remcos | 5644ffdefed81871ac28af49ae9bf45eee20fe6742da2b07f2c71badac020c1c

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
06-05-2021 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura Serfinanza023854786775241209783648129.exe
Size

3.3MB
MD5

3b36fe43f9384fcbdfe4e1072890dd97
SHA1

6acaffd1dd94af1f93a625158a6cf96797363d20
SHA256

5644ffdefed81871ac28af49ae9bf45eee20fe6742da2b07f2c71badac020c1c
SHA512

7f8e82c4e60961a690dd30b932462ff1743c581ea1b7259aac7b7ca59b4633e5809497d60d50df8d6d06d326551c15e922478d137c3de8596a76639732c58a9b

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\18309484-3d84-423a-b01d-3cf7fffb018e\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\18309484-3d84-423a-b01d-3cf7fffb018e\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\18309484-3d84-423a-b01d-3cf7fffb018e\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8e0dae44-2561-4d2f-b1e8-edf6ec37cddc\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8e0dae44-2561-4d2f-b1e8-edf6ec37cddc\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8e0dae44-2561-4d2f-b1e8-edf6ec37cddc\AdvancedRun.exe	Nirsoft

Executes dropped EXE 6 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exeAdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exe

pid process

3208 AdvancedRun.exe
3896 AdvancedRun.exe
2088 PxxoServicesTrialNet1.exe
3676 AdvancedRun.exe
1784 AdvancedRun.exe
3844 PxxoServicesTrialNet1.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Factura Serfinanza023854786775241209783648129.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Factura Serfinanza023854786775241209783648129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	Factura Serfinanza023854786775241209783648129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Factura Serfinanza023854786775241209783648129.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Factura Serfinanza023854786775241209783648129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe = "0"	PxxoServicesTrialNet1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Factura Serfinanza023854786775241209783648129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza023854786775241209783648129.exe = "0"	Factura Serfinanza023854786775241209783648129.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	Factura Serfinanza023854786775241209783648129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Factura Serfinanza023854786775241209783648129.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	Factura Serfinanza023854786775241209783648129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Factura Serfinanza023854786775241209783648129.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Factura Serfinanza023854786775241209783648129.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Factura Serfinanza023854786775241209783648129.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	Factura Serfinanza023854786775241209783648129.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

Factura Serfinanza023854786775241209783648129.exePxxoServicesTrialNet1.exe

pid	process
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Factura Serfinanza023854786775241209783648129.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 624 set thread context of 3908	624	Factura Serfinanza023854786775241209783648129.exe	Factura Serfinanza023854786775241209783648129.exe
PID 2088 set thread context of 3844	2088	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3524 624 WerFault.exe Factura Serfinanza023854786775241209783648129.exe
2240 2088 WerFault.exe PxxoServicesTrialNet1.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2104 timeout.exe
3676 timeout.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
3524	624	WerFault.exe	Factura Serfinanza023854786775241209783648129.exe
2240	2088	WerFault.exe	PxxoServicesTrialNet1.exe

pid	process
2104	timeout.exe
3676	timeout.exe

Modifies registry class 1 IoCs

Processes:

Factura Serfinanza023854786775241209783648129.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Factura Serfinanza023854786775241209783648129.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeFactura Serfinanza023854786775241209783648129.exeWerFault.exeAdvancedRun.exeAdvancedRun.exepowershell.exePxxoServicesTrialNet1.exeWerFault.exe

pid	process
3208	AdvancedRun.exe
3208	AdvancedRun.exe
3208	AdvancedRun.exe
3208	AdvancedRun.exe
3896	AdvancedRun.exe
3896	AdvancedRun.exe
3896	AdvancedRun.exe
3896	AdvancedRun.exe
1968	powershell.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
624	Factura Serfinanza023854786775241209783648129.exe
1968	powershell.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
1968	powershell.exe
3676	AdvancedRun.exe
3676	AdvancedRun.exe
3676	AdvancedRun.exe
3676	AdvancedRun.exe
1784	AdvancedRun.exe
1784	AdvancedRun.exe
1784	AdvancedRun.exe
1784	AdvancedRun.exe
840	powershell.exe
840	powershell.exe
840	powershell.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2088	PxxoServicesTrialNet1.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

3844 PxxoServicesTrialNet1.exe

pid	process
3844	PxxoServicesTrialNet1.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeFactura Serfinanza023854786775241209783648129.exeWerFault.exeAdvancedRun.exeAdvancedRun.exepowershell.exePxxoServicesTrialNet1.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3208	AdvancedRun.exe
Token: SeImpersonatePrivilege	3208	AdvancedRun.exe
Token: SeDebugPrivilege	3896	AdvancedRun.exe
Token: SeImpersonatePrivilege	3896	AdvancedRun.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	624	Factura Serfinanza023854786775241209783648129.exe
Token: SeRestorePrivilege	3524	WerFault.exe
Token: SeBackupPrivilege	3524	WerFault.exe
Token: SeBackupPrivilege	3524	WerFault.exe
Token: SeDebugPrivilege	3524	WerFault.exe
Token: SeDebugPrivilege	3676	AdvancedRun.exe
Token: SeImpersonatePrivilege	3676	AdvancedRun.exe
Token: SeDebugPrivilege	1784	AdvancedRun.exe
Token: SeImpersonatePrivilege	1784	AdvancedRun.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2088	PxxoServicesTrialNet1.exe
Token: SeDebugPrivilege	2240	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

3844 PxxoServicesTrialNet1.exe

pid	process
3844	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

Factura Serfinanza023854786775241209783648129.exeAdvancedRun.execmd.exeFactura Serfinanza023854786775241209783648129.exeWScript.execmd.exePxxoServicesTrialNet1.exeAdvancedRun.execmd.exe

description	pid	process	target process
PID 624 wrote to memory of 3208	624	Factura Serfinanza023854786775241209783648129.exe	AdvancedRun.exe
PID 624 wrote to memory of 3208	624	Factura Serfinanza023854786775241209783648129.exe	AdvancedRun.exe
PID 624 wrote to memory of 3208	624	Factura Serfinanza023854786775241209783648129.exe	AdvancedRun.exe
PID 3208 wrote to memory of 3896	3208	AdvancedRun.exe	AdvancedRun.exe
PID 3208 wrote to memory of 3896	3208	AdvancedRun.exe	AdvancedRun.exe
PID 3208 wrote to memory of 3896	3208	AdvancedRun.exe	AdvancedRun.exe
PID 624 wrote to memory of 1968	624	Factura Serfinanza023854786775241209783648129.exe	powershell.exe
PID 624 wrote to memory of 1968	624	Factura Serfinanza023854786775241209783648129.exe	powershell.exe
PID 624 wrote to memory of 1968	624	Factura Serfinanza023854786775241209783648129.exe	powershell.exe
PID 624 wrote to memory of 1304	624	Factura Serfinanza023854786775241209783648129.exe	cmd.exe
PID 624 wrote to memory of 1304	624	Factura Serfinanza023854786775241209783648129.exe	cmd.exe
PID 624 wrote to memory of 1304	624	Factura Serfinanza023854786775241209783648129.exe	cmd.exe
PID 1304 wrote to memory of 2104	1304	cmd.exe	timeout.exe
PID 1304 wrote to memory of 2104	1304	cmd.exe	timeout.exe
PID 1304 wrote to memory of 2104	1304	cmd.exe	timeout.exe
PID 624 wrote to memory of 3908	624	Factura Serfinanza023854786775241209783648129.exe	Factura Serfinanza023854786775241209783648129.exe
PID 624 wrote to memory of 3908	624	Factura Serfinanza023854786775241209783648129.exe	Factura Serfinanza023854786775241209783648129.exe
PID 624 wrote to memory of 3908	624	Factura Serfinanza023854786775241209783648129.exe	Factura Serfinanza023854786775241209783648129.exe
PID 624 wrote to memory of 3908	624	Factura Serfinanza023854786775241209783648129.exe	Factura Serfinanza023854786775241209783648129.exe
PID 624 wrote to memory of 3908	624	Factura Serfinanza023854786775241209783648129.exe	Factura Serfinanza023854786775241209783648129.exe
PID 624 wrote to memory of 3908	624	Factura Serfinanza023854786775241209783648129.exe	Factura Serfinanza023854786775241209783648129.exe
PID 624 wrote to memory of 3908	624	Factura Serfinanza023854786775241209783648129.exe	Factura Serfinanza023854786775241209783648129.exe
PID 624 wrote to memory of 3908	624	Factura Serfinanza023854786775241209783648129.exe	Factura Serfinanza023854786775241209783648129.exe
PID 624 wrote to memory of 3908	624	Factura Serfinanza023854786775241209783648129.exe	Factura Serfinanza023854786775241209783648129.exe
PID 624 wrote to memory of 3908	624	Factura Serfinanza023854786775241209783648129.exe	Factura Serfinanza023854786775241209783648129.exe
PID 3908 wrote to memory of 408	3908	Factura Serfinanza023854786775241209783648129.exe	WScript.exe
PID 3908 wrote to memory of 408	3908	Factura Serfinanza023854786775241209783648129.exe	WScript.exe
PID 3908 wrote to memory of 408	3908	Factura Serfinanza023854786775241209783648129.exe	WScript.exe
PID 408 wrote to memory of 1900	408	WScript.exe	cmd.exe
PID 408 wrote to memory of 1900	408	WScript.exe	cmd.exe
PID 408 wrote to memory of 1900	408	WScript.exe	cmd.exe
PID 1900 wrote to memory of 2088	1900	cmd.exe	PxxoServicesTrialNet1.exe
PID 1900 wrote to memory of 2088	1900	cmd.exe	PxxoServicesTrialNet1.exe
PID 1900 wrote to memory of 2088	1900	cmd.exe	PxxoServicesTrialNet1.exe
PID 2088 wrote to memory of 3676	2088	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2088 wrote to memory of 3676	2088	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2088 wrote to memory of 3676	2088	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 3676 wrote to memory of 1784	3676	AdvancedRun.exe	AdvancedRun.exe
PID 3676 wrote to memory of 1784	3676	AdvancedRun.exe	AdvancedRun.exe
PID 3676 wrote to memory of 1784	3676	AdvancedRun.exe	AdvancedRun.exe
PID 2088 wrote to memory of 840	2088	PxxoServicesTrialNet1.exe	powershell.exe
PID 2088 wrote to memory of 840	2088	PxxoServicesTrialNet1.exe	powershell.exe
PID 2088 wrote to memory of 840	2088	PxxoServicesTrialNet1.exe	powershell.exe
PID 2088 wrote to memory of 1084	2088	PxxoServicesTrialNet1.exe	cmd.exe
PID 2088 wrote to memory of 1084	2088	PxxoServicesTrialNet1.exe	cmd.exe
PID 2088 wrote to memory of 1084	2088	PxxoServicesTrialNet1.exe	cmd.exe
PID 1084 wrote to memory of 3676	1084	cmd.exe	timeout.exe
PID 1084 wrote to memory of 3676	1084	cmd.exe	timeout.exe
PID 1084 wrote to memory of 3676	1084	cmd.exe	timeout.exe
PID 2088 wrote to memory of 3844	2088	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2088 wrote to memory of 3844	2088	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2088 wrote to memory of 3844	2088	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2088 wrote to memory of 3844	2088	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2088 wrote to memory of 3844	2088	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2088 wrote to memory of 3844	2088	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2088 wrote to memory of 3844	2088	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2088 wrote to memory of 3844	2088	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2088 wrote to memory of 3844	2088	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2088 wrote to memory of 3844	2088	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza023854786775241209783648129.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza023854786775241209783648129.exe"
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\18309484-3d84-423a-b01d-3cf7fffb018e\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\18309484-3d84-423a-b01d-3cf7fffb018e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\18309484-3d84-423a-b01d-3cf7fffb018e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208

C:\Users\Admin\AppData\Local\Temp\18309484-3d84-423a-b01d-3cf7fffb018e\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\18309484-3d84-423a-b01d-3cf7fffb018e\AdvancedRun.exe" /SpecialRun 4101d8 3208
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza023854786775241209783648129.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2104

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza023854786775241209783648129.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza023854786775241209783648129.exe"
2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
5⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\8e0dae44-2561-4d2f-b1e8-edf6ec37cddc\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8e0dae44-2561-4d2f-b1e8-edf6ec37cddc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8e0dae44-2561-4d2f-b1e8-edf6ec37cddc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Local\Temp\8e0dae44-2561-4d2f-b1e8-edf6ec37cddc\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8e0dae44-2561-4d2f-b1e8-edf6ec37cddc\AdvancedRun.exe" /SpecialRun 4101d8 3676
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe" -Force
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
6⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:3676

C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
"C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1700
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1620
2⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
58a43a52afa50086e9b8bbcf231c2f85

SHA1
ba99655cb90f3f5d8877f7ad4d848ecd723e78d0

SHA256
e54a9997782060d42efa7e11c9293cd8834b92f82c2641f65e0a3f08b95450d5

SHA512
45804436ad30cbb9fac04306542b5646d8fe1c530f68bc8d9ce80a3703fa48085576ea553841fa3cecc97c18cb5cd86dde53ca74fdc555885b4aeacc54c633f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\18309484-3d84-423a-b01d-3cf7fffb018e\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\18309484-3d84-423a-b01d-3cf7fffb018e\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\18309484-3d84-423a-b01d-3cf7fffb018e\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e0dae44-2561-4d2f-b1e8-edf6ec37cddc\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e0dae44-2561-4d2f-b1e8-edf6ec37cddc\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e0dae44-2561-4d2f-b1e8-edf6ec37cddc\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
3b36fe43f9384fcbdfe4e1072890dd97

SHA1
6acaffd1dd94af1f93a625158a6cf96797363d20

SHA256
5644ffdefed81871ac28af49ae9bf45eee20fe6742da2b07f2c71badac020c1c

SHA512
7f8e82c4e60961a690dd30b932462ff1743c581ea1b7259aac7b7ca59b4633e5809497d60d50df8d6d06d326551c15e922478d137c3de8596a76639732c58a9b

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
3b36fe43f9384fcbdfe4e1072890dd97

SHA1
6acaffd1dd94af1f93a625158a6cf96797363d20

SHA256
5644ffdefed81871ac28af49ae9bf45eee20fe6742da2b07f2c71badac020c1c

SHA512
7f8e82c4e60961a690dd30b932462ff1743c581ea1b7259aac7b7ca59b4633e5809497d60d50df8d6d06d326551c15e922478d137c3de8596a76639732c58a9b

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
MD5
3b36fe43f9384fcbdfe4e1072890dd97

SHA1
6acaffd1dd94af1f93a625158a6cf96797363d20

SHA256
5644ffdefed81871ac28af49ae9bf45eee20fe6742da2b07f2c71badac020c1c

SHA512
7f8e82c4e60961a690dd30b932462ff1743c581ea1b7259aac7b7ca59b4633e5809497d60d50df8d6d06d326551c15e922478d137c3de8596a76639732c58a9b

Download Submit
memory/408-140-0x0000000000000000-mapping.dmp

Download
memory/624-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/624-119-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/624-116-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/624-117-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/624-118-0x00000000055A0000-0x0000000005626000-memory.dmp

Filesize
536KB

Download
memory/840-205-0x0000000000000000-mapping.dmp

Download
memory/840-213-0x000000007E9C0000-0x000000007E9C1000-memory.dmp

Filesize
4KB

Download
memory/840-214-0x0000000000973000-0x0000000000974000-memory.dmp

Filesize
4KB

Download
memory/840-209-0x0000000000972000-0x0000000000973000-memory.dmp

Filesize
4KB

Download
memory/840-208-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1084-206-0x0000000000000000-mapping.dmp

Download
memory/1304-126-0x0000000000000000-mapping.dmp

Download
memory/1784-160-0x0000000000000000-mapping.dmp

Download
memory/1900-146-0x0000000000000000-mapping.dmp

Download
memory/1968-181-0x00000000095B0000-0x00000000095B1000-memory.dmp

Filesize
4KB

Download
memory/1968-135-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/1968-125-0x0000000000000000-mapping.dmp

Download
memory/1968-129-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1968-143-0x00000000086F0000-0x00000000086F1000-memory.dmp

Filesize
4KB

Download
memory/1968-142-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/1968-131-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/1968-139-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/1968-138-0x0000000007012000-0x0000000007013000-memory.dmp

Filesize
4KB

Download
memory/1968-137-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/1968-136-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/1968-134-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/1968-168-0x0000000009250000-0x0000000009283000-memory.dmp

Filesize
204KB

Download
memory/1968-175-0x0000000009230000-0x0000000009231000-memory.dmp

Filesize
4KB

Download
memory/1968-180-0x000000007EC50000-0x000000007EC51000-memory.dmp

Filesize
4KB

Download
memory/1968-145-0x00000000084E0000-0x00000000084E1000-memory.dmp

Filesize
4KB

Download
memory/1968-182-0x0000000009770000-0x0000000009771000-memory.dmp

Filesize
4KB

Download
memory/1968-204-0x0000000007013000-0x0000000007014000-memory.dmp

Filesize
4KB

Download
memory/2088-162-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download
memory/2088-147-0x0000000000000000-mapping.dmp

Download
memory/2104-130-0x0000000000000000-mapping.dmp

Download
memory/3208-120-0x0000000000000000-mapping.dmp

Download
memory/3676-207-0x0000000000000000-mapping.dmp

Download
memory/3676-157-0x0000000000000000-mapping.dmp

Download
memory/3844-210-0x0000000000413FA4-mapping.dmp

Download
memory/3844-212-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3896-123-0x0000000000000000-mapping.dmp

Download
memory/3908-133-0x0000000000413FA4-mapping.dmp

Download
memory/3908-132-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3908-144-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download