remcos | 17828f7e3aa63c317b04baf8c3dbd4e069c12f66f45ae438094ae17cb7f5c7b9

Analysis

max time kernel
149s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
06-05-2021 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura Serfinanza085399218111227761873550570.exe
Size

3.2MB
MD5

8ba405455cf8c6776dc01cce9faef2ee
SHA1

f8b3e8ae0c018abd50dbc7fa4d9e50760fdf32f1
SHA256

17828f7e3aa63c317b04baf8c3dbd4e069c12f66f45ae438094ae17cb7f5c7b9
SHA512

7e7da9f56e5fdd7da68f052e85e5a8a5091f2d4de03b75cf582e979505c2d755eb889459f8fe9ce95a57b5dfe5e47e2a5703dd6d23d94cc146de381c0aae0fd2

Score

10^/10

remcos evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

databasepropersonombrecomercialideasearchwords.services:3521

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\e7935d85-6cca-4e9f-8f79-4ef33defe9ab\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\e7935d85-6cca-4e9f-8f79-4ef33defe9ab\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\e7935d85-6cca-4e9f-8f79-4ef33defe9ab\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\1f5b7bdd-3ec3-4568-b325-09849c0eb01d\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\1f5b7bdd-3ec3-4568-b325-09849c0eb01d\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\1f5b7bdd-3ec3-4568-b325-09849c0eb01d\AdvancedRun.exe	Nirsoft

Executes dropped EXE 7 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exeAdvancedRun.exeAdvancedRun.exePxxoServicesTrialNet1.exePxxoServicesTrialNet1.exe

pid	process
3972	AdvancedRun.exe
1328	AdvancedRun.exe
2568	PxxoServicesTrialNet1.exe
2616	AdvancedRun.exe
1168	AdvancedRun.exe
2440	PxxoServicesTrialNet1.exe
816	PxxoServicesTrialNet1.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Factura Serfinanza085399218111227761873550570.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	Factura Serfinanza085399218111227761873550570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Factura Serfinanza085399218111227761873550570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	Factura Serfinanza085399218111227761873550570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe = "0"	PxxoServicesTrialNet1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Factura Serfinanza085399218111227761873550570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe = "0"	Factura Serfinanza085399218111227761873550570.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	Factura Serfinanza085399218111227761873550570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Factura Serfinanza085399218111227761873550570.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Factura Serfinanza085399218111227761873550570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Factura Serfinanza085399218111227761873550570.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Factura Serfinanza085399218111227761873550570.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Factura Serfinanza085399218111227761873550570.exePxxoServicesTrialNet1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Factura Serfinanza085399218111227761873550570.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	Factura Serfinanza085399218111227761873550570.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	PxxoServicesTrialNet1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MservicesOrg2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\PxxoServicesTrialNet1.exe\""	PxxoServicesTrialNet1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

Factura Serfinanza085399218111227761873550570.exePxxoServicesTrialNet1.exe

pid	process
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Factura Serfinanza085399218111227761873550570.exePxxoServicesTrialNet1.exe

description	pid	process	target process
PID 500 set thread context of 808	500	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 2568 set thread context of 816	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3884 500 WerFault.exe Factura Serfinanza085399218111227761873550570.exe
4056 2568 WerFault.exe PxxoServicesTrialNet1.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1556 timeout.exe
3896 timeout.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
3884	500	WerFault.exe	Factura Serfinanza085399218111227761873550570.exe
4056	2568	WerFault.exe	PxxoServicesTrialNet1.exe

pid	process
1556	timeout.exe
3896	timeout.exe

Modifies registry class 1 IoCs

Processes:

Factura Serfinanza085399218111227761873550570.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Factura Serfinanza085399218111227761873550570.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeFactura Serfinanza085399218111227761873550570.exeWerFault.exeAdvancedRun.exeAdvancedRun.exepowershell.exePxxoServicesTrialNet1.exeWerFault.exe

pid	process
3972	AdvancedRun.exe
3972	AdvancedRun.exe
3972	AdvancedRun.exe
3972	AdvancedRun.exe
1328	AdvancedRun.exe
1328	AdvancedRun.exe
1328	AdvancedRun.exe
1328	AdvancedRun.exe
2008	powershell.exe
500	Factura Serfinanza085399218111227761873550570.exe
2008	powershell.exe
500	Factura Serfinanza085399218111227761873550570.exe
500	Factura Serfinanza085399218111227761873550570.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
3884	WerFault.exe
2008	powershell.exe
2616	AdvancedRun.exe
2616	AdvancedRun.exe
2616	AdvancedRun.exe
2616	AdvancedRun.exe
1168	AdvancedRun.exe
1168	AdvancedRun.exe
1168	AdvancedRun.exe
1168	AdvancedRun.exe
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
2568	PxxoServicesTrialNet1.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

816 PxxoServicesTrialNet1.exe

pid	process
816	PxxoServicesTrialNet1.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exeFactura Serfinanza085399218111227761873550570.exeWerFault.exeAdvancedRun.exeAdvancedRun.exepowershell.exePxxoServicesTrialNet1.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3972	AdvancedRun.exe
Token: SeImpersonatePrivilege	3972	AdvancedRun.exe
Token: SeDebugPrivilege	1328	AdvancedRun.exe
Token: SeImpersonatePrivilege	1328	AdvancedRun.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	500	Factura Serfinanza085399218111227761873550570.exe
Token: SeRestorePrivilege	3884	WerFault.exe
Token: SeBackupPrivilege	3884	WerFault.exe
Token: SeBackupPrivilege	3884	WerFault.exe
Token: SeDebugPrivilege	3884	WerFault.exe
Token: SeDebugPrivilege	2616	AdvancedRun.exe
Token: SeImpersonatePrivilege	2616	AdvancedRun.exe
Token: SeDebugPrivilege	1168	AdvancedRun.exe
Token: SeImpersonatePrivilege	1168	AdvancedRun.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2568	PxxoServicesTrialNet1.exe
Token: SeDebugPrivilege	4056	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PxxoServicesTrialNet1.exe

pid process

816 PxxoServicesTrialNet1.exe

pid	process
816	PxxoServicesTrialNet1.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

Factura Serfinanza085399218111227761873550570.exeAdvancedRun.execmd.exeFactura Serfinanza085399218111227761873550570.exeWScript.execmd.exePxxoServicesTrialNet1.exeAdvancedRun.execmd.exe

description	pid	process	target process
PID 500 wrote to memory of 3972	500	Factura Serfinanza085399218111227761873550570.exe	AdvancedRun.exe
PID 500 wrote to memory of 3972	500	Factura Serfinanza085399218111227761873550570.exe	AdvancedRun.exe
PID 500 wrote to memory of 3972	500	Factura Serfinanza085399218111227761873550570.exe	AdvancedRun.exe
PID 3972 wrote to memory of 1328	3972	AdvancedRun.exe	AdvancedRun.exe
PID 3972 wrote to memory of 1328	3972	AdvancedRun.exe	AdvancedRun.exe
PID 3972 wrote to memory of 1328	3972	AdvancedRun.exe	AdvancedRun.exe
PID 500 wrote to memory of 2008	500	Factura Serfinanza085399218111227761873550570.exe	powershell.exe
PID 500 wrote to memory of 2008	500	Factura Serfinanza085399218111227761873550570.exe	powershell.exe
PID 500 wrote to memory of 2008	500	Factura Serfinanza085399218111227761873550570.exe	powershell.exe
PID 500 wrote to memory of 3952	500	Factura Serfinanza085399218111227761873550570.exe	cmd.exe
PID 500 wrote to memory of 3952	500	Factura Serfinanza085399218111227761873550570.exe	cmd.exe
PID 500 wrote to memory of 3952	500	Factura Serfinanza085399218111227761873550570.exe	cmd.exe
PID 3952 wrote to memory of 1556	3952	cmd.exe	timeout.exe
PID 3952 wrote to memory of 1556	3952	cmd.exe	timeout.exe
PID 3952 wrote to memory of 1556	3952	cmd.exe	timeout.exe
PID 500 wrote to memory of 808	500	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 500 wrote to memory of 808	500	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 500 wrote to memory of 808	500	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 500 wrote to memory of 808	500	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 500 wrote to memory of 808	500	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 500 wrote to memory of 808	500	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 500 wrote to memory of 808	500	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 500 wrote to memory of 808	500	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 500 wrote to memory of 808	500	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 500 wrote to memory of 808	500	Factura Serfinanza085399218111227761873550570.exe	Factura Serfinanza085399218111227761873550570.exe
PID 808 wrote to memory of 2616	808	Factura Serfinanza085399218111227761873550570.exe	WScript.exe
PID 808 wrote to memory of 2616	808	Factura Serfinanza085399218111227761873550570.exe	WScript.exe
PID 808 wrote to memory of 2616	808	Factura Serfinanza085399218111227761873550570.exe	WScript.exe
PID 2616 wrote to memory of 2720	2616	WScript.exe	cmd.exe
PID 2616 wrote to memory of 2720	2616	WScript.exe	cmd.exe
PID 2616 wrote to memory of 2720	2616	WScript.exe	cmd.exe
PID 2720 wrote to memory of 2568	2720	cmd.exe	PxxoServicesTrialNet1.exe
PID 2720 wrote to memory of 2568	2720	cmd.exe	PxxoServicesTrialNet1.exe
PID 2720 wrote to memory of 2568	2720	cmd.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 2616	2568	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2568 wrote to memory of 2616	2568	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2568 wrote to memory of 2616	2568	PxxoServicesTrialNet1.exe	AdvancedRun.exe
PID 2616 wrote to memory of 1168	2616	AdvancedRun.exe	AdvancedRun.exe
PID 2616 wrote to memory of 1168	2616	AdvancedRun.exe	AdvancedRun.exe
PID 2616 wrote to memory of 1168	2616	AdvancedRun.exe	AdvancedRun.exe
PID 2568 wrote to memory of 2108	2568	PxxoServicesTrialNet1.exe	powershell.exe
PID 2568 wrote to memory of 2108	2568	PxxoServicesTrialNet1.exe	powershell.exe
PID 2568 wrote to memory of 2108	2568	PxxoServicesTrialNet1.exe	powershell.exe
PID 2568 wrote to memory of 3664	2568	PxxoServicesTrialNet1.exe	cmd.exe
PID 2568 wrote to memory of 3664	2568	PxxoServicesTrialNet1.exe	cmd.exe
PID 2568 wrote to memory of 3664	2568	PxxoServicesTrialNet1.exe	cmd.exe
PID 3664 wrote to memory of 3896	3664	cmd.exe	timeout.exe
PID 3664 wrote to memory of 3896	3664	cmd.exe	timeout.exe
PID 3664 wrote to memory of 3896	3664	cmd.exe	timeout.exe
PID 2568 wrote to memory of 2440	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 2440	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 2440	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 816	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 816	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 816	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 816	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 816	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 816	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 816	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 816	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 816	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe
PID 2568 wrote to memory of 816	2568	PxxoServicesTrialNet1.exe	PxxoServicesTrialNet1.exe

C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe"
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:500
- C:\Users\Admin\AppData\Local\Temp\e7935d85-6cca-4e9f-8f79-4ef33defe9ab\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\e7935d85-6cca-4e9f-8f79-4ef33defe9ab\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e7935d85-6cca-4e9f-8f79-4ef33defe9ab\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Users\Admin\AppData\Local\Temp\e7935d85-6cca-4e9f-8f79-4ef33defe9ab\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\e7935d85-6cca-4e9f-8f79-4ef33defe9ab\AdvancedRun.exe" /SpecialRun 4101d8 3972
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1556
- C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe
  "C:\Users\Admin\AppData\Local\Temp\Factura Serfinanza085399218111227761873550570.exe"
  2⤵
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        5⤵
        Executes dropped EXE
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Users\Admin\AppData\Local\Temp\1f5b7bdd-3ec3-4568-b325-09849c0eb01d\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1f5b7bdd-3ec3-4568-b325-09849c0eb01d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\1f5b7bdd-3ec3-4568-b325-09849c0eb01d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\1f5b7bdd-3ec3-4568-b325-09849c0eb01d\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1f5b7bdd-3ec3-4568-b325-09849c0eb01d\AdvancedRun.exe" /SpecialRun 4101d8 2616
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe" -Force
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:3896
      - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
        6⤵
        Executes dropped EXE
        
        PID:2440
      - C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1628
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 500 -s 1600
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
853afa8d631ed869f7444b98b246b7e1

SHA1
5ef6f89a6189b83498622462043b62deffa31122

SHA256
742afd03c15b03584f21a41a3af218ecd835c62dde29de6fe84723dce47a2e91

SHA512
3b77d7dcbbf2fd9ff914f051168453fa9d713eb9e119c72e10dd76d0a8ad7359236e07abe70b3d80904ec035e2c223f57da1731bbd6854a6a0e1874872a1b160

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f5b7bdd-3ec3-4568-b325-09849c0eb01d\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f5b7bdd-3ec3-4568-b325-09849c0eb01d\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f5b7bdd-3ec3-4568-b325-09849c0eb01d\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7935d85-6cca-4e9f-8f79-4ef33defe9ab\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7935d85-6cca-4e9f-8f79-4ef33defe9ab\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7935d85-6cca-4e9f-8f79-4ef33defe9ab\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
a39af763b1c09ead3c98a6a615f377fe

SHA1
9bd3d39c89e47fe7072270ecc80b810103235c03

SHA256
a3930d7535eb768523ee52bbe69f13f857a0ae0f982d7bfc354d802f21010f8f

SHA512
3ed8e33ac95fd2536286b4afb2ed2a082bb5f98843478262b32263a14a5dbe0425de7b8d9662a5e482b207ebf8484ace8009ecd1881a6f6f8b0ccf3b0fdfe5da

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
8ba405455cf8c6776dc01cce9faef2ee

SHA1
f8b3e8ae0c018abd50dbc7fa4d9e50760fdf32f1

SHA256
17828f7e3aa63c317b04baf8c3dbd4e069c12f66f45ae438094ae17cb7f5c7b9

SHA512
7e7da9f56e5fdd7da68f052e85e5a8a5091f2d4de03b75cf582e979505c2d755eb889459f8fe9ce95a57b5dfe5e47e2a5703dd6d23d94cc146de381c0aae0fd2

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
8ba405455cf8c6776dc01cce9faef2ee

SHA1
f8b3e8ae0c018abd50dbc7fa4d9e50760fdf32f1

SHA256
17828f7e3aa63c317b04baf8c3dbd4e069c12f66f45ae438094ae17cb7f5c7b9

SHA512
7e7da9f56e5fdd7da68f052e85e5a8a5091f2d4de03b75cf582e979505c2d755eb889459f8fe9ce95a57b5dfe5e47e2a5703dd6d23d94cc146de381c0aae0fd2

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
8ba405455cf8c6776dc01cce9faef2ee

SHA1
f8b3e8ae0c018abd50dbc7fa4d9e50760fdf32f1

SHA256
17828f7e3aa63c317b04baf8c3dbd4e069c12f66f45ae438094ae17cb7f5c7b9

SHA512
7e7da9f56e5fdd7da68f052e85e5a8a5091f2d4de03b75cf582e979505c2d755eb889459f8fe9ce95a57b5dfe5e47e2a5703dd6d23d94cc146de381c0aae0fd2

Download Submit
C:\Users\Admin\AppData\Roaming\System32\PxxoServicesTrialNet1.exe

MD5
8ba405455cf8c6776dc01cce9faef2ee

SHA1
f8b3e8ae0c018abd50dbc7fa4d9e50760fdf32f1

SHA256
17828f7e3aa63c317b04baf8c3dbd4e069c12f66f45ae438094ae17cb7f5c7b9

SHA512
7e7da9f56e5fdd7da68f052e85e5a8a5091f2d4de03b75cf582e979505c2d755eb889459f8fe9ce95a57b5dfe5e47e2a5703dd6d23d94cc146de381c0aae0fd2

Download Submit
memory/500-114-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/500-119-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/500-118-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/500-117-0x0000000004EF0000-0x0000000004F74000-memory.dmp

Filesize
528KB

Download
memory/500-116-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/808-144-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/808-138-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/808-139-0x0000000000413FA4-mapping.dmp

Download
memory/816-213-0x0000000000413FA4-mapping.dmp

Download
memory/816-215-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1168-180-0x0000000000000000-mapping.dmp

Download
memory/1328-123-0x0000000000000000-mapping.dmp

Download
memory/1556-129-0x0000000000000000-mapping.dmp

Download
memory/2008-131-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/2008-135-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/2008-145-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/2008-125-0x0000000000000000-mapping.dmp

Download
memory/2008-130-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/2008-141-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/2008-140-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/2008-160-0x0000000008BD0000-0x0000000008C03000-memory.dmp

Filesize
204KB

Download
memory/2008-169-0x0000000008B90000-0x0000000008B91000-memory.dmp

Filesize
4KB

Download
memory/2008-132-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/2008-137-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/2008-176-0x0000000008D00000-0x0000000008D01000-memory.dmp

Filesize
4KB

Download
memory/2008-133-0x00000000066E0000-0x00000000066E1000-memory.dmp

Filesize
4KB

Download
memory/2008-177-0x000000007EF10000-0x000000007EF11000-memory.dmp

Filesize
4KB

Download
memory/2008-136-0x0000000006C20000-0x0000000006C21000-memory.dmp

Filesize
4KB

Download
memory/2008-204-0x00000000066E3000-0x00000000066E4000-memory.dmp

Filesize
4KB

Download
memory/2008-134-0x00000000066E2000-0x00000000066E3000-memory.dmp

Filesize
4KB

Download
memory/2008-182-0x0000000008EC0000-0x0000000008EC1000-memory.dmp

Filesize
4KB

Download
memory/2108-210-0x0000000006740000-0x0000000006741000-memory.dmp

Filesize
4KB

Download
memory/2108-217-0x0000000006743000-0x0000000006744000-memory.dmp

Filesize
4KB

Download
memory/2108-205-0x0000000000000000-mapping.dmp

Download
memory/2108-216-0x000000007E640000-0x000000007E641000-memory.dmp

Filesize
4KB

Download
memory/2108-211-0x0000000006742000-0x0000000006743000-memory.dmp

Filesize
4KB

Download
memory/2568-178-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/2568-149-0x0000000000000000-mapping.dmp

Download
memory/2616-170-0x0000000000000000-mapping.dmp

Download
memory/2616-142-0x0000000000000000-mapping.dmp

Download
memory/2720-148-0x0000000000000000-mapping.dmp

Download
memory/3664-206-0x0000000000000000-mapping.dmp

Download
memory/3896-208-0x0000000000000000-mapping.dmp

Download
memory/3952-126-0x0000000000000000-mapping.dmp

Download
memory/3972-120-0x0000000000000000-mapping.dmp

Download