085399218111227761873550570.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Factura Serfinanza085399218111227761873550570.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	Factura Serfinanza085399218111227761873550570.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

Factura Serfinanza085399218111227761873550570.exePxxoServicesTrialNet1.exe

pid	process
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Factura Serfinanza085399218111227761873550570.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 604 set thread context of 1856	604	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 2148 set thread context of 204	2148	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2220 604 WerFault.exe Factura Serfinanza085399218111227761873550570.exe
3800 2148 WerFault.exe PxxoServicesTrialNet1.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2160 timeout.exe
1444 timeout.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
2220	604	WerFault.exe	Factura Serfinanza085399218111227761873550570.exe
3800	2148	WerFault.exe	PxxoServicesTrialNet1.exe

pid	process
2160	timeout.exe
1444	timeout.exe

Modifies registry class 1 IoCs

Processes:

Factura Serfinanza085399218111227761873550570.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Factura Serfinanza085399218111227761873550570.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeFactura Serfinanza085399218111227761873550570.exeAdvancedRun.exeAdvancedRun.exeWerFault.exepowershell.exePxxoServicesTrialNet1.exeWerFault.exe

pid	process
432	AdvancedRun.exe
432	AdvancedRun.exe
432	AdvancedRun.exe
432	AdvancedRun.exe
4084	AdvancedRun.exe
4084	AdvancedRun.exe
4084	AdvancedRun.exe
4084	AdvancedRun.exe
2868	powershell.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
604	Factura Serfinanza085399218111227761873550570.exe
2868	powershell.exe
2868	powershell.exe
3384	AdvancedRun.exe
3384	AdvancedRun.exe
3384	AdvancedRun.exe
3384	AdvancedRun.exe
2760	AdvancedRun.exe
2760	AdvancedRun.exe
2760	AdvancedRun.exe
2760	AdvancedRun.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
2220	WerFault.exe
3356	powershell.exe
3356	powershell.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
2148	PxxoServicesTrialNet1.exe
3356	powershell.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

204 PxxoServicesTrialNet1.exe

pid	process
204	PxxoServicesTrialNet1.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeFactura Serfinanza085399218111227761873550570.exeWerFault.exeAdvancedRun.exeAdvancedRun.exepowershell.exePxxoServicesTrialNet1.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	432	AdvancedRun.exe
Token: SeImpersonatePrivilege	432	AdvancedRun.exe
Token: SeDebugPrivilege	4084	AdvancedRun.exe
Token: SeImpersonatePrivilege	4084	AdvancedRun.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	604	Factura Serfinanza085399218111227761873550570.exe
Token: SeRestorePrivilege	2220	WerFault.exe
Token: SeBackupPrivilege	2220	WerFault.exe
Token: SeBackupPrivilege	2220	WerFault.exe
Token: SeDebugPrivilege	3384	AdvancedRun.exe
Token: SeImpersonatePrivilege	3384	AdvancedRun.exe
Token: SeDebugPrivilege	2760	AdvancedRun.exe
Token: SeImpersonatePrivilege	2760	AdvancedRun.exe
Token: SeDebugPrivilege	2220	WerFault.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	2148	PxxoServicesTrialNet1.exe
Token: SeDebugPrivilege	3800	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

204 PxxoServicesTrialNet1.exe

pid	process
204	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

Factura Serfinanza085399218111227761873550570.exeAdvancedRun.execmd.exeFactura Serfinanza085399218111227761873550570.exeWScript.execmd.exePxxoServicesTrialNet1.exeAdvancedRun.execmd.exe

description	pid	process	target process
PID 604 wrote to memory of 432	604	Factura Serfinanza085399218111227761873550570.exe	AdvancedRun.exe
PID 604 wrote to memory of 432	604	Factura Serfinanza085399218111227761873550570.exe	AdvancedRun.exe
PID 604 wrote to memory of 432	604	Factura Serfinanza085399218111227761873550570.exe	AdvancedRun.exe
PID 432 wrote to memory of 4084	432	AdvancedRun.exe	AdvancedRun.exe
PID 432 wrote to memory of 4084	432	AdvancedRun.exe	AdvancedRun.exe
PID 432 wrote to memory of 4084	432	AdvancedRun.exe	AdvancedRun.exe
PID 604 wrote to memory of 2868	604	Factura Serfinanza085399218111227761873550570.exe	powershell.exe
PID 604 wrote to memory of 2868	604	Factura Serfinanza085399218111227761873550570.exe	powershell.exe
PID 604 wrote to memory of 2868	604	Factura Serfinanza085399218111227761873550570.exe	powershell.exe
PID 604 wrote to memory of 3384	604	Factura Serfinanza085399218111227761873550570.exe	cmd.exe
PID 604 wrote to memory of 3384	604	Factura Serfinanza085399218111227761873550570.exe	cmd.exe
PID 604 wrote to memory of 3384	604	Factura Serfinanza085399218111227761873550570.exe	cmd.exe
PID 3384 wrote to memory of 2160	3384	cmd.exe	timeout.exe
PID 3384 wrote to memory of 2160	3384	cmd.exe	timeout.exe
PID 3384 wrote to memory of 2160	3384	cmd.exe	timeout.exe
PID 604 wrote to memory of 1856	604	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 604 wrote to memory of 1856	604	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 604 wrote to memory of 1856	604	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 604 wrote to memory of 1856	604	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 604 wrote to memory of 1856	604	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 604 wrote to memory of 1856	604	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 604 wrote to memory of 1856	604	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 604 wrote to memory of 1856	604	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 604 wrote to memory of 1856	604	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 604 wrote to memory of 1856	604	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 1856 wrote to memory of 3580	1856	Factura Serfinanza085399218111227761873550570.exe	WScript.exe
PID 1856 wrote to memory of 3580	1856	Factura Serfinanza085399218111227761873550570.exe	WScript.exe
PID 1856 wrote to memory of 3580	1856	Factura Serfinanza085399218111227761873550570.exe	WScript.exe
PID 3580 wrote to memory of 1584	3580	WScript.exe	cmd.exe
PID 3580 wrote to memory of 1584	3580	WScript.exe	cmd.exe
PID 3580 wrote to memory of 1584	3580	WScript.exe	cmd.exe
PID 1584 wrote to memory of 2148	1584	cmd.exe	PxxoServicesTrialNet1.exe
PID 1584 wrote to memory of 2148	1584	cmd.exe	PxxoServicesTrialNet1.exe
PID 1584 wrote to memory of 2148	1584	cmd.exe	PxxoServicesTrialNet1.exe
PID 2148 wrote to memory of 3384	2148	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2148 wrote to memory of 3384	2148	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2148 wrote to memory of 3384	2148	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 3384 wrote to memory of 2760	3384	AdvancedRun.exe	AdvancedRun.exe
PID 3384 wrote to memory of 2760	3384	AdvancedRun.exe	AdvancedRun.exe
PID 3384 wrote to memory of 2760	3384	AdvancedRun.exe	AdvancedRun.exe
PID 2148 wrote to memory of 3356	2148	PxxoServicesTrialNet1.exe	powershell.exe
PID 2148 wrote to memory of 3356	2148	PxxoServicesTrialNet1.exe	powershell.exe
PID 2148 wrote to memory of 3356	2148	PxxoServicesTrialNet1.exe	powershell.exe
PID 2148 wrote to memory of 200	2148	PxxoServicesTrialNet1.exe	cmd.exe
PID 2148 wrote to memory of 200	2148	PxxoServicesTrialNet1.exe	cmd.exe
PID 2148 wrote to memory of 200	2148	PxxoServicesTrialNet1.exe	cmd.exe
PID 200 wrote to memory of 1444	200	cmd.exe	timeout.exe
PID 200 wrote to memory of 1444	200	cmd.exe	timeout.exe
PID 200 wrote to memory of 1444	200	cmd.exe	timeout.exe
PID 2148 wrote to memory of 204	2148	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2148 wrote to memory of 204	2148	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2148 wrote to memory of 204	2148	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2148 wrote to memory of 204	2148	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2148 wrote to memory of 204	2148	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2148 wrote to memory of 204	2148	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2148 wrote to memory of 204	2148	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2148 wrote to memory of 204	2148	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2148 wrote to memory of 204	2148	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2148 wrote to memory of 204	2148	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe"
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Local\Temp\f8ae3ec9-ad51-477c-b614-1b4a7329c2a4\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\f8ae3ec9-ad51-477c-b614-1b4a7329c2a4\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f8ae3ec9-ad51-477c-b614-1b4a7329c2a4\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\f8ae3ec9-ad51-477c-b614-1b4a7329c2a4\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\f8ae3ec9-ad51-477c-b614-1b4a7329c2a4\AdvancedRun.exe" /SpecialRun 4101d8 432
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2160

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
5⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\b99ffb86-f5ec-4779-8436-474e9ce1cb2d\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\b99ffb86-f5ec-4779-8436-474e9ce1cb2d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b99ffb86-f5ec-4779-8436-474e9ce1cb2d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384

C:\Users\Admin\AppData\Local\Temp\b99ffb86-f5ec-4779-8436-474e9ce1cb2d\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\b99ffb86-f5ec-4779-8436-474e9ce1cb2d\AdvancedRun.exe" /SpecialRun 4101d8 3384
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe" -Force
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:1444

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 1584
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 1592
2⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
acf6274ae7a3c36d8c86ff9c491effa4

SHA1
3457a25ee8927f18192f0b9693f55568d3cad46f

SHA256
448f92cb657d1bad3afd8cb95a1f1f867f97f65dd2170e9b6aa37e22f49fbcc4

SHA512
4812c2e6dde0a25e8d7cb5de84ad386a3510387738fc6c679a8e498e4cbb513acce991e46121858c6b69dc630fb46e669b06aa20f5d49537fe89b5d02e85969d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b99ffb86-f5ec-4779-8436-474e9ce1cb2d\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b99ffb86-f5ec-4779-8436-474e9ce1cb2d\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b99ffb86-f5ec-4779-8436-474e9ce1cb2d\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8ae3ec9-ad51-477c-b614-1b4a7329c2a4\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8ae3ec9-ad51-477c-b614-1b4a7329c2a4\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8ae3ec9-ad51-477c-b614-1b4a7329c2a4\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
8ba405455cf8c6776dc01cce9faef2ee

SHA1
f8b3e8ae0c018abd50dbc7fa4d9e50760fdf32f1

SHA256
17828f7e3aa63c317b04baf8c3dbd4e069c12f66f45ae438094ae17cb7f5c7b9

SHA512
7e7da9f56e5fdd7da68f052e85e5a8a5091f2d4de03b75cf582e979505c2d755eb889459f8fe9ce95a57b5dfe5e47e2a5703dd6d23d94cc146de381c0aae0fd2

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
8ba405455cf8c6776dc01cce9faef2ee

SHA1
f8b3e8ae0c018abd50dbc7fa4d9e50760fdf32f1

SHA256
17828f7e3aa63c317b04baf8c3dbd4e069c12f66f45ae438094ae17cb7f5c7b9

SHA512
7e7da9f56e5fdd7da68f052e85e5a8a5091f2d4de03b75cf582e979505c2d755eb889459f8fe9ce95a57b5dfe5e47e2a5703dd6d23d94cc146de381c0aae0fd2

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
8ba405455cf8c6776dc01cce9faef2ee

SHA1
f8b3e8ae0c018abd50dbc7fa4d9e50760fdf32f1

SHA256
17828f7e3aa63c317b04baf8c3dbd4e069c12f66f45ae438094ae17cb7f5c7b9

SHA512
7e7da9f56e5fdd7da68f052e85e5a8a5091f2d4de03b75cf582e979505c2d755eb889459f8fe9ce95a57b5dfe5e47e2a5703dd6d23d94cc146de381c0aae0fd2

Download Submit
memory/200-183-0x0000000000000000-mapping.dmp

Download
memory/204-212-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/204-202-0x0000000000413FA4-mapping.dmp

Download
memory/432-120-0x0000000000000000-mapping.dmp

Download
memory/604-114-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/604-117-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/604-116-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/604-118-0x0000000004C20000-0x0000000004CA4000-memory.dmp

Filesize
528KB

Download
memory/604-119-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/1444-185-0x0000000000000000-mapping.dmp

Download
memory/1584-145-0x0000000000000000-mapping.dmp

Download
memory/1856-138-0x0000000000413FA4-mapping.dmp

Download
memory/1856-137-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1856-141-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2148-160-0x00000000019A0000-0x00000000019A1000-memory.dmp

Filesize
4KB

Download
memory/2148-146-0x0000000000000000-mapping.dmp

Download
memory/2160-133-0x0000000000000000-mapping.dmp

Download
memory/2760-158-0x0000000000000000-mapping.dmp

Download
memory/2868-131-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/2868-168-0x0000000009160000-0x0000000009193000-memory.dmp

Filesize
204KB

Download
memory/2868-148-0x0000000008380000-0x0000000008381000-memory.dmp

Filesize
4KB

Download
memory/2868-125-0x0000000000000000-mapping.dmp

Download
memory/2868-143-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/2868-129-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/2868-139-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/2868-136-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/2868-135-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/2868-130-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/2868-175-0x0000000009140000-0x0000000009141000-memory.dmp

Filesize
4KB

Download
memory/2868-180-0x00000000092A0000-0x00000000092A1000-memory.dmp

Filesize
4KB

Download
memory/2868-181-0x000000007EFF0000-0x000000007EFF1000-memory.dmp

Filesize
4KB

Download
memory/2868-144-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/2868-134-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/2868-132-0x0000000006E12000-0x0000000006E13000-memory.dmp

Filesize
4KB

Download
memory/2868-193-0x0000000009660000-0x0000000009661000-memory.dmp

Filesize
4KB

Download
memory/2868-196-0x0000000006E13000-0x0000000006E14000-memory.dmp

Filesize
4KB

Download
memory/3356-182-0x0000000000000000-mapping.dmp

Download
memory/3356-198-0x0000000006902000-0x0000000006903000-memory.dmp

Filesize
4KB

Download
memory/3356-197-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/3356-213-0x000000007EFC0000-0x000000007EFC1000-memory.dmp

Filesize
4KB

Download
memory/3356-214-0x0000000006903000-0x0000000006904000-memory.dmp

Filesize
4KB

Download
memory/3384-128-0x0000000000000000-mapping.dmp

Download
memory/3384-155-0x0000000000000000-mapping.dmp

Download
memory/3580-140-0x0000000000000000-mapping.dmp

Download
memory/4084-123-0x0000000000000000-mapping.dmp

Download